AppleInsider · Kasper's Automated Slave
-
New malware strain stealing business data from Intel Macs
Malware called "MetaStealer" is being used by hackers to attack businesses and to steal data from Intel-based Macs, with techniques including posing as legitimate app installers.
Malware attacks against macOS continue to be a problem, and the main reason the attacks succeed is that users are coerced into opening executables. In a report detailing a family of macOS "infostealers" referred to as "MetaStealer," security researchers explain how it works by tricking users into opening disk images.
According to Phil Stokes of SentinelOne, MetaStealer attackers are targeting businesses running macOS systems. The attackers pose as fake clients and socially engineer victims into running the malicious payloads on their Mac.
Many samples supplied to SentinelOne reveal that the disk image file holding the payload was often given names that could be of interest to business users. This ranges from names for presentations, a "Concept A3 full menu with dishes and translations to English," and "Conract for paymen & confidentiality agreement Lucasprod" [sic], to the names of installers for Adobe products like Photoshop.
It is believed that targeting business users directly is an unusual move for malware users, as malware is typically distributed en masse, such as in fake torrents.
Achieving an installation is also made harder for the attackers in a number of ways. Since the disk image contains little beyond the payload, the file also tends not to include an Apple Developer ID string, and it uses neither code signing nor ad-hoc signing.
These create extra obstacles, namely that attackers have to somehow convince the would-be victim to override Gatekeeper and OCSP. All of the collected samples are single-architecture Intel x86_64 binaries, so while they would be usable on Intel Macs directly, they would need to use Rosetta to run on Apple Silicon Macs.
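The two sample traits described above (a single x86_64 architecture and no code signature of any kind) can be read statically from the Mach-O header and load commands. The following is an added example, not code from the article or from SentinelOne; `triage_macho`, `build_sample` and the `review` flag are hypothetical names, and the inputs are constructed headers rather than real samples. A match is a reason to look closer, not a verdict, since legitimate unsigned Intel-only binaries exist.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF   # thin 64-bit Mach-O (little-endian on disk)
FAT_MAGIC = 0xCAFEBABE     # universal binary; its header is big-endian
LC_CODE_SIGNATURE = 0x1D   # present for Developer ID and ad-hoc signatures
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}


def _parse_thin(data):
    """Return (architecture, has_signature_load_command) for one thin slice."""
    magic, cputype, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    offset, signed = 32, False          # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, offset)
        if cmdsize < 8:
            raise ValueError("corrupt load command size")
        signed = signed or cmd == LC_CODE_SIGNATURE
        offset += cmdsize
    return CPU_NAMES.get(cputype, hex(cputype)), signed


def triage_macho(data):
    """Summarise architectures and signing; flag Intel-only, unsigned files."""
    slices = [data]
    if struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        (count,) = struct.unpack_from(">I", data, 4)
        if count > 16:                  # Java .class files share this magic
            raise ValueError("implausible slice count, not a universal binary")
        slices = []
        for i in range(count):
            _, _, off, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
            slices.append(data[off:off + size])
    parsed = [_parse_thin(s) for s in slices]
    archs = [arch for arch, _ in parsed]
    signed = any(sig for _, sig in parsed)
    return {"archs": archs, "signed": signed,
            "review": archs == ["x86_64"] and not signed}


def build_sample(cputype, cmds):
    """Constructed input: a header plus empty 16-byte load commands, no code."""
    body = b"".join(struct.pack("<4I", c, 16, 0, 0) for c in cmds)
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 3, 2, len(cmds), len(body), 0, 0)
    return header + body


if __name__ == "__main__":
    print(triage_macho(build_sample(0x01000007, [0x19])))   # unsigned Intel-only
    print(triage_macho(build_sample(0x0100000C, [0x19, LC_CODE_SIGNATURE])))
```

The check only looks for the presence of an `LC_CODE_SIGNATURE` load command; validating the signature itself is the job of `codesign --verify` on macOS.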
While users should be vigilant and use caution when opening questionable files sent by others, or downloaded from unofficial sources, Apple has already introduced some protective measures. As part of XProtect update x2170, Apple includes a detection signature that impacts some versions of MetaStealer.
SentinelOne has also released a list of Indicators of Compromise, intended for use by IT and security teams working for enterprise, which follows below.
Indicators of Compromise
Network Communications - IPs
- 13[.]114.196[.]60
- 13[.]125.88[.]10
Network Communications - Domains
- api.osx-mac[.]com
- builder.osx-mac[.]com
- db.osx-mac[.]com
Developer ID
- Bourigaultn Nathan (U5F3ZXR58U)
-
Google antitrust trial already getting formal protests from Apple
On the second day of Google's antitrust trial, Apple protested poor handling of secret data -- presumably about how much Google pays the company to stay iPhone's default search engine.
Google antitrust trial underway
The U.S. government is investigating Google for abusing its power as a search giant, in proceedings led by Judge Amit Mehta. Key executives from Apple play an important role in this investigation due to the financial deals between Google and Apple around search.
In a report from the Washington Post, unspecified secret information was shared during the public opening statements on Tuesday, and Apple has filed a confidentiality protest. It seems Justice Department attorney Kenneth Dintzer shared data in the public call that Apple and Google believe to be part of the confidential trade secrets meant to be protected by the trial's proceedings.
The report didn't specify the numbers in question, but we assume it is a statement where Dintzer says, "In 2020, Google paid 4 to 7 billion dollars under the ISA." The District Attorney claims this was public information and not confidential. The Information Services Agreement, or ISA, sets the terms under which Google pays Apple to be the default search engine.
The judge acknowledged Apple's protest but chose to keep moving forward with the trial.
"From where I'm sitting, everyone has been quite diligent," Judge Mehta said. "There's a large volume of material here."
Since significant confidential trade information is at play, the rest of the trial is being held behind closed doors. The Justice Department has the next month to present its case, followed by two weeks for state attorneys general to make a supplementary case.
Google will have three weeks to make its defense, starting October 25.
It's no secret that Google pays Apple some sum of money to remain the default search engine, but how much isn't clear. The $4 billion to $7 billion estimate mentioned in the trial seems incredibly conservative, considering rumors placed the number at about $9.5 billion in 2018.
Payments from Google have seemingly gone up since then, with $11 billion paid in 2020 and $15 billion in 2021. These incredible amounts are what the government argues is part of Google's abuse of power and stamping out competition.
This trial has only just begun and will take months to resolve. AppleInsider will provide additional updates as they become public.
Read on AppleInsider -
Apple sneaks in very old devices into iPhone 15 event video -- and omits one, too
Hidden in the background of many moments in Apple's iPhone 15 launch event were familiar old products, but there was also a very surprising omission.
Spot the iSight box in the background
Apple likes to make it look as if those presentations from the middle of an office are where people really work. We may never know if that's true or whether each one is just a set like we've seen with living rooms and kitchens.
But whether it's a stage set or a carefully tidied up real office, this time we got to see more than usual. You always had to look behind the presenters or to the edge of frame, but if you did, you could catch famous Apple devices.
Apple talks A17 processor design
Around 64 minutes into the iPhone 15 launch video, Apple takes us into a quite wide, open plan area to listen to Sribalan Santhanam, the company's vice president of Silicon Engineering Group, detail the benefits of the A17 processor.
But if you look at the far wall at the very start as the camera heads into the room, you can make out an original Bondi Blue iMac on a shelf.
Even picked out in red, it's hard to see that there's an original iMac here
You really have to look for the next one because it begins right at the edge of the frame, and is then quickly obscured. But it appears to be a Macintosh SE, possibly a Macintosh SE/30.
Either a Macintosh SE or a Macintosh SE/30
Then later when he has moved across the room, he passes near a desk that has an iPhone on it. Although it isn't very clear, it appears to be an original iPhone.
That looks like an original iPhone on the desk
Behind the camera
Then at around 72 minutes in, we're taken to join Misha Scepanovic, Apple's Director of Optical Engineering, who talks about the iPhone 15 Pro's camera systems.
And does so while walking by what looks like the packaging for an iSight camera. That was discontinued by Apple around 2008.
Suitably blurry, that's an iSight camera in the background
A year before in 2007, Apple also discontinued its iPod Hi-Fi system. This was where you were intended to slot your iPod into the top of a speaker system, and we now learn that Apple held on to one.
Apple has held on to at least one iPod Hi-Fi
Not pictured
While there may even have been more such famous artifacts hidden around Apple Park and in the video, there was one striking omission.
Previously whenever we would see into these apparently real working spaces at Apple, there would be many Mac Pro machines on the floor beside desks.
There were none in this year's event video. Instead, every desk had a Mac Studio on it.
Maybe that's actually proof that these are genuine working spaces -- and that the New Mac Pro isn't cutting it.
Read on AppleInsider -
Apple's 'Mother Nature' sketch was a complete dud, and didn't belong in the iPhone 15 even...
Apple paused its iPhone 15 launch for an awkward five-minute comedy sketch showing a personified Mother Nature being impressed by the firm's environmental work -- and it didn't belong in the event at all.
Tim Cook in Apple's Mother Nature sketch
It would be so interesting to find out who wrote Apple's Mother Nature skit because the odds are that it was written while the Writers' Guild of America strike has been on. Leaving aside whether that's entirely legal -- a TV show wouldn't have been able to do it but a corporate video presumably could -- there's also the issue that Writers' Guild of America members would hopefully have written it better.
Apple usually does these event videos well -- during COVID, Apple transitioned spectacularly from live events to prerecorded videos. Forget the devices being launched, the events as shows were immediately remarkable.
You expect professional, you expect style, but we've all seen enough corporate and technology videos to know they can be disastrous instead. So Apple should be applauded for so flawlessly and instantly becoming a producer of feature-length adverts.
Apple events are marketing, but this was bad marketing
That is what these events are, of course, they're advertisements for a rapt public. Apple is very good at selling and it knows that there are many ways to do it, but the firm is still always selling.
Even the opening film this time was about sales. It showed people whose lives had been saved because of Apple devices and it was excellent.
You cannot conceive of Samsung doing this, this way. Not one of the people shown gave a direct plug to Apple or the device in question, other than wearing them or using them.
That made the film be about the people and Apple knows that when you've done a video well, it lifts up everything around it.
But then there was the Mother Nature sketch. In theory, it sounds fine. Instead, it was a bomb.
Octavia Spencer as "Mother Nature"
Octavia Spencer plays a personified Mother Nature who comes to Apple. Everyone is scared of her, but they manage to convince her that Apple is doing remarkably well environmentally.
For five minutes, we had the same thing over and over. It might be about materials one moment and packaging the next, but it was a single gag stretched out too far.
It was stretched so thin that you could see the thinking behind it. Every single element was good by itself, and no one would cut anything.
But the result is that every single element was undermined by the repetition. And instead of Apple showing it was better than just sell-sell-sell videos, the result was that the sketch felt like padding in an event that's like drinking tech data from a fire hose.
It was unnecessary padding, too, as Apple did not have to hit a certain running time.
To be clear, if it had worked, had it been written better, it would have been a stand-out section of the presentation. But it didn't, so it felt like padding in a strange place in the event, and it dragged down the whole show.
In writing, you have to kill your darlings. You have to cut scenes and paragraphs, sometimes entire sections of a piece, to make the whole better.
And that's even if you've got Tim Cook and Lisa Jackson in a room for a morning.
That said, Jackson and Cook turn out to be... adequate... at acting. Cook can't really match Octavia Spencer in their face-off at the end, but few could, and he conveyed worry well.
He did also have to mutter lines that he was "practicing" to say to Mother Nature, but a similar gag was done this week on "Only Murders in the Building." If Martin Short and Steve Martin pulled it off more naturally, they do have a lot more experience.
And better writers.
Read on AppleInsider -
Apple releases detailed PDFs of iOS 17 and macOS Sonoma features
Users curious about what's coming with iOS 17 and macOS Sonoma can get a long list of features directly from Apple in PDF form.
macOS Sonoma
Apple is set to release iOS 17 on September 18 and macOS Sonoma on September 26. After a summer filled with betas, the operating systems are finally ready for the public.
After the Wonderlust event on Tuesday, Apple released two new documents that list nearly every new feature coming to the new updates. Get the macOS Sonoma PDF or the iOS 17 PDF.
New features for iOS 17 include interactive widgets, StandBy mode, and new social upgrades like NameDrop and Contact Posters. macOS Sonoma gets access to iPhone widgets on the desktop, a new screensaver experience, and Game Mode.
Many features are shared across the ecosystem and aren't limited to iOS or macOS. These include Safari Profiles, video conferencing gestures, and locked private browsing mode.
Apple will release iOS 17, iPadOS 17, watchOS 10, and tvOS 17 on September 18. macOS Sonoma arrives on September 26.
Read on AppleInsider