AmosStealer, also called 'Atomic,' is a sophisticated infostealer targeting macOS systems, sold to cybercriminals for $1,000 per month, designed to steal credentials and sensitive data.
Hackers have once again taken advantage of Google ads to spread malware, this time by using a fake Homebrew website to infect Mac and Linux users with an infostealer that targets sensitive data such as credentials, browser details, and cryptocurrency wallets. The malicious campaign was uncovered by security researcher Ryan Chenkie, who warned users about the risk of malware infection through malicious sponsored ads.
The malware, identified as AmosStealer (also known as 'Atomic'), is a powerful infostealer designed for macOS systems. It is sold to cybercriminals on a subscription basis for $1,000 per month. AmosStealer has recently gained traction among cybercriminals targeting Apple users and has been seen in other malvertising campaigns, including those promoting fake Google Meet pages.
The attack explained
Homebrew, a popular open-source package manager for macOS and Linux, is widely trusted by users to manage software installations. In the latest attack, a deceptive Google ad appeared to link to the legitimate Homebrew website, “brew.sh.” However, the ad redirected users to a fake website hosted at “brewe.sh,” a URL designed to closely resemble the real site.
Upon visiting the fraudulent website, users were prompted to paste a command into their terminal to install Homebrew. The lure is credible because the legitimate Homebrew site instructs users to install the same way, with a one-line command pasted into a shell; the difference is that the command on the fake site downloaded and ran AmosStealer instead of the Homebrew installer. The malware targets over 50 cryptocurrency browser extensions, desktop wallets, and data stored in web browsers.
Security researcher JAMESWT confirmed that the payload served by the fake site is AmosStealer, with the sample available on VirusTotal.
Persistent threat of malvertisements
While the malicious ad has been removed, the threat persists as attackers may continue using other redirection domains. Mike McQuaid, the project leader for Homebrew, criticized Google for its continued failure to prevent such scams. In a tweet, McQuaid noted that this issue has occurred repeatedly and urged Google to take stronger action against scammers.
To protect against similar attacks, users are advised to verify the legitimacy of any website before entering sensitive information or downloading software: check that the address bar shows the project's official domain exactly (here, "brew.sh" and not "brewe.sh"), and read any install command before pasting it into a terminal, paying attention to which hosts it downloads from. A safer approach is to bookmark official project websites and avoid clicking on sponsored ads in search results.
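The check above can be automated for the specific trick used in this campaign: a copy-pasted "curl ... | bash" one-liner that downloads from a lookalike host. The script below is an added example, not code from the article or from the Homebrew project. It pulls every URL host out of a command string, compares each one exactly against an allow-list, and reports rejected hosts that are one character away from an allowed one (as "brewe.sh" is from "brew.sh"). The allow-list and the sample commands are assumptions constructed for the example; the official Homebrew install command is not quoted from the page.

```shell
#!/bin/sh
# Added example (not from the article): vet a copy-pasted install one-liner
# before running it. Hosts are compared exactly, so a typosquat such as
# "brewe.sh" does not pass for "brew.sh".

# Assumed allow-list: hosts a genuine Homebrew installer would be expected to use.
ALLOWED_HOSTS="brew.sh raw.githubusercontent.com github.com"

# Print the lowercase hostname of every URL in the command text, one per line.
extract_hosts() {
    printf '%s\n' "$1" \
      | grep -oE "https?://[^/\"' )]+" \
      | sed -E 's#^https?://##; s#:[0-9]+$##' \
      | tr 'A-Z' 'a-z' \
      | sort -u
}

# Return 0 if deleting any single character from $1 yields $2
# (e.g. brewe.sh -> brew.sh); used to flag likely typosquats.
one_deletion_away() {
    s="$1"; t="$2"; n=${#s}; i=1
    while [ "$i" -le "$n" ]; do
        if [ "$i" -gt 1 ]; then
            pre=$(printf '%s' "$s" | cut -c1-$((i-1)))
        else
            pre=""
        fi
        post=$(printf '%s' "$s" | cut -c$((i+1))-)
        [ "$pre$post" = "$t" ] && return 0
        i=$((i+1))
    done
    return 1
}

# Return 0 if every host in the command is on the allow-list, 1 otherwise.
# Prints one line per host so the user sees exactly where the command downloads from.
check_install_command() {
    cmd="$1"
    hosts=$(extract_hosts "$cmd")
    if [ -z "$hosts" ]; then
        echo "REJECT   no URL found in command"
        return 1
    fi
    status=0
    for h in $hosts; do
        ok=0
        for a in $ALLOWED_HOSTS; do
            [ "$h" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 1 ]; then
            echo "OK       $h"
        else
            echo "REJECT   $h (not in allow-list)"
            for a in $ALLOWED_HOSTS; do
                one_deletion_away "$h" "$a" \
                  && echo "         $h is one character away from $a: likely typosquat"
            done
            status=1
        fi
    done
    return $status
}

# Usage: sh vet_install.sh '<the one-liner you were told to paste>'
# Exit status 0 means every download host was on the allow-list.
if [ -n "${1-}" ]; then
    check_install_command "$1"
fi
```

Run it with the pasted command as a single quoted argument; for a constructed lookalike such as `'/bin/bash -c "$(curl -fsSL https://brewe.sh/install.sh)"'` it prints a REJECT line, notes that brewe.sh is one character from brew.sh, and exits nonzero. Exact host matching is deliberate: substring or "ends with" checks would let `brew.sh.example.com` or `notbrew.sh` through.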