Malware, Threat Intelligence

Novel FrigidStealer macOS malware spread via bogus browser updates


TechRepublic reports that the newly emergent TA2727 threat group has leveraged fraudulent browser updates to distribute the novel FrigidStealer macOS malware in web injection attacks that also involved the recently discovered TA2726 operation, which provided traffic distribution services.

TA2727's attack campaign, which was discovered in late January, entailed the insertion of malicious "Update" buttons on legitimate websites; when clicked, these buttons trigger an automated DMG file download and the evasion of macOS Gatekeeper, eventually installing FrigidStealer, according to a Proofpoint report. Once executed, FrigidStealer accesses and exfiltrates browser cookies, passwords, cryptocurrency-related information, and Apple Notes, said Proofpoint researchers, who urged the adoption of endpoint protection and network detection systems, restrictions on script file downloads, and improved user training on this type of attack. The findings follow a SentinelOne report detailing mounting threats against enterprise macOS devices, as well as the rise of cross-platform malware development. "These trends suggest a deliberate effort by attackers to scale their operations while exploiting gaps in macOS defenses that are often overlooked in enterprise environments," noted SentinelOne threat researcher Phil Stokes.
