The Fake Download That Steals Everything: How Deceptive Installers Are Targeting macOS Users
Threat actors are increasingly targeting macOS environments with infostealers delivered via deceptive .dmg disk images. These attacks rely on social engineering tactics, such as custom background images and misleading filenames, to trick users into bypassing Apple's Gatekeeper protections. This enables rapid 'smash-and-grab' data theft without the need for the malware to establish persistence on the host.
- Domain: aricl[.]net. Fake Arc browser download site used to distribute deceptive macOS installers (identified via article images).
- Filename: ChromeSetup.scpt. Malicious AppleScript masquerading as a Google Chrome installer to execute infostealer payloads.
- Filename: DragintoTerminal.msi. Deceptive filename used within a mounted DMG to trick users into executing the payload via the macOS Terminal.
What Happened
Cybercriminals are tricking Mac users into downloading fake software installers that steal passwords, cookies, and crypto wallets. Instead of hacking the system, these fake installers use clever images and instructions to convince users to bypass Apple's built-in security warnings. Because the theft happens instantly, the attackers don't even need to leave a permanent virus on the computer. Users should be extremely careful when downloading software, especially from search engines or piracy sites, and organizations should monitor for suspicious disk image activity.
Key Takeaways
- macOS infostealers are predominantly delivered via deceptive .dmg disk images using social engineering to bypass Gatekeeper.
- Attackers use custom background images or misleading filenames (e.g., 'Drag to Terminal') to trick users into executing the payload.
- These infostealers operate as rapid 'smash-and-grab' attacks, stealing credentials and crypto wallets without attempting to establish persistence.
- Huntress detects these threats by shifting left: monitoring the macOS Endpoint Security (ES) API for virtual mount events and analyzing the disk image contents before execution.
- Detection logic includes checking for hidden '.background' directories, using OCR on background images, and fuzzy matching suspicious filenames.
Affected Systems
- macOS
Attack Chain
The attack begins with SEO poisoning or compromised links leading the victim to download a deceptive .dmg file. Upon mounting the disk image, the user is presented with a social engineering lure—often a custom background image or misleading filename—instructing them to bypass Gatekeeper (e.g., right-click and open, or drag to terminal). Once executed, the infostealer rapidly harvests credentials, cookies, and crypto wallets, exfiltrating the data to a C2 server without attempting to establish persistence.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide explicit detection rules, but outlines a conceptual detection methodology using the macOS Endpoint Security API to monitor virtual mount events and inspect DMG contents.
Detection Engineering Assessment
- EDR Visibility: Medium. Requires an EDR sensor that subscribes to macOS Endpoint Security (ES) API mount events and exposes the mount disposition, so that virtual (disk image) mounts can be distinguished from physical and network volumes; not every platform surfaces this field out of the box.
- Network Visibility: Low. Infostealer C2 traffic is typically TLS-encrypted and uses rapidly rotating infrastructure, making network-based detection difficult without TLS inspection or timely domain intelligence.
- Detection Difficulty: Moderate. Catching the threat before execution requires 'shifting left': analyzing newly mounted volumes for hidden directories and lure filenames rather than relying solely on process execution telemetry, because the data theft completes within seconds once the payload runs.
Required Log Sources
- macOS Endpoint Security API (es_event_mount_t)
- File System Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| If you have visibility into macOS ES API events, consider hunting for 'mount' events whose disposition (es_mount_disposition_t) is 'VIRTUAL' and whose mounted volume contains a hidden '.background' directory. | macOS Endpoint Security API | Execution | Medium |
| Consider hunting for the execution of AppleScript files (.scpt), typically via osascript, originating from newly mounted volumes under /Volumes/. | Process Creation, File System Logs | Execution | Low |
| Search file system telemetry for files created in /Volumes/ with highly suspicious names like 'Drag into Terminal' or 'Open Gatekeeper friendly'. | File System Logs | Defense Evasion | Low |
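The following Python script is an added example of the pre-execution triage sketched in the Key Takeaways and in the filename hunting hypotheses above; it is not Huntress's detection code. It checks a mounted volume for a hidden .background directory, fuzzy-matches top-level filenames against Gatekeeper-bypass lure phrases, and flags script files posing as installers. The lure phrase list, the similarity threshold and the two sample volume layouts are assumptions constructed for the demonstration (the filenames in the malicious sample are the ones listed on this page); OCR of the background image is left out.

```python
"""Pre-execution triage of a mounted disk image (added example, not Huntress code).

Implements the 'shift left' idea from the page: inspect what a freshly mounted
.dmg contains before anything in it runs.  Lure phrases, threshold and sample
volume layouts are assumptions; OCR of the background image is omitted.
"""
from __future__ import annotations

import difflib
import re
import tempfile
from pathlib import Path

# Lure phrases: the two quoted on the page plus assumed common variants.
LURE_PHRASES = (
    "drag into terminal",
    "drag to terminal",
    "open gatekeeper friendly",
    "right click open",
)
FUZZY_THRESHOLD = 0.8  # assumed cut-off for difflib's similarity ratio

# Script types a legitimate vendor would not ship under a "Setup"/"Installer" name.
SCRIPT_EXTS = {".scpt", ".applescript", ".sh", ".command"}
INSTALLER_WORDS = re.compile(r"setup|install|update", re.I)


def _squash(text: str) -> str:
    """Lower-case and strip everything but letters/digits so that
    'DragintoTerminal.msi' and 'Drag into Terminal' compare as equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def best_lure_match(filename: str) -> tuple[str, float]:
    """Return the closest lure phrase and its similarity ratio for a file name."""
    stem = _squash(Path(filename).stem)
    scored = ((p, difflib.SequenceMatcher(None, stem, _squash(p)).ratio())
              for p in LURE_PHRASES)
    return max(scored, key=lambda s: s[1])


def triage_volume(volume: Path) -> dict:
    """Inspect the top level of a mounted volume; return findings and a verdict."""
    strong, weak = [], []
    if (volume / ".background").is_dir():
        # Many legitimate DMGs also ship a .background folder: weak signal alone.
        weak.append(".background directory present")
    for entry in sorted(volume.iterdir()):
        if entry.name.startswith("."):
            continue  # .DS_Store, .VolumeIcon.icns, .fseventsd and friends
        phrase, score = best_lure_match(entry.name)
        if score >= FUZZY_THRESHOLD:
            strong.append(f"{entry.name}: name matches lure '{phrase}' ({score:.2f})")
        if entry.suffix.lower() in SCRIPT_EXTS and INSTALLER_WORDS.search(entry.stem):
            strong.append(f"{entry.name}: script posing as an installer")
    if strong:
        verdict = "suspicious"
    elif weak:
        verdict = "weak-signal"
    else:
        verdict = "clean"
    return {"volume": str(volume), "verdict": verdict, "findings": strong + weak}


def build_sample_volume(root: Path, malicious: bool) -> Path:
    """Lay out a fake mounted volume on disk (constructed sample, not a real DMG)."""
    vol = root / ("Arc" if malicious else "VendorApp")
    (vol / ".background").mkdir(parents=True)
    (vol / ".background" / "background.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    if malicious:
        # File names taken from this page's IOC list; contents are placeholders.
        (vol / "DragintoTerminal.msi").write_text("placeholder\n")
        (vol / "ChromeSetup.scpt").write_text("-- placeholder AppleScript\n")
    else:
        (vol / "VendorApp.app").mkdir()
        (vol / "Applications").mkdir()  # stands in for the usual symlink
    return vol


def demo() -> dict:
    """Build both constructed samples in a temp dir and triage them."""
    root = Path(tempfile.mkdtemp(prefix="dmg-triage-"))
    return {
        "malicious": triage_volume(build_sample_volume(root, malicious=True)),
        "benign": triage_volume(build_sample_volume(root, malicious=False)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

On a real host the `volume` argument would be the mount point reported by the ES mount event (for example a path under /Volumes/), and the triage would run as soon as a virtual mount is observed. The benign sample deliberately carries a .background folder so that the output shows why that directory alone only earns a weak-signal verdict.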
Control Gaps
- Traditional AV/EDR tools that only scan upon process execution may miss the initial social engineering phase, allowing the rapid 'smash-and-grab' data theft to complete before the malicious process can be terminated.
Key Behavioral Indicators
- es_mount_disposition_t = VIRTUAL
- Presence of a .background folder in a mounted DMG
- AppleScript (.scpt) files masquerading as legitimate application installers
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- If a deceptive installer is flagged, consider immediately unmounting the suspicious disk image and halting any associated running processes.
- Evaluate whether affected users need immediate credential resets and session token revocations if execution is suspected.
Infrastructure Hardening
- Evaluate whether MDM policies can restrict the mounting of untrusted .dmg files or enforce strict Gatekeeper compliance without allowing user overrides.
- Consider implementing DNS filtering to block known SEO-poisoned domains and cracked-software distribution sites.
User Protection
- If supported by your endpoint management tools, consider restricting access to the Terminal application for non-developer users to prevent 'Drag to Terminal' bypasses.
Security Awareness
- Consider training users to recognize deceptive Gatekeeper bypass instructions (e.g., 'Right click -> Open', 'Drag to Terminal') as explicit red flags.
- Emphasize the risks of downloading software from unofficial sources, torrents, or search engine advertisements.
MITRE ATT&CK Mapping
- T1204.002 - User Execution: Malicious File
- T1553.001 - Subvert Trust Controls: Gatekeeper Bypass
- T1566.002 - Phishing: Spearphishing Link
- T1608.006 - Stage Capabilities: SEO Poisoning
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
- T1539 - Steal Web Session Cookie
Additional IOCs
- File Paths:
  /Volumes/*/.background/: hidden directory commonly used in malicious DMGs to store social engineering background images. Note that many legitimate vendor DMGs also ship a .background folder for their drag-to-Applications artwork, so treat its presence as a weak signal to be combined with lure filename matches or OCR of the image itself.