Atomic Stealer: How This Potent Mac Malware Infects Your System

Summary
– Search engine ads are impersonating legitimate online services to distribute malware targeting Mac users, with LastPass being the latest reported victim.
– These fraudulent ads appeared at the top of search results on platforms like Google and Bing and directed users to fake GitHub pages.
– The malicious links claimed to install the LastPass macOS application but instead installed a credential stealer known as Atomic Stealer (or Amos Stealer).
– LastPass issued a warning about this campaign and is actively working on takedown efforts while sharing indicators of compromise.
– The campaign impersonates many other well-known brands, including 1Password, Dropbox, and Shopify, using similar deceptive ad tactics.

A sophisticated malware campaign is using fraudulent search engine ads to impersonate popular software and target Mac users with a dangerous information-stealing program. Security researchers have identified a widespread threat where malicious advertisements, appearing at the top of search results on platforms like Google and Bing, are designed to trick individuals into downloading a potent credential harvester known as Atomic Stealer. This malware, also referred to as Amos Stealer, poses a significant risk to personal data and system security.
The password management service LastPass recently confirmed it was a prime target in this scheme. The company detected a coordinated effort where attackers used search engine optimization techniques to place deceptive ads for LastPass macOS applications. These ads directed unsuspecting users to counterfeit GitHub pages that have since been removed. Instead of installing the legitimate password manager, the provided links deployed Atomic Stealer onto the victim’s MacBook, compromising sensitive information.
LastPass issued a statement explaining its motivation for going public with the threat. The company aims to raise customer awareness and support broader security efforts by sharing critical indicators of compromise. This information helps other security teams identify and neutralize similar cyber threats more effectively.
The scope of this malicious advertising campaign extends far beyond a single brand. The list of impersonated software and services is extensive, including high-profile names like 1Password, Basecamp, Dropbox, and Gemini. Other targets are Hootsuite, Notion, Obsidian, Robinhood, Salesloft, SentinelOne, Shopify, Thunderbird, and TweetDeck. The fraudulent ads typically display the software name in prominent, attention-grabbing fonts. A click leads not to an official download, but to a GitHub repository hosting a malicious version of Atomic Stealer cleverly disguised as the authentic application the user sought.
(Source: Ars Technica)