- Microsoft warns that macOS now faces a rapidly expanding ecosystem of data-stealing malware
- Threat actors use social engineering and malicious ads to deliver DMG installers with variants such as DigitStealer, MacSync, and AMOS.
- Attackers target browser sessions, cloud tokens, and developer credentials, while abusing legitimate tools like WhatsApp and Google Ads for propagation.
Gone are the days when Windows was always the number one target for cybercriminals: new research finds that macOS is now an equally important target, with users facing a “rapidly expanding” malware ecosystem, social engineering tactics, and legitimate but weaponized tools.
A Microsoft report found that hackers are using social engineering techniques such as ClickFix (faking a problem and offering a “fix”) and malicious advertising campaigns to deliver disk image installers (DMGs).
These installers then drop all sorts of malicious payloads, but a few malware variants stand out: DigitStealer, MacSync, and Atomic macOS Stealer (AMOS). Microsoft also said that cross-platform malware, such as tooling written in Python, is accelerating infostealer activity by letting threat actors adapt quickly in mixed environments.
Long-running data collection effort
Most of the time, criminals are interested in stealing sensitive data. However, that no longer means just passwords: it also includes browser sessions, keychains, cloud tokens, and developer credentials, as these secrets enable account takeovers, supply chain compromise, BEC and ransomware attacks, and in some cases, outright cryptocurrency theft.
Microsoft also noted abuse of legitimate tools and services. For example, hackers have been seen compromising people’s WhatsApp accounts and then using them to spread data stealers and other malware.
In other cases, they have seen malicious ad campaigns running on the Google Ads network, promoting a fake PDF editor that not only installs an information stealer but also establishes persistence.
The company has also shared a long list of recommendations and mitigations that businesses should follow, including educating employees about phishing, monitoring for suspicious Terminal activity, and inspecting outbound network traffic for POST requests to suspicious or newly registered domains.
Additionally, enterprises should enable cloud-delivered protection in Defender, implement cloud-based machine learning protections, run EDR in block mode, and more.
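The article's recommendation to inspect outbound traffic for POST requests to newly registered domains can be turned into simple detection logic. The following is an added example written for this page, not code from Microsoft or TechRadar. It runs over a handful of constructed egress-proxy log lines, looks up each destination's registration date in a constructed table (a stand-in for an RDAP/WHOIS lookup or a threat-intelligence feed), and flags POSTs to domains registered within the last 30 days or carrying unusually large uploads. The log format, the domain table, the thresholds and the sample traffic are all assumptions made for the example.

```python
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed sample egress-proxy log lines; not from the article or from any real network.
# Assumed format: <timestamp> <client_ip> <method> <host> <path> <status> <bytes_out>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.1.15 GET  updates.example.com /check 200 512
2024-05-01T10:00:07Z 10.0.1.15 POST api.example.com /v1/sync 200 2048
2024-05-01T10:01:30Z 10.0.1.22 POST cdn-assets-7781.example /upload 200 348211
2024-05-01T10:02:02Z 10.0.1.22 POST cdn-assets-7781.example /upload 200 201933
2024-05-01T10:03:45Z 10.0.1.40 POST tracker.example.net /e 200 96
"""

# Constructed placeholder for a domain-age source. In a real deployment this would be an
# RDAP/WHOIS lookup or a threat-intel feed; here it maps registrable domain -> registration date.
DOMAIN_REGISTERED: Dict[str, date] = {
    "example.com": date(1995, 8, 14),
    "cdn-assets-7781.example": date(2024, 4, 28),  # registered three days before the traffic
    "tracker.example.net": date(2012, 2, 1),
}

AS_OF = date(2024, 5, 1)          # the day the sample traffic was captured
NEW_DOMAIN_DAYS = 30              # assumed cutoff for "newly registered"
LARGE_POST_BYTES = 100_000        # assumed cutoff above which an upload is worth a look


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into a dict; return None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, host, path, status, nbytes = parts
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "method": method.upper(),
        "host": host.lower(),
        "path": path,
        "status": int(status),
        "bytes_out": int(nbytes),
    }


def registrable_domain(host: str) -> Optional[str]:
    """Walk from the full host name down to shorter suffixes until one is in the table."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_REGISTERED:
            return candidate
    return None


def domain_age_days(host: str, as_of: date = AS_OF) -> Optional[int]:
    """Days since the host's registrable domain was registered, or None if unknown."""
    dom = registrable_domain(host)
    if dom is None:
        return None
    return (as_of - DOMAIN_REGISTERED[dom]).days


def find_suspicious_posts(log_text: str, as_of: date = AS_OF) -> List[dict]:
    """Return one alert per POST request that hits a young domain or carries a large upload."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        reasons = []
        age = domain_age_days(ev["host"], as_of)
        if age is None:
            # No registration data at all: worth enriching before deciding, so flag it.
            reasons.append("unknown_registration")
        elif age <= NEW_DOMAIN_DAYS:
            reasons.append(f"newly_registered:{age}d")
        if ev["bytes_out"] >= LARGE_POST_BYTES:
            reasons.append(f"large_upload:{ev['bytes_out']}B")
        if reasons:
            alerts.append({
                "ts": ev["ts"].isoformat(),
                "client": ev["client"],
                "host": ev["host"],
                "domain": registrable_domain(ev["host"]),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_posts(SAMPLE_LOG):
        print(alert)
```

On the sample traffic, the routine sync POST to a long-established domain and the tiny telemetry POST pass through untouched, while the two uploads from 10.0.1.22 to a three-day-old domain are both flagged on two counts. In practice the domain table would be replaced by a cached RDAP lookup, and the thresholds tuned against a baseline of the organisation's normal outbound traffic so that legitimate SaaS uploads do not drown the signal.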