- Microsoft warns that macOS is now facing a rapidly growing malware and infostealer ecosystem
- Threat actors use social engineering and malicious ads to deliver DMG installers with variants such as DigitStealer, MacSync and AMOS
- Attackers target browser sessions, cloud tokens and developer credentials while misusing legitimate tools like WhatsApp and Google Ads for propagation
Gone are the days when Windows was always the biggest target for cybercriminals – as new research has found that macOS is just as important, with users facing a “rapidly expanding” ecosystem of malware, social engineering tactics and legitimate but weaponized tools.
A Microsoft report found that hackers use social engineering techniques like ClickFix (faking a problem and offering a “fix”) and malicious advertising campaigns to deliver disk image (DMG) installers.
These installers then drop all sorts of nasties, but a few malware variants stand out – DigitStealer, MacSync and Atomic macOS Stealer (AMOS). Microsoft also said that cross-platform malware, such as those written in Python, accelerates infostealer activity as it allows threat actors to quickly adapt across mixed environments.
Long-term consolidation efforts
Most of the time, the bad guys are interested in stealing sensitive data. However, that no longer just means passwords – it also includes browser sessions, keychains, cloud tokens and developer credentials, as these secrets enable account takeovers, supply chain compromise, BEC and ransomware attacks, and in some cases outright theft of cryptocurrency.
Microsoft also observed misuse of legitimate tools and services. For example, it has seen hackers compromise people’s WhatsApp accounts and then use them to spread infostealers and other malware.
In other cases, they have seen malicious ad campaigns running on the Google Ads network promoting a fake PDF editor that not only installs an infostealer but also establishes persistence.
The company also shared a long list of recommendations and restrictions that companies should follow, including educating employees about phishing, monitoring for suspicious terminal activity, and inspecting network egress for POST requests to newly registered or suspicious domains.
Enterprises should also enable cloud-delivered protection in Defender, deploy cloud-based machine learning protections, run EDR in block mode, and more.
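The egress check in the report's recommendations, as an added example that is not code from Microsoft or TechRadar: it scans constructed proxy log lines for POST requests to domains that are newly registered or have no registration record, using a constructed registration table in place of a real WHOIS/RDAP or domain-age lookup.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed proxy log lines (not from the article): timestamp, client IP, method, URL, status, bytes sent
PROXY_LOG = """\
2024-05-02T10:14:03Z 10.0.0.21 POST https://updates.example-cdn.com/api/v1/collect 200 48213
2024-05-02T10:14:09Z 10.0.0.21 GET https://www.apple.com/macos/ 200 1184
2024-05-02T10:15:44Z 10.0.0.33 POST https://pdf-editor-pro-download.xyz/upload 200 203411
2024-05-02T10:16:01Z 10.0.0.33 POST https://accounts.google.com/o/oauth2/token 200 512
2024-05-02T10:17:30Z 10.0.0.33 POST https://cdn.unlisted-host.net/c 200 91002
"""

# Constructed registration dates standing in for a WHOIS/RDAP lookup; a real
# deployment would query RDAP or a domain-age feed instead of a dict.
DOMAIN_REGISTERED = {
    "example-cdn.com": date(2016, 3, 12),
    "apple.com": date(1987, 2, 19),
    "pdf-editor-pro-download.xyz": date(2024, 4, 28),
    "google.com": date(1997, 9, 15),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def registrable_domain(url):
    """Last two host labels; enough here, but use a public-suffix list in production."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def find_suspicious_posts(log_text, registered, max_age_days=30, min_bytes=50_000):
    """Flag POSTs to domains registered within max_age_days or absent from the table.
    A large upload to such a domain is the trace infostealer exfiltration leaves in egress logs."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "POST":
            continue
        ts, src, _method, url, _status, sent = m.groups()
        domain = registrable_domain(url)
        seen = date.fromisoformat(ts[:10])  # date portion only, avoids 'Z' parsing differences
        reg = registered.get(domain)
        if reg is None:
            reason = "no registration data"
        elif (seen - reg).days < max_age_days:
            reason = f"registered {(seen - reg).days} days before request"
        else:
            continue  # established domain, not flagged
        findings.append({"src": src, "domain": domain, "bytes": int(sent),
                         "large_upload": int(sent) >= min_bytes, "reason": reason})
    return findings
```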