FrigidStealer, a new MacOS malware, and the sophisticated techniques employed by the cybercriminal groups TA2726 and TA2727 responsible for its distribution. The malware campaign leverages web injection attacks, a tactic previously associated with the group TA569 and their use of SocGholish.
The Rise of TA2726 and TA2727
Previously, web injection malware was primarily distributed by TA569, known for using SocGholish, often disguised as fake updates, leading to malware installation and subsequent ransomware attacks.
“The cybercriminals became almost synonymous with ‘fake updates’ within the security community,” according to Proofpoint researchers.
However, in early 2023, new threat actors, TA2726 and TA2727, emerged, adopting similar web injection and traffic redirection techniques.
Understanding Web Injection Attacks
These attacks typically involve three components:
- Malicious injects served to website visitors.
- A traffic distribution service (TDS) determining the payload delivered to each user.
- The malicious payload downloaded by the injected script.
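The first component above, the inject itself, usually shows up in a compromised site's HTML as either a script tag pulling from a domain the site owner never added, or an inline script that decodes and writes a second script at runtime. The scanner below is an added example for defenders, not code from the article or from Proofpoint; the HTML it parses is constructed, the `.invalid` hostname is a placeholder, and the site host and CDN allowlist are assumptions a real deployment would supply from its own inventory.

```python
"""Added example (not from the article or Proofpoint): pull every <script>
out of an HTML document and flag the two shapes a web inject usually takes:
(1) an external script served by a host the site does not own or allowlist,
(2) an inline script that decodes or executes code at runtime and writes a
new <script> into the page. The sample HTML at the bottom is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for each <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


# Runtime code construction that is rare in legitimate first-party code and
# common in injects: decode-then-eval, char-code assembly, document.write of
# a fresh <script> tag.
SUSPICIOUS_INLINE = re.compile(
    r"\b(eval|atob|unescape|String\.fromCharCode)\s*\("
    r"|document\.write\s*\(\s*['\"]<script",
    re.IGNORECASE,
)


def find_suspicious_scripts(html, site_host, allowed_hosts=()):
    """Return a list of (kind, detail) findings for an analyst to triage.

    site_host      -- hostname of the site being checked (assumed known)
    allowed_hosts  -- CDNs and vendors the site legitimately loads from
    """
    parser = _ScriptCollector()
    parser.feed(html)
    site_host = site_host.lower()
    ok = {site_host, *(h.lower() for h in allowed_hosts)}
    findings = []
    for src, body in parser.scripts:
        if src:
            host = urlparse(src.strip()).hostname
            if host is None:
                continue  # relative path: served by the site itself
            host = host.lower()
            if host not in ok and not host.endswith("." + site_host):
                findings.append(("external-script", host))
        elif SUSPICIOUS_INLINE.search(body):
            findings.append(("inline-dynamic-code", body.strip()[:60]))
    return findings


# Constructed sample page: one first-party script, one allowlisted CDN, one
# inline decoder that writes a new script, one third-party inject.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.jsdelivr.net/jquery.min.js"></script>
<script>var _0x=atob("aHR0cHM6Ly9leGFtcGxl");
document.write('<script src="'+_0x+'"><\\/script>');</script>
<script src="//inject-placeholder.invalid/inject.js"></script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for kind, detail in find_suspicious_scripts(
        SAMPLE_HTML, "www.example.com", ["cdn.jsdelivr.net"]
    ):
        print(f"{kind}: {detail}")
```

Run against a saved copy of a page (fetched with a normal browser user agent and again with an unusual one, since a TDS may only inject for some visitors) and compare the findings; a host that appears in one fetch but not the other is the kind of conditional inject the article describes.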
Proofpoint suggests TA2726, active since approximately 2022, may be responsible for compromising websites, allowing other threat actors to deploy their injects.
TA2727’s Multi-Platform Approach
TA2727 was identified in January 2024 during an investigation of a suspected TA569 attack. This group’s campaign delivered varied payloads based on user location and browser. “In the campaign, emails contained URLs linking to websites compromised with malicious JavaScript website injects. When a user visited a compromised website, TDS domains directed traffic to various actor-controlled domains to deliver a malicious payload,” explains Proofpoint’s blog post.
In North America (US and Canada), TA2727 used SocGholish. In the UK and France, a different fake update chain was deployed, adapting the payload based on the user agent and browser. On Windows systems using Edge or Chrome, users were redirected to a fake browser update page. Clicking “Update” downloaded an MSI file.
“After clicking the ‘Update’ button, an MSI file was downloaded, and the webpage displayed instructions on how to install the payload,” states the Proofpoint report. The MSI file contained DOILoader on Windows and the Marcher banking trojan on Android.
FrigidStealer MacOS Malware Targeting MacOS Users
Early in 2024, the malware campaign expanded to target MacOS users. The same “fake update” tactic was used, with the TDS delivering a DMG file. The malware distributed depended on the user’s browser, demonstrating sophisticated filtering. As Proofpoint notes, “Right-clicking and selecting ‘Open’ bypassed the MacOS security feature Gatekeeper,” a weakness the attackers relied on to get the payload running.
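The chain described across the last three paragraphs leaves a recognisable trace in web-proxy logs: a visit to an ordinary site, followed seconds later by an installer (MSI, DMG or APK) fetched from a different, unfamiliar host, with the installer type matching the client's operating system. The detector below is an added example written from a defender's side, not code from the article or from Proofpoint; the log format, the `.invalid` and `.example` hostnames and the vendor allowlist are all constructed assumptions.

```python
"""Added example (not from the article or Proofpoint): flag installer
downloads in web-proxy logs that were served by a host the user did not
navigate to and that is not a known software vendor, the pattern left by a
fake-update redirect. Log format, hosts and vendor list are assumptions."""
import re
from urllib.parse import urlparse

# Assumed log line shape:
#   <timestamp> <client-ip> "<METHOD> <url>" <status> "<referer>" "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>GET|POST) (?P<url>\S+)" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Installer extensions and the OS each one targets.
INSTALLER_EXT = {".msi": "windows", ".dmg": "macos", ".apk": "android"}


def os_from_ua(ua):
    """Coarse OS classification from a User-Agent string."""
    ua = ua.lower()
    if "android" in ua:
        return "android"
    if "windows" in ua:
        return "windows"
    if "mac os x" in ua or "macintosh" in ua:
        return "macos"
    return "other"


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_fake_update_downloads(lines, vendor_hosts):
    """Return one alert dict per successful installer download that came from
    a host outside vendor_hosts. The referer (the page the user was on) and
    the OS implied by the user agent are included for triage."""
    vendor_hosts = {h.lower() for h in vendor_hosts}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        url = urlparse(rec["url"])
        path = url.path.lower()
        ext = next((e for e in INSTALLER_EXT if path.endswith(e)), None)
        if ext is None:
            continue
        host = (url.hostname or "").lower()
        if host in vendor_hosts:
            continue
        alerts.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "host": host,
            "file": url.path.rsplit("/", 1)[-1],
            "referer_host": (urlparse(rec["referer"]).hostname or "").lower(),
            "installer_os": INSTALLER_EXT[ext],
            "client_os": os_from_ua(rec["ua"]),
        })
    return alerts


# Constructed sample: two clients read the same article and each receives an
# installer matched to its OS from an unrelated host; a third client fetches
# a real vendor installer, which is allowlisted and not reported.
SAMPLE_LOG = [
    '2025-01-15T10:00:01Z 10.0.0.5 "GET https://www.example-news.invalid/article" 200 "" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '2025-01-15T10:00:04Z 10.0.0.5 "GET https://update-placeholder.invalid/ChromeUpdate.msi" 200 '
    '"https://www.example-news.invalid/article" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '2025-01-15T10:02:11Z 10.0.0.9 "GET https://vendor-cdn.example/BrowserSetup.msi" 200 '
    '"https://vendor.example/download" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120.0"',
    '2025-01-15T10:05:30Z 10.0.0.12 "GET https://update-placeholder.invalid/SafariUpdate.dmg" 200 '
    '"https://www.example-news.invalid/article" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1"',
]

if __name__ == "__main__":
    for a in flag_fake_update_downloads(SAMPLE_LOG, {"vendor-cdn.example"}):
        print(f"{a['ts']} {a['client']} got {a['file']} from {a['host']} "
              f"(came from {a['referer_host']}, client OS {a['client_os']})")
```

The allowlist of vendor hosts is the part that needs local care: browsers and operating systems update themselves from a small, stable set of domains, so a download that matches the client's OS but comes from anywhere else, with a news or blog page as referer, is worth a look at the file's signature and the referring site's scripts.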
This sophisticated MacOS malware campaign, utilizing FrigidStealer and employing techniques like web injection and browser-based payload delivery, underscores the evolving threat landscape and the need for robust cybersecurity measures. The involvement of multiple cybercriminal groups, including TA2726 and TA2727, further complicates the issue, demanding vigilance from both individuals and organizations.