- Proofpoint researchers observe two groups that engage in “false update” attacks
- Groups have their distinct assignments against macOS devices
- The objective is to distribute Frigidstealer, a new malicious software to infosteller
Cybercriminals use false macOS updates to distribute new malicious software called Frigidstealer, said new research.
Cybersecurity researchers, Proofpoint, recently observed two new threat stakeholders distributing malware, followed in TA2726 and TA2727, working together on different parts of the same campaign to bring macos users to install Frigidstealer.
They opted for the method of distributing the “false update”, where the victims would visit a compromised website which would serve a popup. This popup would warn users that they had to update their Mac or their browsers, in order to view the content of the website.
Targeting Windows, Linux, MacOS and Android
Instead of a real update, the victims would download and execute the installer for the Malware Frigidstealer, who did what infosteralists do – he steals information, including browser cookies, files containing words pass or data related to cryptocurrency, Apple notes and similar files.
The stolen data is stored in the personal user directory before being sent to the attacker’s control and control server (C2): ASKFORUPDATE[.]org.
Proofpoint says that malware is distributed by TA2727, a cybercriminal group with financial motivation. TA2726, on the other hand, acts as a trafficking system operator (TDS), redirecting web traffic to the useful charges of TA2727.
The majority of targets seem to be located in North America and Europe, and in addition to frigidstealer, the crooks also use Lumma Stealer and Deenerdeer for Windows targets, and bank goods walk for Android users.
False update attacks are not new, they have existed for years. The Socgholish malicious software campaign, attributed to the threat actor Ta569, is recognized as one of the most prolific users of these attacks. Active since at least April 2018, Socgholish uses a malicious javascript injected into compromise websites to present to visitors deceptive prompts for software updates, such as false browsers or Flash Player updates.
