FrigidStealer: A New macOS Malware That Targets macOS Users

New MacOS Malware Found

FrigidStealer is a new information stealer that targets macOS users. The threat actor, TA2727, leverages social engineering tactics, tricking users into downloading what they believe are legitimate browser updates.

These updates, however, are Trojanized, installing FrigidStealer onto the victim’s system. The distribution network is particularly concerning. TA2727 collaborates with TA2726, which operates a malicious TDS. This system redirects users to compromised websites or directly delivers the malware. The involvement of TA2726, known for distributing SocGholish, signifies a well-established and dangerous distribution infrastructure.

  • It is delivered via fake browser updates.
  • It is distributed by a threat actor known as TA2727.
  • TA2727 is a financially motivated threat actor that has been active since at least September 2022.
  • It is distributed via websites that have been compromised with malicious JavaScript.
  • It is also distributed via a malicious traffic distribution system (TDS) operated by another threat actor known as TA2726.
  • TA2726 is also responsible for the distribution of a JavaScript-based loader malware known as SocGholish (aka FakeUpdates).

Proofpoint identified and named two new cybercriminal threat actors operating components of web inject campaigns, TA2726 and TA2727.
The web inject campaign landscape is growing, with a variety of copycat threat actors conducting similar campaigns, which makes it difficult for analysts to track.
Typically, an attack chain will consist of three parts: the malicious injects served to website visitors, which are often malicious JavaScript scripts; a traffic distribution service (TDS) responsible for determining what user gets which payload based on a variety of filtering options; and the ultimate payload that is downloaded by the script. Sometimes each part of the attack chain is managed by the same threat actor, but frequently the different parts of the chain may be managed by different threat actors.
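The first link in that chain, the malicious inject, is a script tag planted in the HTML of a compromised site. A site owner can catch that on their own pages by comparing every script the page loads against an allowlist of hosts they actually use, and by flagging inline scripts that carry loader-like tokens. The following is an added example written for this post; it is not code from Proofpoint or from the campaign itself, and the sample page, the allowlist, the `.invalid` hostname and the `SUSPICIOUS_TOKENS` heuristic are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (constructed allowlist).
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}

# Tokens common in obfuscated inline loaders. This is a heuristic: expect
# false positives on legitimate minified code and review hits by hand.
SUSPICIOUS_TOKENS = ("eval(", "atob(", "fromCharCode", "unescape(", "document.write(")


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []       # src attribute of each <script src=...>
        self.inline = []         # body of each inline <script>
        self._capturing = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._capturing = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._capturing:
            self.inline.append("".join(self._buf))
            self._capturing = False

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data; it may arrive in chunks.
        if self._capturing:
            self._buf.append(data)


def script_host(src, page_host):
    """Host a script src resolves to; relative paths resolve to the page's own host.
    Protocol-relative sources (//host/path) are handled by urlparse's netloc."""
    parsed = urlparse(src.strip())
    host = parsed.netloc or page_host
    return host.lower().split(":")[0]


def find_unexpected_scripts(html, page_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return findings as (kind, detail) tuples: external scripts loaded from
    hosts outside the allowlist, and inline scripts containing loader-like tokens."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = script_host(src, page_host)
        if host not in allowed:
            findings.append(("external-script", f"{host} <- {src}"))
    for body in collector.inline:
        hits = [token for token in SUSPICIOUS_TOKENS if token in body]
        if hits:
            findings.append(("inline-script", ", ".join(hits)))
    return findings


# Constructed sample page: two legitimate scripts, one benign inline config
# block, one injected third-party loader and one obfuscated inline loader.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
<script src="//static.browser-update-notice.invalid/loader.js"></script>
<script>eval(atob("...base64 placeholder..."));</script>
</head><body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for kind, detail in find_unexpected_scripts(SAMPLE_PAGE, "www.example.com"):
        print(f"{kind}: {detail}")
```

Run against the constructed page it reports the `.invalid` loader and the `eval(atob(` inline block and stays silent on the allowlisted and relative sources. In practice the check is most useful run on a schedule against a copy of each page fetched with a plain client, since a TDS may serve different content depending on user agent, referrer and geography, so a single fetch from the webmaster's own browser is not a reliable baseline.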

Impact:

  • Data Theft: FrigidStealer is designed to steal sensitive information, including:
      ◦ Login credentials.
      ◦ Financial data.
      ◦ Personal files.
      ◦ Browser data like cookies and history.
  • Financial Loss: Stolen credentials and financial data can lead to significant financial losses for victims.
  • Privacy Violation: The theft of personal files and information represents a severe breach of privacy.
  • System Compromise: The malware can potentially open backdoors for further malicious activity.

Mitigation and Prevention:

  • Verify Software Updates: Always download browser updates directly from the official vendor’s website.
  • Exercise Caution: Be wary of pop-up windows or prompts offering software updates from unfamiliar sources.
  • Install Security Software: Maintain up-to-date antivirus and anti-malware software on your macOS system.
  • Enable Firewall: Ensure your macOS firewall is enabled and configured correctly.
  • Educate Yourself: Stay informed about the latest cybersecurity threats and best practices.
  • Regular Backups: Regularly back up important data to an external drive or cloud service.
  • JavaScript Control: Consider disabling JavaScript on websites that are not trusted.