This post dives into macOS MetaStealer malware, a new family of obfuscated Go-based infostealers that targets business users through social engineering and malicious DMG droppers.
You'll learn how it operates, the signs to watch for, and best practices for defending your macOS environment.
macOS MetaStealer Malware Overview
What Is macOS MetaStealer Malware?
MetaStealer is a Go-based infostealer that emerged in mid-2023. Unlike typical macOS malware spread through torrents or cracked software, its droppers masquerade as legitimate business documents, luring victims into mounting a disk image and unwittingly launching the payload.
Anatomy of a Malicious Application Bundle
DMG Contents
Each MetaStealer disk image contains an application bundle made up of:
An Info.plist defining the bundle.
A Resources folder with icons.
A MacOS folder holding the obfuscated executable.
Execution Requirements
No code signature: the bundle is unsigned, so Gatekeeper refuses to open it by default and the victim must explicitly override that block (for example via Control-click > Open) before the payload runs.
Intel x86-64 only: the executable carries no arm64 slice, so on Apple silicon it runs only under Rosetta 2.
Deep Dive: Obfuscated Go Executable
How It Is Obfuscated
Stripped build IDs and symbol names: the executable is obfuscated with Garble, which renames functions and strips Go build IDs, defeating simple symbol-based signatures.
Residual Go artifacts: despite the obfuscation, the routines for harvesting the keychain, saved passwords, and files remain identifiable in the binary.
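As an added example (not code from the original post or from any vendor's tooling), the following Python script performs the triage checks described in the two sections above on a Mach-O file pulled from a mounted DMG: which CPU slices it carries (an x86_64-only binary needs Rosetta 2 on Apple silicon), whether an LC_CODE_SIGNATURE load command is present, and whether Go-related strings survive obfuscation. The two sample binaries are constructed inside the script so it runs offline; the strings in GO_MARKERS are my own assumptions about what to look for, not indicators published for MetaStealer.

```python
"""Triage a Mach-O payload pulled from a suspicious DMG: CPU slices,
presence of a code-signature load command, and leftover Go strings.
Added example; the sample binaries below are constructed, not real malware."""
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O, read little-endian
FAT_MAGIC = 0xCAFEBABE            # universal (fat) header, stored big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

# Assumed strings worth looking for in a Garble-obfuscated Go stealer.
# Illustrative choices, not indicators published for MetaStealer.
GO_MARKERS = (b"Go buildinf:", b"keychain", b"runtime.main")


def parse_thin(blob, offset=0):
    """Parse one 64-bit little-endian Mach-O at `offset`; report its arch and
    whether an LC_CODE_SIGNATURE load command is present."""
    magic, cputype, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from(
        "<8I", blob, offset)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O at offset %d" % offset)
    signed = False
    pos = offset + 32                       # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        if pos + 8 > len(blob):
            raise ValueError("load commands run past end of file")
        cmd, cmdsize = struct.unpack_from("<2I", blob, pos)
        if cmdsize < 8:
            raise ValueError("bad load command size")
        if cmd == LC_CODE_SIGNATURE:
            signed = True
        pos += cmdsize
    return {"arch": CPU_NAMES.get(cputype, hex(cputype)), "signed": signed}


def triage(blob):
    """Handle thin or fat files and summarize what a responder needs to know."""
    slices = []
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        for i in range(nfat):
            cputype, _sub, off, _size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
            slices.append(parse_thin(blob, off))
    else:
        slices.append(parse_thin(blob, 0))
    arches = sorted({s["arch"] for s in slices})
    return {
        "arches": arches,
        "signed": all(s["signed"] for s in slices),
        "needs_rosetta": "x86_64" in arches and "arm64" not in arches,
        "go_markers": [m.decode() for m in GO_MARKERS if m in blob],
    }


def triage_file(path):
    with open(path, "rb") as fh:
        return triage(fh.read())


# --- constructed samples: headers and load commands only, no real code ---
def build_macho(cputype, load_cmds, payload=b""):
    body = b"".join(struct.pack("<2I", cmd, 8 + len(extra)) + extra for cmd, extra in load_cmds)
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 3, 2, len(load_cmds), len(body), 0, 0)
    return header + body + payload


def build_fat(thins):
    table, data = b"", b""
    base = 8 + 20 * len(thins)
    for cputype, blob in thins:
        table += struct.pack(">5I", cputype, 3, base + len(data), len(blob), 0)
        data += blob
    return struct.pack(">2I", FAT_MAGIC, len(thins)) + table + data


# Profile the post describes: unsigned, x86_64 only, Go strings left behind.
UNSIGNED_X86 = build_macho(CPU_TYPE_X86_64, [(LC_SEGMENT_64, b"\0" * 64)],
                           payload=b"...Go buildinf:...keychain...")
# Contrast: a universal binary whose slices both carry a signature command.
SIGNED_UNIVERSAL = build_fat([
    (CPU_TYPE_X86_64, build_macho(CPU_TYPE_X86_64, [(LC_CODE_SIGNATURE, struct.pack("<2I", 0, 0))])),
    (CPU_TYPE_ARM64, build_macho(CPU_TYPE_ARM64, [(LC_CODE_SIGNATURE, struct.pack("<2I", 0, 0))])),
])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(triage_file(sys.argv[1]))
    else:
        print("constructed unsigned x86_64 sample:", triage(UNSIGNED_X86))
        print("constructed signed universal sample:", triage(SIGNED_UNIVERSAL))
```

Run it against Contents/MacOS/<binary> from a mounted image. It only understands 64-bit little-endian Mach-O and fat wrappers, and the presence of LC_CODE_SIGNATURE says nothing about whether the signature is valid or notarized; on a macOS host, confirm with `codesign -dv --verbose=4` and `lipo -archs` before drawing conclusions.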
Network Indicators
Connections to domains such as api.osx-mac[.]com and db.osx-mac[.]com.
TCP connections to the IPs 13[.]125[.]88[.]10 or 13[.]114[.]196[.]60 on port 3000.
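As an added example (not code from the original post), here is a small Python hunt over constructed DNS and connection log lines in an assumed `<timestamp> <host> dns|conn <value>` format. It refangs the indicators above only in memory, matches domains by exact or subdomain match rather than by substring, and reports an IOC IP seen on a port other than 3000 as a lower-confidence hit instead of dropping it.

```python
"""Hunt DNS/connection logs for the MetaStealer network indicators.
Added example with a constructed log format; IOCs are refanged only in memory."""
import re

# Indicators as published (defanged); the IP/port pairing is from the post.
DEFANGED_DOMAINS = ("api.osx-mac[.]com", "db.osx-mac[.]com")
DEFANGED_IPS = ("13[.]125[.]88[.]10", "13[.]114[.]196[.]60")
C2_PORT = 3000


def refang(ioc):
    return ioc.replace("[.]", ".")


DOMAINS = frozenset(refang(d) for d in DEFANGED_DOMAINS)
IPS = frozenset(refang(i) for i in DEFANGED_IPS)

# Assumed log format: "<timestamp> <host> dns <qname>" or "<timestamp> <host> conn <ip>:<port>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|conn) (?P<value>\S+)$")

# Constructed sample lines, not a real capture.
SAMPLE_LOG = """\
2023-09-11T10:01:02Z mbp-finance-07 dns api.osx-mac.com
2023-09-11T10:01:02Z mbp-finance-07 conn 13.125.88.10:3000
2023-09-11T10:01:05Z mbp-finance-07 dns updates.apple.com
2023-09-11T10:02:30Z mbp-sales-02 conn 13.114.196.60:3000
2023-09-11T10:03:00Z mbp-sales-02 conn 13.114.196.60:443
2023-09-11T10:04:00Z mbp-hr-01 dns db.osx-mac.com.lookalike.example
"""


def match_domain(qname):
    """Exact or subdomain match. A naive substring test would wrongly flag
    'db.osx-mac.com.lookalike.example', which is not under the IOC domain."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in DOMAINS)


def hunt(log_text):
    """Return (line_no, host, ioc_type, value, confidence) for each IOC hit.
    An IOC IP on a port other than 3000 is kept at lower confidence rather than
    dropped: addresses get reassigned, but the host still deserves a look."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        host, kind, value = m["host"], m["kind"], m["value"]
        if kind == "dns" and match_domain(value):
            hits.append((n, host, "domain", value, "high"))
        elif kind == "conn":
            ip, _, port = value.rpartition(":")
            if ip in IPS:
                conf = "high" if port == str(C2_PORT) else "medium"
                hits.append((n, host, "ip", value, conf))
    return hits


def hosts_to_isolate(hits):
    """Hosts with at least one high-confidence hit, for the containment ticket."""
    return sorted({h[1] for h in hits if h[4] == "high"})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for hit in found:
        print("line %d  %-15s %-6s %-32s %s" % hit)
    print("isolate:", hosts_to_isolate(found))
```

Adapt LINE_RE to your own source (Zeek conn and dns logs, resolver logs, or your EDR's network events); the matching and confidence rules stay the same. The medium-confidence IP hits are a prompt to look at the host, not a verdict, since the addresses can be reassigned after the campaign ends.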
Related Threats: Comparing MetaStealer and Atomic Stealer
Delivery Vectors: Atomic Stealer uses malvertising; MetaStealer uses business lures.
Code Overlap: Both are Go-based and use AppleScript for error prompts but show minimal shared code.
Possible Links: Similar techniques may indicate shared developers or parallel evolution.
Mitigation Strategies for macOS MetaStealer Malware
Deploy Advanced Endpoint Protection: Use solutions that detect on write and on execution (e.g., SentinelOne Singularity).
Monitor Indicators of Compromise: Hunt DNS and proxy logs for the known domains and IP:port pairs, and endpoint inventories for the known Mach-O hashes.
Enforce Gatekeeper Policies: Require signed, notarized software, block execution of unsigned apps, and make sure users are not routinely taught to bypass the Gatekeeper prompt.
User Awareness Training: Warn staff about opening unexpected DMGs, even when they appear work-related.
Conclusion
The emergence of macOS MetaStealer malware underscores a shift toward precisely targeted infostealers disguised as business files.
By understanding its delivery methods, obfuscation tactics, and network indicators, security teams can shore up their defenses and protect valuable credential stores.
Join the Conversation
💬 Has your organization encountered this threat or similar Go-based infostealers?
What detection or training measures have worked for you?
Share your insights in the comments or with #MacInfostealer on social media!