- Hackers seen running malvertising campaign promoting a fake Homebrew package
- Victims were targeted with AMOS, a powerful infostealer
- Campaign has since been taken down, but users should still be on guard
Mac users are once again being targeted with powerful malware as hackers try to steal their login information, sensitive data, and cryptocurrencies.
Software developer Ryan Chenkie spotted the malicious campaign on Google, noting threat actors have been running malicious advertising campaigns on Google’s network promoting a fake version of Homebrew, an open source package manager for macOS and Linux.
“Developers, please be careful when installing Homebrew,” he said. “Google is serving sponsored links to a Homebrew site clone that has a cURL command to malware. The URL for this site is one letter different than the official site.”
Grabbing AMOS
The ad being served on Google shows the right Homebrew URL - brew.sh. However, once a victim clicks, they get redirected to brewe.sh, a site with an extra “e” letter at the end. It’s a common typosquatting technique often seen not just in malvertising, but in other forms of cyberattacks, as well.
Victims who don’t spot the trick are prompted to install Homebrew, by pasting a command shown in the macOS Terminal, or a Linux shell prompt, not unlike what the legitimate Homebrew site does.
But instead of getting the actual software, victims will be served AMOS, a popular infostealer that grabs people’s passwords, browser data, cryptocurrency information, and more. Security researchers have been warning about AMOS (AKA Atomic) for months now, saying the tool is being offered in a subscription model for $1,000 a month.
Soon after Chenkie posted his warning, Homebrew’s Project Leader, Mike McQuaid, replied, saying the campaign has already been taken down, but also voiced his concerns about repeating offenses: “This seems taken down now. There's little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers,” he said. “Please signal-boost this and hopefully someone at Google will fix this for good.”
Via BleepingComputer
You might also like
- Windows admins targeted with clever malvertising scam
- Here's a list of the best antivirus tools on offer
- These are the best endpoint protection tools right now
