
Cybercriminals Use Fake macOS Updates to Distribute Malware “FrigidStealer”

Cybercriminals are increasingly using fake macOS update prompts to spread a new malware known as FrigidStealer, according to recent findings by cybersecurity firm Proofpoint. The attack, attributed to two separate threat actors, TA2726 and TA2727, uses a clever technique that tricks macOS users into downloading and installing malware disguised as a software update.

How the Attack Works

The fake update campaign begins when a user visits a compromised website that triggers a popup. The popup falsely warns the user that macOS or their browser must be updated before the site can be accessed. Instead of a legitimate update, the victim downloads and executes the FrigidStealer installer. Like other information stealers, the malware harvests sensitive data such as browser cookies, saved passwords, cryptocurrency wallet information, and Apple Notes files.

Stolen data is stored on the victim’s device before being sent to the attacker’s command-and-control (C2) server located at askforupdate[.]org. Proofpoint’s research shows that TA2727 is responsible for distributing the malware, while TA2726 plays a crucial role as a Traffic Distribution System (TDS) operator, redirecting traffic to the malware payloads.
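The flow above (a browser session pulling a macOS installer from a compromised site, followed by a callback to the reported C2 domain) is something a defender can look for in web-proxy logs. The script below is an added example, not code from the article or from Proofpoint: it parses a constructed proxy-log format, flags any macOS installer (.dmg/.pkg) fetched from a host outside an assumed allowlist of legitimate update sources, and flags any contact with the C2 domain named in the article. The log format, sample lines, and the allowlist are assumptions made for this example; the only value taken from the article is the C2 domain.

```python
"""Triage of web-proxy logs for the fake-update pattern described above.

Added example, not from the article or Proofpoint. Log format, sample
lines and the trusted-host allowlist are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IoC from the article, kept defanged so it is never accidentally clickable.
C2_DOMAINS_DEFANGED = {"askforupdate[.]org"}

# Assumption: hosts this organisation treats as legitimate macOS update
# sources. Replace with your own allowlist.
TRUSTED_UPDATE_HOSTS = {"swcdn.apple.com", "swscan.apple.com"}

# macOS installer artifacts a fake-update lure would serve.
INSTALLER_EXT = re.compile(r"\.(dmg|pkg)$", re.IGNORECASE)

# Constructed log format: "<timestamp> <src_ip> <method> <host> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    host: str
    reason: str


def refang(domain: str) -> str:
    """Turn a defanged IoC ('a[.]b') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line; return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src_ip, method, host, path, status = m.groups()
    return {"ts": ts, "src_ip": src_ip, "method": method,
            "host": host.lower(), "path": path, "status": int(status)}


def matches_c2(host: str, c2_domains: Iterable[str]) -> bool:
    """True if host is a C2 domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in c2_domains)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return findings for C2 contact and untrusted installer downloads."""
    c2 = {refang(d) for d in C2_DOMAINS_DEFANGED}
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        if matches_c2(rec["host"], c2):
            findings.append(Finding(rec["ts"], rec["src_ip"], rec["host"],
                                    "contact with reported FrigidStealer C2 domain"))
        elif INSTALLER_EXT.search(rec["path"]) and rec["host"] not in TRUSTED_UPDATE_HOSTS:
            findings.append(Finding(rec["ts"], rec["src_ip"], rec["host"],
                                    "macOS installer fetched from untrusted host"))
    return findings


# Constructed sample log: one legitimate update, a fake-update lure on a
# fictitious compromised site, a C2 callback, and one malformed line.
SAMPLE_LOG = """\
2025-02-18T10:01:02Z 10.0.0.5 GET swcdn.apple.com /content/downloads/update.pkg 200
2025-02-18T10:02:11Z 10.0.0.5 GET cdn.compromised-site.example /assets/app.js 200
2025-02-18T10:02:15Z 10.0.0.5 GET cdn.compromised-site.example /update/macOS-Update.dmg 200
2025-02-18T10:05:40Z 10.0.0.5 POST askforupdate.org /gate 200
malformed line that should be skipped
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.src_ip} {f.host}: {f.reason}")
```

The installer-from-untrusted-host rule is deliberately broad: it will also catch legitimate third-party software downloads, so in practice it is a hunting query to review rather than an alert to page on, while the C2-domain rule is precise enough to alert on directly.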

Targeting Multiple Platforms

Although FrigidStealer itself is macOS malware, the campaign is not limited to macOS. The same fake update lure serves Lumma Stealer and DeerStealer to Windows users and the Marcher banking trojan to Android devices.

The victims of this campaign are mostly based in North America and Europe, according to Proofpoint’s observations. While fake update scams are not new, with previous campaigns like SocGholish (operating since 2018) using similar tactics, FrigidStealer’s emergence highlights the ever-evolving nature of cybercriminal tactics.

Conclusion

Cybercriminals continue to adapt their methods, with fake update prompts being an increasingly popular way to deliver malware. Users must be cautious about unsolicited update requests and ensure they are downloading software updates from trusted sources to avoid falling victim to these kinds of attacks.
