A widespread, ongoing campaign is targeting macOS users by impersonating well-known brands to deliver information-stealing malware. These threat actors create fraudulent GitHub repositories that claim to offer legitimate software from various companies. To ensure these fake pages are easily found, the attackers rely on search engine optimization (SEO) techniques, causing their malicious links to appear at the top of search results and increasing the likelihood of a successful attack. Once a user clicks on the link, they are redirected to a site that delivers malware designed to steal sensitive data. This deceptive approach leverages the trust users have in both established brands and popular platforms like GitHub.
LastPass recently fell victim to this campaign, with attackers creating two GitHub sites impersonating the password management company. The fake repositories, posted by a user with a suspicious name, contained links that promised to install “LastPass on MacBook.” However, these links actually redirected users to a malicious page that instructed them to copy and paste a command into a terminal window. This command was a CURL request that downloaded a malicious payload to the computer’s temporary directory. This method highlights the attacker’s use of social engineering to convince users to take actions that compromise their own security.
The payload delivered in this attack was the Atomic macOS Stealer (AMOS), a notorious information stealer that has been active since 2023. AMOS is capable of stealing a wide range of sensitive data from an infected computer. LastPass researchers have also observed these same threat actors impersonating a variety of other businesses, including financial institutions, other password managers, technology companies, and even cryptocurrency wallets. The attackers are versatile, adapting their targets to maximize their potential for success and profit.
To avoid detection and maintain the longevity of their campaign, the threat actors use multiple GitHub usernames to create their fake pages. These pages often follow a similar naming pattern that combines the targeted company’s name with Mac-related terminology, making them seem more legitimate to unsuspecting users. This pattern has been observed in attacks dating back to at least July, when another security researcher warned about a similar campaign targeting Homebrew users. These attacks, which delivered malicious payloads in the background while installing the official application, show a clear strategy of exploiting user trust in both Google Ads and GitHub to hide their malicious activity.
This ongoing campaign underscores the importance of exercising caution when downloading software, even from seemingly trustworthy sources. The attackers are not only impersonating brands but also using search engine optimization to boost their malicious links. Users should be vigilant, carefully scrutinizing URLs and sources before downloading any software or executing commands. Sticking to official app stores or a company’s verified website for downloads is the best way to avoid falling victim to these types of sophisticated and widespread attacks.
Reference:
