New Mac malware ‘FrigidStealer’ spreads through fake browser updates.

org. The attack chain starts when a user visits a compromised website.

TA2726’s traffic distribution system (TDS) redirects them to a malicious domain controlled by TA2727. Based on the visitor’s operating system and browser, the page serves a tailored fake update prompt; Mac users are shown what looks like a legitimate Google Chrome or Safari update.

Clicking the “Update” button downloads a malicious DMG, and the installation instructions tell the user to bypass macOS Gatekeeper, which would otherwise block an app that is not signed and notarized through Apple. The FrigidStealer payload is a Mach-O executable built with the Wails (WailsIO) framework, which gives the fake installer a convincing native-looking interface.

Once running, the malware collects sensitive data from the machine and exfiltrates it to its command-and-control server, completing the attack.

How to protect against FrigidStealer

To stay safe from fake update scams, be wary of any unexpected software update prompt, especially one that appears while browsing the web. Instead of clicking the pop-up, go directly to the vendor’s official website or use the app’s built-in update function so you know the software is legitimate. If an installer asks you to work around Gatekeeper (for example by right-clicking and choosing Open), treat that as a red flag rather than a normal installation step.

Finally, keeping your security software up to date will help detect and block potential threats.
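The advice above boils down to one check a Mac user can run before opening a downloaded “browser update”: confirm that it is signed by the expected developer and that Gatekeeper itself would accept it, rather than clicking through the bypass the installer asks for. The script below is an added example written for this article; it is not code from the original page or from the researchers who reported FrigidStealer. It assumes a small allowlist of trusted Apple Developer Team IDs (Google LLC’s EQHXZ8M8AV is used for Chrome; any other IDs you add are your own assumptions), and it relies on the standard macOS `codesign` and `spctl` tools, so the full assessment only runs on a Mac.

```shell
#!/bin/sh
# Added example: verify a downloaded macOS app instead of bypassing Gatekeeper.
# Not part of the original article. The Team ID allowlist is an assumption
# for illustration; extend it for the vendors you actually download from.

# Developer Team IDs trusted for "browser update" downloads.
# EQHXZ8M8AV is the Google LLC Developer ID team that signs Chrome.
TRUSTED_TEAM_IDS="EQHXZ8M8AV"

# team_id_trusted TEAMID -> 0 if TEAMID is in the allowlist, 1 otherwise.
team_id_trusted() {
    for id in $TRUSTED_TEAM_IDS; do
        [ "$1" = "$id" ] && return 0
    done
    return 1
}

# extract_team_id reads `codesign -dv --verbose=4` output on stdin and prints
# the TeamIdentifier value. Unsigned or ad-hoc signed apps report "not set",
# which is filtered out so the caller sees an empty string.
extract_team_id() {
    sed -n 's/^TeamIdentifier=//p' | grep -v '^not set$' | head -n 1
}

# assess_app APP_PATH -> 0 if the bundle's signature verifies, the signer is
# in the allowlist and Gatekeeper accepts it; 1 if any check fails;
# 2 if the macOS tools are not available on this system.
assess_app() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "codesign/spctl not found: run this on macOS" >&2
        return 2
    fi
    # A fresh download normally carries the quarantine attribute; its absence
    # means something (an installer script, or the user) already stripped it.
    if ! xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
        echo "NOTE: $app is not quarantined; Gatekeeper will not assess it on launch"
    fi
    # Strict verification rejects unsigned, tampered or partially signed bundles.
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "REJECT: signature missing or invalid: $app"
        return 1
    fi
    # codesign -dv writes its details to stderr, hence the redirect.
    team=$(codesign -dv --verbose=4 "$app" 2>&1 | extract_team_id)
    if ! team_id_trusted "$team"; then
        echo "REJECT: signed by unexpected team '${team:-none}': $app"
        return 1
    fi
    # Gatekeeper's own verdict (Developer ID signature plus notarization).
    # If this fails, the right move is to delete the file, not to override it.
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "REJECT: Gatekeeper would block this app; do not override it: $app"
        return 1
    fi
    echo "OK: $app is signed by team $team and accepted by Gatekeeper"
    return 0
}

# Usage: sh assess_app.sh "/Volumes/Google Chrome/Google Chrome.app"
if [ "$#" -gt 0 ]; then
    assess_app "$1"
fi
```

A genuine Chrome download passes all three checks without any manual intervention; the FrigidStealer installer, by the article’s own description, cannot, which is exactly why it has to talk the user into bypassing Gatekeeper.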
