MacOS Security Alert: Emerging Malware Threatens Keychain, Chrome, Brave, and Opera
Update, Dec. 10, 2024: This report, initially published Dec. 09, has been revised with comments from Brave.
Hackers have discovered a disturbing new scam that specifically targets macOS users, tricking them into downloading malicious software. The objective is to steal passwords from the keychain and various web browsers, such as Chrome, Brave, and Vivaldi. The campaign, which has been operational for an alarming four months, uses fake businesses to manufacture trust and distributes the malware under the guise of a video meeting application. Here's what you should know.
The Dangerous Mac Malware Threat to Your Passwords Revealed
In a recent report published by Tara Gould, the threat research lead at Cado Security Labs, a new sophisticated scam targeting macOS users with AI-generated content has been unveiled. The scam aims to trick users into downloading a video call meeting application that, surprise, surprise, is actually malware disguised as legitimate software. Gould stated that the threat actors created a website with AI-generated content, along with social media accounts, to appear as a legitimate company.
The threat analysis showed that victims have been approached through various methods, including known contacts on Telegram wanting to discuss a business opportunity that was not an investment proposal, as well as calls related to the victims' work with blockchain technologies and cryptocurrencies.
In a separate analysis by Joshua Long, chief security analyst at Mac security experts Intego, users are warned that the same fake meeting software could potentially be used in other scam campaigns, with this variation capable of targeting individuals regardless of their interests.
The malware aims to steal sensitive data from the macOS Keychain, including password databases, as well as "various Chromium-based browsers (Google Chrome, Microsoft Edge, Arc, Brave, Opera, Vivaldi, and the Vietnamese browser Cốc Cốc), the Telegram Messenger app, and popular cryptocurrency wallets." The browser data targeted includes session cookies, a favorite among hackers as they can be used to bypass two-factor authentication protections.
Although the download page that victims are redirected to claims to offer an application for macOS, Linux, and Windows operating systems, Gould said that "all download links lead to the macOS version." When the download file is opened, Gould continued, an error message is displayed saying it cannot connect to the server and asking the user to reinstall or use a VPN. A not-so-helpful "continue" button leads to a macOS password prompt.
Protecting Yourself Against the Mac Malware Threat
The use of AI in this latest campaign highlights how quickly threat actors can shift their attacks to create new, realistic websites with content that adds legitimacy and makes spotting the scam harder for the average user. Gould advised that users need to be cautious when approached about business opportunities, especially through Telegram.
"If you utilize Intego VirusBarrier", Long said, "you're already safeguarded against this malware. Intego detects samples from this campaign as OSX/ChainBreaker.fs, OSX/Stealer.ext, Python/KeychainDump, and trojan/TR/PSW.Agent.lyel."
Apple, Google, and Opera have been contacted for a statement.
A spokesperson from Brave commented: "One effective way to safeguard against malware is avoiding unnecessary software installations. We are aware of sites impersonating Brave Talk and would like to remind everyone that the genuine Brave Talk can only be found here and will never request users to install anything. We also encourage our users to report malicious sites to [email protected], enabling us to get them removed."
I would also suggest that anyone interested in securing their systems and passwords, no matter the operating system platform, read the advice in this captivating guide to understanding how phishing scams work and the most effective techniques to counter them.
- To protect your macOS from password theft, ensure you have a strong and unique macOS password for the keychain.
- Brave urges users to avoid installing unnecessary software to safeguard against malware, as the genuine Brave Talk can only be found on their official website.
- The new Mac malware targets passwords stored in the macOS Keychain and various Chromium-based browsers, including Brave, Chrome, Opera, and Vivaldi.
- The use of AI in this scam makes it challenging for users to identify false websites and downloads, highlighting the importance of being cautious when approached about business opportunities, especially through Telegram.
- To counter phishing scams effectively, it's crucial to understand how they work and employ techniques like checking the sender's email address and using password managers to store and manage sensitive information securely.