New FrigidStealer Malware Attacking macOS Users to Steal Login Credentials
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
FrigidStealer, a sophisticated information-stealing malware that emerged in January 2025, is actively targeting macOS endpoints to steal sensitive user data through deceptive tactics.<\/p>\n
Unlike traditional malware, FrigidStealer exploits user trust in routine software updates, making it particularly insidious.<\/p>\n
The malware has raised significant concerns among cybersecurity experts due to its ability to bypass standard security measures while harvesting valuable personal information from unsuspecting users.<\/p>\n
The attack vector relies on social engineering techniques, specifically distributing malicious code via fake browser update pages hosted on compromised websites.<\/p>\n
Users are tricked into downloading a malicious disk image file (DMG) that requires manual execution.<\/p>\n
Once initiated, the malware bypasses macOS Gatekeeper protections by cleverly prompting users to enter their password via AppleScript, granting it elevated privileges on the system.<\/p>\n
Wazuh analysts identified<\/a> the malware\u2019s sophisticated operational mechanics during their recent investigation of emerging threats to macOS environments.<\/p>\n Their research revealed that FrigidStealer\u2019s financial motivations are potentially linked to the notorious EvilCorp syndicate, underscoring its serious threat to both individual users and enterprises.<\/p>\n The stolen data includes credentials and cryptocurrency wallets<\/a>, posing significant risks of identity theft and financial fraud.<\/p>\n Upon execution, the malware registers itself as an application named \u201cddaolimaki-daunito\u201d on the macOS endpoint, with the executable path typically located at \u201cVolumes\/Safari Updater\/Safari Updater.app.\u201d<\/p>\n This deceptive naming convention further enhances its ability to remain undetected by casual users who might mistake it for legitimate software<\/a> components.<\/p>\n FrigidStealer establishes persistence through sophisticated techniques that ensure it remains operational across system restarts.<\/p>\n The malware leverages launchservicesd as a foreground application with bundle ID \u201ccom.wails.ddaolimaki-daunito\u201d to maintain its presence on infected systems.<\/p>\n This persistence<\/a> strategy is particularly effective as it mimics legitimate system processes.<\/p>\n The data exfiltration process involves using Apple Events for unauthorized inter-process communication to target sensitive information.<\/p>\n This technique allows the malware<\/a> to access browser credentials, filesystem data, and system configuration details without triggering standard security alerts.<\/p>\n A sample of the malware\u2019s execution can be detected through the following command pattern:-<\/p>\n After successfully harvesting credentials and other valuable data, FrigidStealer exfiltrates the stolen information to command-and-control servers through DNS data exfiltration via the mDNSResponder process.<\/p>\n This technique is particularly insidious as it disguises malicious traffic as legitimate DNS queries, making detection challenging through conventional network monitoring tools<\/a>.<\/p>\n Following successful exfiltration, the malware terminates its main process to eliminate traces of its operation, further complicating forensic analysis.<\/p>\n As this threat continues to evolve, cybersecurity experts recommend implementing comprehensive endpoint protection specifically designed for macOS environments, maintaining vigilance regarding software update prompts, and utilizing specialized detection tools like Wazuh that can identify the unique behavioral patterns associated with FrigidStealer infections.<\/p>\n The post New FrigidStealer Malware Attacking macOS Users to Steal Login Credentials<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nPersistence Mechanism and Data Exfiltration<\/strong><\/h2>\n
# Detection of FrigidStealer DNS exfiltration\n\n macOS_mDNSResponder\n (?i)(DNSServiceQueryRecord).*mask.hash: '(S+)'.*pid:(d+).*((.+))\n program_type,hash,pid,process_name<\/code><\/pre>\nHow SOC Teams Save Time and Effort with ANY.RUN -\u00a0Live webinar for SOC teams and managers<\/a><\/code><\/strong><\/p>\n