Macs under threat from info-stealing malware spread through ads and fake software — don’t fall for this


Hackers are once again using dangerous info-stealing malware to target Mac users and siphon off passwords and other sensitive personal data from their computers.

As reported by The Hacker News, we’re actually dealing with two Mac malware strains here. While their infection methods differ, both are designed to steal sensitive data from the best MacBooks and other Apple computers.

While the first infostealer is being distributed using malicious ads in Google and other search engines, the second one points potential victims to a fake website by using free software as a lure.

Here’s everything you need to know about these new malware campaigns along with some tips and tricks on how you can avoid having your Mac infected with malware.

Bad ads serving malware


Although Safari comes pre-installed on every computer running macOS, some Apple users prefer Google Chrome while others are interested in testing out new browsers with different features.

While it is based on Chromium like many other browsers, the Arc Browser does things a bit differently thanks to its unique sidebar and approach to bookmarks. Since its release back in 2022, the Arc Browser has become a popular Safari alternative for many Mac users.

The hackers behind this malware campaign are well aware of this fact and to capitalize on its popularity, they’ve purchased ad space on Google and other search engines advertising the Arc Browser. However, instead of taking you to the browser’s official site (https://arc.net/), these fake ads take unsuspecting users to look-alike sites like “airci[.]net” which serve malware.

In an effort to avoid detection, these look-alike sites can’t be accessed directly. Instead, they can only be reached “through a generated sponsored link,” according to a new report from Jamf Threat Labs, which first identified this campaign.

If a Mac user does click on one of these ads and then proceeds to download what they think is the Arc Browser, installing the included file (“ArcSetup.dmg”) actually puts the Atomic Stealer malware onto their Mac. The malware then uses a fake prompt to trick victims into inputting their system password which gives the hackers behind this campaign access to all of the sensitive data stored on their Mac.

Fake software stealing credentials


In addition to the one described above, Jamf’s security researchers also discovered a similar campaign that’s being used to distribute the Realst info-stealer malware.

This campaign uses a fake website called meethub[.]gg which claims to offer free group meeting scheduling software. However, when Mac users download and install it, they infect their computers with the Realst malware instead.

Just like with Atomic Stealer, Realst also uses a fake prompt to get victims to input their system passwords. From here though, the malware uses an AppleScript call to carry out its malicious activities on an infected Mac.
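The fake password prompt is something defenders can look for in process telemetry. The following is an added example, not code from the article or from Jamf’s report; it assumes the prompt is raised through osascript’s `display dialog ... with hidden answer` (an assumption beyond what the article states) and runs over constructed process-execution events.

```python
import re

# Constructed process-execution events in the shape an EDR or log collector
# might hand over; none of these come from the article or from Jamf's report.
SAMPLE_EVENTS = [
    {"pid": 501, "parent": "ArcSetup", "argv": ["osascript", "-e",
        'display dialog "macOS needs your password to finish installing" '
        'default answer "" with hidden answer']},
    {"pid": 502, "parent": "Script Editor", "argv": ["osascript", "-e",
        'display dialog "Backup finished"']},
    {"pid": 503, "parent": "Finder", "argv": ["open", "/Applications/Arc.app"]},
    {"pid": 504, "parent": "bash", "argv": ["osascript", "/tmp/prompt.scpt"]},
]

# Parents for which an AppleScript password dialog is plausible (assumption).
EXPECTED_PARENTS = {"Script Editor", "Automator"}

def inline_script(argv):
    """Join every `-e` chunk of an osascript command line into one script string."""
    chunks = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-e"]
    return "\n".join(chunks)

def classify_event(event):
    """Return a finding for an event that looks like a credential-phishing dialog, else None."""
    argv = event.get("argv", [])
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return None
    script = inline_script(argv)
    if not script:
        # Script passed as a file: worth a look, but its text is not visible here.
        return {"pid": event["pid"], "severity": "low", "reason": "osascript run from file"}
    if not re.search(r"display dialog.*hidden answer", script, re.I | re.S):
        return None
    parent = event.get("parent", "?")
    severity = "medium" if parent in EXPECTED_PARENTS else "high"
    return {"pid": event["pid"], "severity": severity,
            "reason": "hidden-answer dialog spawned by " + parent}

def scan(events):
    """Run classify_event over a batch of events and keep only the findings."""
    return [f for f in (classify_event(e) for e in events) if f]
```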

While this campaign uses free software as a lure, other ones spreading the Realst info-stealer in the past have used job opportunities or podcast interviews to trick unsuspecting users into installing the malware on their computers. What sets Realst apart from other Mac malware strains we’ve observed in the past is that it can bypass macOS’ Gatekeeper security feature which, as the name suggests, verifies downloaded applications to ensure they’re malware-free before they can be installed on your Mac.

As Jamf points out in its report, many of these attacks “are often focused on those in the crypto industry” since this can lead to a bigger payout for the hackers behind them. However, since fake ads and fake software are routinely used to distribute these infostealers, there’s always a chance that ordinary users can fall for them too.

How to stay safe from Mac malware


When it comes to keeping you and your Mac protected from malware, you need to be more careful online as both of these campaigns could have been easily avoided by taking a few precautions.

When looking for new software in Google and other search engines, it’s highly recommended that you scroll down to a developer’s actual site instead of clicking on the first result. The reason for this is that Google now displays ads at the top before you get to the actual search results underneath them. Anyone (including hackers and other cybercriminals) can purchase ad space online and if you do click on one of these fake ads, they can take you to a phishing page designed to steal your credentials or even to a malicious site distributing malware.

Besides fake ads, hackers often build elaborate websites promoting fake software that can appear legitimate at first glance. This is why I recommend sticking to software from known and reputable brands. Free software might seem appealing but you’ll end up paying a lot more in the long run if your Mac is infected with malware or worse, you end up having your identity stolen. Paid software is usually the safer route but there are plenty of legitimate free apps and programs out there. You just need to do your research first and ensure that you are on a company’s actual website when you go to download and install them.
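Checking that a download really comes from the vendor’s own domain can be automated. The following is an added example, not code from the article; it keeps a small allowlist of official domains (arc.net, the one the article names), refangs report-style indicators such as airci[.]net, and flags hostnames that are a couple of edits away from an official name or that bury an official name inside a longer hostname. The two-label “registrable domain” shortcut is an assumption standing in for a public-suffix lookup.

```python
from urllib.parse import urlsplit

# Allowlist of official vendor domains; arc.net is the one the article names.
# Extend it per vendor (constructed for this example).
OFFICIAL_DOMAINS = {"arc.net"}

def refang(text):
    """Undo the defanging used in reports (airci[.]net, hxxps://) to get a real URL."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def hostname(url):
    """Lower-cased hostname of a URL; a bare host without a scheme is accepted too."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, official=OFFICIAL_DOMAINS, max_distance=2):
    """Return 'official', 'lookalike' or 'unknown' for the site a download URL points at."""
    host = hostname(url)
    if not host:
        return "unknown"
    for dom in official:
        if host == dom or host.endswith("." + dom):
            return "official"
    # Last two labels stand in for a public-suffix lookup (assumption).
    labels = host.split(".")
    reg_name, reg_tld = (labels[-2], labels[-1]) if len(labels) >= 2 else (host, "")
    for dom in official:
        name, tld = dom.rsplit(".", 1)
        # Official name buried inside a longer hostname, e.g. arc.net.evil.example
        if dom in host:
            return "lookalike"
        # Same TLD and a name within a couple of edits, e.g. airci.net vs arc.net
        if tld == reg_tld and edit_distance(name, reg_name) <= max_distance:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for u in ["https://arc.net/", "hxxps://airci[.]net/ArcSetup.dmg", "https://meethub[.]gg/"]:
        print(u, "->", classify(u))
```

A result of “unknown” is not a clean bill of health; it only means the site is neither on the allowlist nor an obvious imitation of something that is.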

While macOS has its own built-in malware scanner called XProtect, for additional protection, you also should consider using one of the best Mac antivirus software suites. Not only are their malware scanning engines updated more regularly but many of them also throw in other extra security features like a VPN or a password manager.

There’s a lot of money to be made from infecting Macs with malware which is why the hackers behind these and other similar campaigns likely won’t be slowing down anytime soon. Although owning a Mac used to mean dealing with fewer viruses than you would on one of the best Windows laptops, that’s just no longer the case. This means Mac owners now need to be extra careful online and this is especially true when it comes to downloading and installing new software.


Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.