MetaStealer Family of Go Infostealers Targeting Businesses Using macOS

SentinelOne researchers uncover a campaign of Go-based infostealers, dubbed the “MetaStealer” family, that targets businesses using macOS.

On September 11, 2023, SentinelOne researchers reported the technical details of a campaign targeting unspecified businesses that run macOS in their environments, using a series of infostealers written in Go that they dubbed the “MetaStealer” family.

Context

According to the report, the campaign has been “proactively targeting macOS businesses by posing as fake clients in order to socially engineer victims into launching malicious payloads” for the past few months. The researchers also note that Apple has released an XProtect signature that detects some variants of the MetaStealer family; since it does not cover all of them, XProtect alone should not be relied on for detection.

Technical Details

According to SentinelOne researchers, the primary objective of the campaign is “exfiltrating valuable keychain and other information” from businesses for use in further cybercriminal activity. The researchers provided the following key technical details:

  • “Many of the samples of MetaStealer we have observed are distributed in malicious application bundles contained in disk image format (.dmg) with names indicating that the targets were business users of Mac devices.
  • The main executable in MetaStealer bundles is an Intel x86 Mach-O containing compiled and heavily obfuscated Go source code.
  • The applications inside the MetaStealer disk images contain the minimum required to form a valid macOS bundle, namely an Info.plist file, a Resources folder containing an icon image and a MacOS folder containing the malicious executable.”
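The three traits quoted above (a bare-minimum bundle layout, a single Intel Mach-O executable, and a Go toolchain fingerprint) are all checkable offline once a disk image has been mounted. The script below is an added example written for this summary, not SentinelOne's tooling: it walks an .app bundle, confirms the plist/Resources/MacOS layout, parses the Mach-O header to report the architectures present, looks for Go build markers, and computes the executable's SHA-1 for comparison against a hash list. The stub bundle it builds in a temporary directory is constructed test data (the bundle name reuses a dropper name from the IOC table; the bundle identifier and the fake Mach-O header are assumptions), so it runs without any sample. Two caveats a practitioner should keep in mind: heavily obfuscated Go builds can strip the build-ID strings, so their absence is inconclusive, and an x86_64-only executable still runs on Apple Silicon under Rosetta 2, so the architecture check describes the build, not the set of Macs at risk.

```python
"""Triage an .app bundle for the MetaStealer traits in the SentinelOne
write-up: a bare-minimum bundle (Info.plist, Resources/ with only an icon,
MacOS/ with one executable) whose main executable is a 64-bit Intel Mach-O
carrying Go toolchain markers. Added example, not SentinelOne's tooling."""
import hashlib
import os
import plistlib
import struct
import tempfile

MH_MAGIC_64 = 0xFEEDFACF            # 64-bit Mach-O magic, little-endian on disk
FAT_MAGIC = 0xCAFEBABE              # universal (fat) header, big-endian on disk
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
# Strings the Go toolchain leaves in a binary even when the Go source itself is
# obfuscated. A build that strips them will not match, so treat "no marker" as
# inconclusive rather than as "not Go".
GO_MARKERS = (b"Go build ID:", b"__go_buildinfo", b"go.buildid")


def macho_arches(path):
    """Return the CPU architectures of a Mach-O file, or [] if it is not one."""
    with open(path, "rb") as f:
        head = f.read(4096)
    if len(head) < 8:
        return []
    if struct.unpack("<I", head[:4])[0] == MH_MAGIC_64:
        return [CPU_NAMES.get(struct.unpack("<I", head[4:8])[0], "unknown")]
    if struct.unpack(">I", head[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", head[4:8])[0]
        arches = []
        for i in range(nfat):                      # struct fat_arch is 20 bytes
            cputype = struct.unpack(">I", head[8 + i * 20: 12 + i * 20])[0]
            arches.append(CPU_NAMES.get(cputype, "unknown"))
        return arches
    return []


def has_go_markers(path):
    with open(path, "rb") as f:
        blob = f.read()
    return any(marker in blob for marker in GO_MARKERS)


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def visible_entries(directory):
    """Sorted directory listing without dotfiles (.DS_Store etc.); [] if absent."""
    if not os.path.isdir(directory):
        return []
    return sorted(n for n in os.listdir(directory) if not n.startswith("."))


def triage_bundle(app_dir, known_sha1s=frozenset()):
    """Return a dict of findings for one .app bundle."""
    contents = os.path.join(app_dir, "Contents")
    plist_path = os.path.join(contents, "Info.plist")
    macos_dir = os.path.join(contents, "MacOS")
    res_dir = os.path.join(contents, "Resources")
    report = {"has_plist": os.path.isfile(plist_path), "minimal_bundle": False,
              "executables": [], "arches": [], "go_markers": False,
              "sha1": None, "ioc_match": False}
    if not report["has_plist"]:
        return report
    with open(plist_path, "rb") as f:
        exe_name = plistlib.load(f).get("CFBundleExecutable")
    report["executables"] = visible_entries(macos_dir)
    # "The minimum required to form a valid bundle": plist, one executable,
    # and a Resources folder holding nothing but an icon.
    report["minimal_bundle"] = (
        visible_entries(contents) == ["Info.plist", "MacOS", "Resources"]
        and len(report["executables"]) == 1
        and all(r.endswith(".icns") for r in visible_entries(res_dir)))
    exe_path = os.path.join(macos_dir, exe_name or "")
    if exe_name and os.path.isfile(exe_path):
        report["arches"] = macho_arches(exe_path)
        report["go_markers"] = has_go_markers(exe_path)
        report["sha1"] = sha1_of(exe_path)
        report["ioc_match"] = report["sha1"] in known_sha1s
    return report


def build_sample_bundle(root):
    """Constructed test data: a bundle with the report's layout whose 'executable'
    is a stub with a valid x86_64 Mach-O header and a Go build-ID string, no code.
    The bundle identifier is an assumption, not an indicator from the report."""
    app = os.path.join(root, "OfficialBriefDescription.app")
    macos_dir = os.path.join(app, "Contents", "MacOS")
    res_dir = os.path.join(app, "Contents", "Resources")
    os.makedirs(macos_dir)
    os.makedirs(res_dir)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": "OfficialBriefDescription",
                       "CFBundleIdentifier": "com.example.brief"}, f)
    with open(os.path.join(res_dir, "AppIcon.icns"), "wb") as f:
        f.write(b"icns\x00\x00\x00\x08")
    # mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2),
    # ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, 0, 0)
    with open(os.path.join(macos_dir, "OfficialBriefDescription"), "wb") as f:
        f.write(header + b'Go build ID: "stub"\n')
    return app


def demo(known_sha1s=frozenset()):
    """Build the stub bundle in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_bundle(build_sample_bundle(tmp), known_sha1s)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

To use it on a real mounted image, call `triage_bundle("/Volumes/<image>/<name>.app", known_sha1s)` with the hash set loaded from the IOC table; a report with `minimal_bundle`, `arches == ["x86_64"]` and `go_markers` all true is a strong reason to pull the sample for analysis even when the hash is not yet in the list.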

Community Impact

The SentinelOne report did not identify the geolocations or industry verticals of targeted businesses, nor the number of targets. Thus, there is currently no public information to determine whether organizations in the retail, hospitality, or travel sectors have been targeted. However, organizations are advised to maintain awareness of the MetaStealer family, as well as other infostealer malware, which is frequently leveraged against organizations in the RH-ISAC community. Organizations are encouraged to ingest the indicators of compromise (IOCs) provided by SentinelOne and to keep all Apple devices fully up to date where possible, so that the XProtect signatures Apple has released for this family are in place.

IOCs

SentinelOne provided the following IOCs. Two corrections to the table as originally published: the file hashes are 40 hexadecimal characters long, which is the length of a SHA-1 digest, not SHA-256 (64 characters), so they are labelled SHA-1 here; and every Mach-O entry describes an Intel x86_64 binary (the original labels ran from “x86_64” to “x86_116”, an auto-increment artifact, not 53 different architectures). Hashes that had been split across two lines are rejoined; file names are reproduced as published, typos included.

Indicator | Type | Notes
00b92534af61a61923210bfc688c1b2a4fecb1bb | SHA-1 | Dropper: AdobeOfficialBriefDescription[.]dmg
51e8eaf98b77105b448f4a0649d8f7c98ac8fc66 | SHA-1 | Dropper: Adobe Photoshop 2023 (with AI) installer[.]dmg
14da5241119bf64d9a7ffc2710b3607817c8df2f | SHA-1 | Dropper: Advertising terms of reference (MacOS presentation)[.]dmg
c2cd344fbcd2d356ab8231d4c0a994df20760e3e | SHA-1 | Dropper: AnimatedPoster[.]dmg
5ba3181df053e35011e9ebcc5330034e9e895bfe | SHA-1 | Dropper: CardGame[.]dmg
dec16514cd256613128b93d340467117faca1534 | SHA-1 | Dropper: Conract for paymen & confidentiality agreement Lucasprod[.]dmg (sic)
d3fd59bd92ac03bccc11919d25d6bbfc85b440d3 | SHA-1 | Dropper: FreyaVR 1[.]6[.]102[.]dmg
3033c05eec7c7b98d175df2badd3378e5233b5a2 | SHA-1 | Dropper: Matrix[.]dmg
345d6077bfb9c55e3d89b32c16e409c508626986 | SHA-1 | Dropper: OfficialBriefDescription[.]app[.]zip
35bfdb4ad20908ac85d00dcd7389a820f460db51 | SHA-1 | Dropper: P7yersOfficialBriefDescription 1[.]0[.]dmg
aa40f3f71039096830f2931ac5df2724b2c628ab | SHA-1 | Dropper: PDF[.]app[.]zip
e49c078b3c3f696d004f1a85d731cb9ef8c662f1 | SHA-1 | Dropper: TradingView[.]dmg
3161e6c88a4da5e09193b7aac9aa211a032526b9 | SHA-1 | Dropper: YoungClass brief presentation Mac 20OS[.]zip
61c3f2f3a7521920ce2db9c9de31d7ce1df9dd44 | SHA-1 | Dropper: YoungSUG(Cover references,tasks,logos,brief)\YoungSUG_Official_Brief_Description_LucasProd[.]dmg
0edd4b81fa931604040d4c13f9571e01618a4c9c | SHA-1 | Mach-O Binaries – Intel x86_64
13249e30a9918168e79cdb0f097e4b34fbbd891f | SHA-1 | Mach-O Binaries – Intel x86_64
13bcebdb4721746671e0cbffbeed1d6d92a0cf6c | SHA-1 | Mach-O Binaries – Intel x86_64
1424f9245a3325c513a09231168d548337ffd698 | SHA-1 | Mach-O Binaries – Intel x86_64
148bc97ff873276666e0c114d22011ec042fb9b9 | SHA-1 | Mach-O Binaries – Intel x86_64
15c377eb5a69f93fa833e845d793691a623f928c | SHA-1 | Mach-O Binaries – Intel x86_64
166ff1cd47a45e47721bb497b83cc84d8269b308 | SHA-1 | Mach-O Binaries – Intel x86_64
1b3ce71fa42f4c0c16af1b8436fa43ac57d74ce9 | SHA-1 | Mach-O Binaries – Intel x86_64
1cc66e194401f2164ff1cbc8c07121475a570d9f | SHA-1 | Mach-O Binaries – Intel x86_64
1df31db0f3e5c381ad73488b4b5ac5552326baac | SHA-1 | Mach-O Binaries – Intel x86_64
1df8ff1fe464a0d9baaeead3c7158563a60199d4 | SHA-1 | Mach-O Binaries – Intel x86_64
1e5319969d6a53efc0ec1345414c62c810f95fce | SHA-1 | Mach-O Binaries – Intel x86_64
291011119bc2a777b33cc2b8de3d1509ed31b3da | SHA-1 | Mach-O Binaries – Intel x86_64
2c567a37c49af5bce4a236be5e060c33835132cf | SHA-1 | Mach-O Binaries – Intel x86_64
33a5043f8894a8525eeb2ba5d80aef80b2a85be8 | SHA-1 | Mach-O Binaries – Intel x86_64
34c7977e20acc8e64139087bd16f0b0a881b044f | SHA-1 | Mach-O Binaries – Intel x86_64
3589dd0d01527ca4e8a2ec55159649083b0c50a8 | SHA-1 | Mach-O Binaries – Intel x86_64
35c3b735949151aae28ebf16d24fb32c8bcd7e6b | SHA-1 | Mach-O Binaries – Intel x86_64
35e14d8375f625b04be43019ccb8be57656b15cf | SHA-1 | Mach-O Binaries – Intel x86_64
394501f410bd9cb4f4432a32b17348cdde3d4157 | SHA-1 | Mach-O Binaries – Intel x86_64
47620d2242dfaf14b7766562e812b7778a342a48 | SHA-1 | Mach-O Binaries – Intel x86_64
57c2302c30955527293ed90bfaf627a4132386fb | SHA-1 | Mach-O Binaries – Intel x86_64
65de53298958b4f137c4bd64f31f550dd2199c36 | SHA-1 | Mach-O Binaries – Intel x86_64
70625f621f91fd6b1a433a52e57474316e0df662 | SHA-1 | Mach-O Binaries – Intel x86_64
78e8f9a93b56adc8e030403ba5f10f527941f6ae | SHA-1 | Mach-O Binaries – Intel x86_64
80c83e659c63c963f55c8add4bf62f9bec73d44e | SHA-1 | Mach-O Binaries – Intel x86_64
816fdf1fd9cf9aff2121d1b59c9cca38b5e4eb9d | SHA-1 | Mach-O Binaries – Intel x86_64
86eb7c6a4d4bec5abeb6b44e0506ab0d5a96235d | SHA-1 | Mach-O Binaries – Intel x86_64
8dfeda030bd3b38592b29d633c40e041d5f3331d | SHA-1 | Mach-O Binaries – Intel x86_64
8ec57c1b1b5409cadb99b050c3c41460d4c7fea8 | SHA-1 | Mach-O Binaries – Intel x86_64
8f211c0ef570382685d024cc8e6e8acd4a137545 | SHA-1 | Mach-O Binaries – Intel x86_64
90d7f8acf3524fcb58c7d7874a5b6e8194689b1a | SHA-1 | Mach-O Binaries – Intel x86_64
92b178817a6c9ad22f10b52e9a35a925a3dc751b | SHA-1 | Mach-O Binaries – Intel x86_64
a54c9906d41b04b9daf89c2e6eb4fdd54d0eae39 | SHA-1 | Mach-O Binaries – Intel x86_64
a8724eb5f9f8f4607b384154f0c398fce207259e | SHA-1 | Mach-O Binaries – Intel x86_64
b51d7482d38dd19b2cb1cd303e39f8bddf5452ac | SHA-1 | Mach-O Binaries – Intel x86_64
bd6b87c6f4f256fb2553627003e8bce58689d1d8 | SHA-1 | Mach-O Binaries – Intel x86_64
bdd4ce8c2622ddcf0888e05690c8b3d1a8c83dae | SHA-1 | Mach-O Binaries – Intel x86_64
be1ac5ed5dfd295be15ba5ed9fbb69f10c8ec872 | SHA-1 | Mach-O Binaries – Intel x86_64
c37751372bb6c970ab5c447a1043c58ce49e10a5 | SHA-1 | Mach-O Binaries – Intel x86_64
c4d9272ef906c7bf4ccc2a11a7107d6b7071537b | SHA-1 | Mach-O Binaries – Intel x86_64
c5429b9b4d1a8e147f5918667732049f3bd55676 | SHA-1 | Mach-O Binaries – Intel x86_64
caf4fb1077cea9d75c8ae9d88817e66c870383b5 | SHA-1 | Mach-O Binaries – Intel x86_64
cf467ca23bdb81e008e7333456dfceb1e69e9b8a | SHA-1 | Mach-O Binaries – Intel x86_64
cfa56e10c8185792f8a9d1e6d9a7512177044a8b | SHA-1 | Mach-O Binaries – Intel x86_64
d7de135a03a2124c6e0dfa831476e4069ebfba24 | SHA-1 | Mach-O Binaries – Intel x86_64
dbf0983b29a175ebbcf7132089e69b3999adeca7 | SHA-1 | Mach-O Binaries – Intel x86_64
dfd5adb749cbc5608ca915afed826650fcb0ff05 | SHA-1 | Mach-O Binaries – Intel x86_64
e5cfc40d04ea5b1dac2d67f8279c1fd5ecf053f6 | SHA-1 | Mach-O Binaries – Intel x86_64
f6f09ecc920eb694ed91e4ec158a15f1fb09f5dd | SHA-1 | Mach-O Binaries – Intel x86_64
f93dd5e3504fe79f7fcd64b55145a6197c84caa2 | SHA-1 | Mach-O Binaries – Intel x86_64
f97e22bad439d14c053966193fdfdec60b68b786 | SHA-1 | Mach-O Binaries – Intel x86_64
fce7a0c00bfed23d6d70b57395e2ec072c456cba | SHA-1 | Mach-O Binaries – Intel x86_64
13[.]114[.]196[.]60 | IP Address | Network Communications
13[.]125[.]88[.]10 | IP Address | Network Communications
api[.]osx-mac[.]com | Domain | Network Communications
builder[.]osx-mac[.]com | Domain | Network Communications
db[.]osx-mac[.]com | Domain | Network Communications
hXXps[:]//api[.]osx-mac[.]com/api/collections/victims/records | URL | Network Communications
hXXp[:]//api[.]osx-mac[.]com/chainbreaker | URL | Network Communications
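The network indicators above are the ones most teams will actually hunt on, and the usual mistakes are mechanical: forgetting to refang `[.]`/`hXXp` before matching, comparing whole URLs including query strings, and suffix-matching domains without the leading dot so that `osx-mac.com.example.net` false-positives. The script below is an added example for this summary, not SentinelOne's tooling: it loads the table's network IOCs in their defanged form, refangs them once, and scans web-proxy log lines for exact URL, domain and IP hits, plus a weaker “parent-domain” hit for any other host under the listed C2 domain. The log format and the sample lines are constructed for the example; the parent-domain heuristic is an assumption (the report lists only the three hostnames shown), and the IP indicators are the least durable of the set since hosting addresses get reassigned.

```python
"""Match proxy/web log lines against the network IOCs in the table above.
Added example, not SentinelOne's tooling. The log format and the sample
lines are constructed for this example."""
import ipaddress
import re
from urllib.parse import urlsplit

# IOCs as defanged in the table; refanged once at import time so a list can be
# pasted straight from a report.
DEFANGED_IOCS = {
    "ip": ["13[.]114[.]196[.]60", "13[.]125[.]88[.]10"],
    "domain": ["api[.]osx-mac[.]com", "builder[.]osx-mac[.]com", "db[.]osx-mac[.]com"],
    "url": ["hXXps[:]//api[.]osx-mac[.]com/api/collections/victims/records",
            "hXXp[:]//api[.]osx-mac[.]com/chainbreaker"],
}


def refang(ioc):
    """Undo common defanging: [.] [:] and hXXp(s)."""
    ioc = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE).lower()


IOCS = {kind: {refang(v) for v in values} for kind, values in DEFANGED_IOCS.items()}
# Parent of the listed hostnames (osx-mac.com), so a subdomain the report did
# not list is still surfaced as a weaker "parent-domain" hit. Heuristic, not
# an indicator from the report.
PARENT_DOMAINS = {d.split(".", 1)[1] for d in IOCS["domain"] if d.count(".") >= 2}

# Constructed log format: <timestamp> <client ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")

# Constructed sample lines: one benign, two exact C2 URL hits, one IP hit,
# one unlisted subdomain of the C2 domain, one look-alike that must NOT match.
SAMPLE_LOG = """\
2023-09-12T10:01:02Z 10.0.0.14 GET https://www.apple.com/macos/ 200
2023-09-12T10:02:17Z 10.0.0.14 POST https://api.osx-mac.com/api/collections/victims/records 200
2023-09-12T10:02:18Z 10.0.0.14 GET http://api.osx-mac.com/chainbreaker 200
2023-09-12T10:03:00Z 10.0.0.27 GET http://13.125.88.10/ 404
2023-09-12T10:04:44Z 10.0.0.27 GET https://cdn.osx-mac.com/update.bin 200
2023-09-12T10:05:10Z 10.0.0.31 GET https://api.osx-mac.com.example.net/ 200
"""


def classify_host(host):
    """Exact IP/domain hits first; parent-domain suffix match as a fallback.
    The suffix test requires a leading dot so 'osx-mac.com.example.net' does
    not match 'osx-mac.com'."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if host in IOCS["domain"]:
            return ("domain", host)
        for parent in PARENT_DOMAINS:
            if host == parent or host.endswith("." + parent):
                return ("parent-domain", parent)
        return None
    return ("ip", host) if host in IOCS["ip"] else None


def scan(log_text):
    """Return one finding per log line that touches a listed indicator."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        matches = []
        # Compare scheme://host/path only; query strings and ports vary.
        normalized = f"{parts.scheme.lower()}://{host}{parts.path}"
        if normalized in IOCS["url"]:
            matches.append(("url", normalized))
        hit = classify_host(host)
        if hit:
            matches.append(hit)
        if matches:
            findings.append({"line": lineno, "client": m["client"], "matches": matches})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"line {finding['line']} client {finding['client']}: {finding['matches']}")
```

Adapting it to a real log source means replacing `LOG_RE` with the field layout of that source; the matching logic stays the same. A POST to the `/api/collections/victims/records` path from a host that also fetched `/chainbreaker` is the pattern to escalate on, since together they match the exfiltration objective the report describes.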
