This year has seen an explosion of infostealers targeting the macOS platform. Throughout 2023, we have observed a number of new infostealer families including MacStealer, Pureland, Atomic Stealer and RealStealer (aka Realst). Over the last few months, we have also been tracking a family of macOS infostealers we call ‘MetaStealer’. Last week, Apple dropped a new signature for XProtect that detects some (but not all) variants of the MetaStealer family.
In this post, we describe how MetaStealer differs from other recent macOS stealers and point out some intriguing overlaps with other malware. We show how threat actors are proactively targeting businesses running macOS by posing as prospective clients in order to socially engineer victims into launching malicious payloads, and we provide a comprehensive list of indicators to help threat hunters and security teams identify MetaStealer in their environments. All SentinelOne customers are automatically protected from macOS MetaStealer.