“Upon execution, FrigidStealer uses AppleScript files and osascript to prompt the user to enter their password, and then to gather data including browser cookies, files with extensions related to password material or cryptocurrency from the victim’s Desktop and Documents folders, and any Apple Notes the user has created,” Proofpoint researchers added.
The campaign also includes Windows and Android attacks with targeted payloads. TA2726, which acts as a traffic distribution system (TDS) in the attack chain, redirects users to malware based on their location and device type. The group enables malware distributors such as TA569 and TA2727 to deliver malware by compromising websites and injecting rogue JavaScript into web pages that serve fake updates.
For example, in the attacks observed by Proofpoint, the TDS redirected North American visitors to SocGholish malware, while other regions received TA2727 payloads such as Lumma Stealer (Windows), DeerStealer (Windows), FrigidStealer (Mac), and Marcher (Android).
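As an added illustration (not code from the article or from Proofpoint), the following defender-side heuristic looks for the sequence quoted above: an osascript password prompt followed, within a short window, by the same process tree reading browser cookies, the Apple Notes store, or credential-looking files under Desktop and Documents. The telemetry format, the sample events, the sensitive-path patterns, the extension list and the time window are all assumptions made for this example.

```python
import re

# Constructed sample process telemetry: (time_s, pid, ppid, kind, detail).
# The fake updater (pid 777) spawns osascript for a hidden-answer dialog,
# then reads cookies, a Desktop seed file and the Notes database itself.
# pid 900 is a benign osascript job included as a negative case.
EVENTS = [
    (100, 501, 1, "exec", "/Applications/Safari.app/Contents/MacOS/Safari"),
    (200, 777, 1, "exec", "/Users/alice/Downloads/Safari_Update"),
    (201, 778, 777, "exec", "/usr/bin/osascript -e 'display dialog "
                            "\"Enter password\" with hidden answer'"),
    (205, 777, 1, "open", "/Users/alice/Library/Cookies/Cookies.binarycookies"),
    (206, 777, 1, "open", "/Users/alice/Desktop/wallet-seed.txt"),
    (207, 777, 1, "open", "/Users/alice/Library/Group Containers/"
                          "group.com.apple.notes/NoteStore.sqlite"),
    (300, 900, 1, "exec", "/usr/bin/osascript /Users/alice/scripts/backup.scpt"),
    (301, 900, 1, "open", "/Users/alice/Documents/report.docx"),
]

WINDOW_S = 60  # assumed: collection must follow the prompt within a minute
PROMPT_RE = re.compile(r"osascript.*display dialog.*hidden answer")
# Assumed sensitive targets: Safari cookies, Notes store, credential/crypto-
# looking extensions under Desktop or Documents (list is illustrative).
SENSITIVE_RE = re.compile(
    r"(/Library/Cookies/|/group\.com\.apple\.notes/|"
    r"/(Desktop|Documents)/.*\.(kdbx|key|seed|wallet|txt)$)")


def find_alerts(events, window=WINDOW_S):
    """Return [(root_pid, reasons)] for every osascript password prompt that is
    followed within `window` seconds by sensitive reads from the same tree."""
    parent = {pid: ppid for _, pid, ppid, kind, _ in events if kind == "exec"}

    def root(pid):  # walk up to the top-most ancestor below launchd (pid 1)
        while parent.get(pid, 1) != 1:
            pid = parent[pid]
        return pid

    alerts = []
    for t, pid, _, kind, detail in events:
        if kind != "exec" or not PROMPT_RE.search(detail):
            continue
        tree_root = root(pid)
        reasons = [f"{t}: osascript password prompt (pid {pid})"]
        for t2, pid2, _, kind2, detail2 in events:
            if (kind2 == "open" and t <= t2 <= t + window
                    and root(pid2) == tree_root and SENSITIVE_RE.search(detail2)):
                reasons.append(f"{t2}: sensitive read {detail2}")
        if len(reasons) > 1:  # prompt alone is not enough; require collection
            alerts.append((tree_root, reasons))
    return alerts


if __name__ == "__main__":
    for root_pid, reasons in find_alerts(EVENTS):
        print(f"ALERT root pid {root_pid}:", *reasons, sep="\n  ")
```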