CyberSecurity news


@gbhackers.com //
FrigidStealer, an information-stealing malware targeting macOS users, has been identified as a significant threat since January 2025. The malware spreads through deceptive tactics, primarily by posing as legitimate browser updates. This approach exploits user trust and makes it a particularly insidious form of malware, as it doesn't rely on traditional exploit kits or vulnerabilities. Instead, it tricks users into downloading a malicious disk image file (DMG) disguised as a Safari update from compromised websites. Once downloaded, the DMG file requires manual execution, often bypassing macOS Gatekeeper protections by prompting users to enter their password via AppleScript.

The malware targets sensitive data on macOS endpoints, including browser credentials, cryptocurrency wallets, files, and system information. After installation, FrigidStealer registers itself as an application, "ddaolimaki-daunito," and establishes persistence via launchservicesd as a foreground application with the bundle ID "com.wails.ddaolimaki-daunito." It then uses Apple Events for unauthorized inter-process communication to harvest data. The stolen data is exfiltrated to a command-and-control (C2) server through DNS data exfiltration via mDNSResponder. Post-exfiltration, the malware terminates its processes to evade detection and removes its associated jobs.

Cybersecurity experts at Wazuh, an open-source SIEM and XDR platform, have released detection capabilities to help combat FrigidStealer. Wazuh collects macOS Unified Logging System (ULS) events from monitored endpoints and applies custom decoders and rules on the Wazuh server to detect suspicious activity: the malware's process registration, unauthorized Apple Events usage, and unusual DNS queries. The resulting alerts can be visualized on the Wazuh dashboard to enable swift incident response. The malware has been linked to TA2726 and TA2727, known for using fake browser updates as an attack vector, and potentially to the EvilCorp syndicate because of its financial motivations.
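As an added illustration (not code from the article or from Wazuh's own decoders and rules), the three detections described above expressed as a small Python matcher run over constructed macOS log lines. Only the application name and bundle ID come from the article; the syslog-style line layout, the message wording, and the DNS label-length threshold are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators taken from the article: the application name FrigidStealer registers and the bundle ID it uses.
SUSPECT_APP = "ddaolimaki-daunito"
SUSPECT_BUNDLE_ID = "com.wails.ddaolimaki-daunito"

# Assumed syslog-style layout (timestamp, host, process[pid]: message); real unified-log output must be mapped to it.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
HOSTNAME_RE = re.compile(r"([\w-]+(?:\.[\w-]+)+)\s*$")  # last dotted name in a message
MAX_LABEL_LEN = 30  # a DNS label longer than this is treated as possible encoded exfiltration (tunable assumption)

@dataclass
class Alert:
    rule: str
    proc: str
    msg: str

def _has_long_dns_label(msg: str) -> bool:
    """True if the queried name at the end of the message contains an unusually long label."""
    m = HOSTNAME_RE.search(msg)
    return bool(m) and any(len(label) > MAX_LABEL_LEN for label in m.group(1).split("."))

def check_line(line: str) -> Optional[Alert]:
    """Apply the three detections from the article to one log line; None if nothing matched."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proc, msg = m.group("proc"), m.group("msg")
    if proc == "launchservicesd" and SUSPECT_BUNDLE_ID in msg:
        return Alert("frigidstealer_registration", proc, msg)
    if "AppleEvent" in msg and (proc == SUSPECT_APP or SUSPECT_APP in msg):
        return Alert("frigidstealer_apple_events", proc, msg)
    if proc == "mDNSResponder" and _has_long_dns_label(msg):
        return Alert("suspicious_dns_query", proc, msg)
    return None

def scan(lines: Iterable[str]) -> List[Alert]:
    """Run check_line over every line and keep the hits, in log order."""
    return [a for a in (check_line(l) for l in lines) if a is not None]

# Constructed sample lines (not real captures); the message wording is illustrative only.
SAMPLE_LOG = [
    "2025-03-01 10:00:01 mac-01 launchservicesd[123]: registered com.wails.ddaolimaki-daunito as foreground app",
    "2025-03-01 10:00:02 mac-01 ddaolimaki-daunito[456]: sending AppleEvent to com.apple.Safari",
    "2025-03-01 10:00:03 mac-01 mDNSResponder[89]: query for aGVsbG8gd29ybGQgdGhpcyBpcyBleGZpbHRyYXRlZA.example.test",
    "2025-03-01 10:00:04 mac-01 mDNSResponder[89]: query for www.apple.com",
    "2025-03-01 10:00:05 mac-01 Safari[777]: window restored",
]
```

Running `scan(SAMPLE_LOG)` yields three alerts (registration, Apple Events, suspicious DNS) and ignores the benign Safari and www.apple.com lines.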



References:
  • hackread.com: FrigidStealer Malware Hits macOS Users via Fake Safari Browser Updates
  • Wazuh: Detecting FrigidStealer malware with Wazuh
  • gbhackers.com: FrigidStealer Malware Targets macOS Users to Harvest Login Credentials
Classification:
  • HashTags: #FrigidStealer #macOSMalware #CyberSecurity
  • Company: Wazuh
  • Target: macOS Users
  • Attacker: FrigidStealer
  • Product: macOS
  • Feature: Browser Updates
  • Malware: FrigidStealer
  • Type: Malware
  • Severity: Major