- Proofpoint researchers observe two groups participating in “fake update” attacks
- The groups carry out separate tasks in the same campaign against macOS devices
- The goal is to distribute FrigidStealer, a newly discovered piece of malware
Cybercriminals are using fake macOS updates to distribute a new piece of malware called FrigidStealer, according to new research.
Cybersecurity researchers at Proofpoint recently observed two threat actors that distribute malware, tracked as TA2726 and TA2727, working together on different parts of the same campaign to get macOS users to install FrigidStealer.
They opted for the “fake update” distribution method, in which victims visit a compromised website that serves a pop-up window. That pop-up warns users that they need to update their Mac or their browser in order to view the website’s content.
Targets Windows, Linux, macOS and Android
Instead of a real update, the victims download and run the FrigidStealer malware, which does what infostealers usually do: steal information, including browser cookies, files containing passwords or cryptocurrency-related data, and Apple Notes files.
The stolen data is staged in the user’s home directory before being sent to the attacker’s command and control (C2) server: askforupdate[.]org.
Proofpoint says the malware is distributed by TA2727, a financially motivated cybercriminal group. TA2726, on the other hand, acts as a Traffic Distribution System (TDS) operator, redirecting web traffic to TA2727’s payloads.
Most targets appear to be located in North America and Europe, and in addition to FrigidStealer, the crooks are also using Lumma Stealer and DeerStealer against Windows targets, and the Marcher banking trojan against Android users.
Fake update attacks are nothing new; they have existed for years. The SocGholish malware campaign, attributed to the threat actor TA569, is recognized as one of the most prolific users of these attacks. Active since at least April 2018, SocGholish uses malicious JavaScript injected into compromised websites to present visitors with deceptive prompts for software updates, such as fake browser or Flash Player updates.