
February 18, 2025, by Ravie Lakshmanan (Threat Intelligence / Malware)

Cybersecurity researchers have identified a new campaign that uses web injects to deliver a newly discovered Apple macOS malware known as FrigidStealer.

This activity has been linked to a previously unknown threat actor, referred to as TA2727, which also distributes information stealers for other platforms, including Windows (Lumma Stealer or DeerStealer) and Android (Marcher).

According to the Proofpoint Threat Research Team, TA2727 is a “threat actor that uses fake update themed lures to distribute a variety of malware payloads,” as stated in a report shared with The Hacker News.

TA2727 is one of the newly identified threat activity clusters, along with TA2726, which is believed to be a malicious traffic distribution system (TDS) operator that facilitates traffic distribution for other threat actors to deliver malware. This financially motivated threat actor is thought to have been active since at least September 2022.

TA2726 acts as a TDS for TA2727 and another threat actor called TA569, which is responsible for distributing a JavaScript-based loader malware known as SocGholish (also known as FakeUpdates), often disguised as a browser update on legitimate-but-compromised sites.

“TA2726 is financially motivated and works with other financially motivated actors, such as TA569 and TA2727,” the company noted. “This actor is most likely responsible for the web server or website compromises that lead to injects operated by other threat actors.”

Both TA569 and TA2727 are similar in that their payloads are delivered through websites compromised with malicious JavaScript injects that mimic browser updates for web browsers like Google Chrome or Microsoft Edge. TA2727 differs, however, in its use of attack chains that serve different payloads based on the visitor's geography or device.

If a user visits a compromised website in France or the U.K. on a Windows computer, they are prompted to download an MSI installer file that launches Hijack Loader (also known as DOILoader), which, in turn, loads Lumma Stealer.

On the other hand, the same fake update redirect, when visited from an Android device, leads to the deployment of a banking trojan known as Marcher, which has been detected in the wild for over a decade.

As of January 2025, the campaign has been updated to target macOS users outside of North America, redirecting them to a fake update page that downloads a new information stealer codenamed FrigidStealer.
