09-14-2023, 04:23 AM
AppleInsider - Malicious Google ads deceive Mac users into installing Atomic Stealer
<div style="margin: 5px 5% 10px 5%;"><img src="https://www.sickgaming.net/blog/wp-content/uploads/2023/09/malicious-google-ads-deceive-mac-users-into-installing-atomic-stealer-malware.jpg" width="1312" height="738" title="" alt="" /></div><div><div class="col-sm-12" id="article-hero" aria-labelledby="hero-cap" role="figure">
<p id="hero-cap" class="hero-caption" title="Google search can turn up malicious ads">Google search can turn up malicious ads</p>
<p> <a href="https://www.sickgaming.net/blog/wp-content/uploads/2023/09/malicious-google-ads-deceive-mac-users-into-installing-atomic-stealer-malware.jpg"> <img decoding="async" src="https://www.sickgaming.net/blog/wp-content/uploads/2023/09/malicious-google-ads-deceive-mac-users-into-installing-atomic-stealer-malware.jpg" alt> </a> </div>
<p class="col-sm-12 article-lead">A macOS malware discovered in April has found a new vector of attack, with people searching for software on Google finding malware presented as legitimate ads.
</p>
<div class="col-sm-12">
<p>The malware payload known as Atomic macOS Stealer (AMOS) first appeared <a href="https://appleinsider.com/articles/23/04/28/new-malware-targeting-macos-users-is-being-sold-on-telegram"> in April</a> being sold on Telegram for $1,000 per month. Once installed, it collects the user’s system password via aggressive pop-ups and then siphons off sensitive data like passwords, crypto, and files.
</p>
</div>
<div class="col-sm-12">
<p>According to <a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising">a report</a> from researchers at Malwarebytes, AMOS is being delivered via a Google ad scheme to unsuspecting searchers. The ads are legitimate and paid for but disguise themselves as the website or software the user is searching for.
</p>
</div>
<div class="col-sm-12">
<p>This attack relies on users’ trust in Google when clicking on ad search results. It appears at the top of the page and has Google’s ad stamp of approval, so users click through without inspecting for suspicious URLs or domain owners.
</p>
</div>
<div class="col-sm-12">
<p>Once the user clicks the link, they are presented with a normal-looking page. The attackers create a near-perfect clone of the website users expect, so they click through and download the software.
</p>
</div>
<div class="col-sm-12">
<p>AMOS doesn’t need to go through the normal installation process through Gatekeeper since it is an ad-hoc signed app. Users are directed to right-click and open the software from the mounted .dmg file.
</p>
</div>
<div class="col-sm-12">
<p>After the file is opened, a fake prompt for the system password keeps popping up until the user relents and enters their password. It then harvests what data it can from the user’s Keychain, file system, and crypto wallets and sends it to the malware operator.
</p>
</div>
<div class="col-sm-12">
<div class="align-center"><a href="https://www.sickgaming.net/blog/wp-content/uploads/2023/09/malicious-google-ads-deceive-mac-users-into-installing-atomic-stealer-malware-1.jpg" target="_blank" rel="noopener"><img decoding="async" src="https://www.sickgaming.net/blog/wp-content/uploads/2023/09/malicious-google-ads-deceive-mac-users-into-installing-atomic-stealer-malware-1.jpg" alt="A disguised malware delivery page. Source: Malwarebytes" height="738" loading="lazy" class="img-responsive article-image"></a>
</div>
<p><span class="carousel-caption">A disguised malware delivery page. Source: Malwarebytes</span></p>
</div>
<p><h2 data-anchor="how-to-protect-yourself-from-amos" id="how-to-protect-yourself-from-amos">How to protect yourself from AMOS</h2>
</p>
<div class="col-sm-12">
<p>Google isn’t a foolproof tool. It delivers information based on the user’s account data and keywords, and malicious ads aren’t always going to get caught on review.
</p>
</div>
<div class="col-sm-12">
<p>The number one security rule of the internet is paying attention to the URL. In the example given by Malwarebytes, the URL is trabingviews.com.
</p>
</div>
<div class="col-sm-12">
<p>Users should exercise caution whenever they choose to download software from the web. The Mac <a href="https://appleinsider.com/inside/app-store" title="App Store" data-kpt="1">App Store</a> is the safest route for <a href="https://appleinsider.com/inside/mac" title="Mac" data-kpt="1">Mac</a> users, but that won’t always be an option.
</p>
</div>
<div class="col-sm-12">
<p>Pay attention to Google’s results, the URL you’re directed to, and the software installer itself. Be wary of how the software asks to be installed. Most software shouldn’t ask the user to bypass Gatekeeper.
</p>
</div>
<div class="col-sm-12">
<p>A potential red-flag is software that demands the user open the app in place, on the installer image. As a general rule, it should ask the user to drag the installed app to the Finder.
</p>
</div>
<div class="col-sm-12">
<p>Also, be wary of random requests for the system password, especially right after installing new software. Inspect the dialog for design irregularities or typos.</p>
</div>
</div>
https://www.sickgaming.net/blog/2023/09/...r-malware/
<div style="margin: 5px 5% 10px 5%;"><img src="https://www.sickgaming.net/blog/wp-content/uploads/2023/09/malicious-google-ads-deceive-mac-users-into-installing-atomic-stealer-malware.jpg" width="1312" height="738" title="" alt="" /></div><div><div class="col-sm-12" id="article-hero" aria-labelledby="hero-cap" role="figure">
<p id="hero-cap" class="hero-caption" title="Google search can turn up malicious ads">Google search can turn up malicious ads</p>
<p> <a href="https://www.sickgaming.net/blog/wp-content/uploads/2023/09/malicious-google-ads-deceive-mac-users-into-installing-atomic-stealer-malware.jpg"> <img decoding="async" src="https://www.sickgaming.net/blog/wp-content/uploads/2023/09/malicious-google-ads-deceive-mac-users-into-installing-atomic-stealer-malware.jpg" alt> </a> </div>
<p class="col-sm-12 article-lead">A macOS malware discovered in April has found a new vector of attack, with people searching for software on Google finding malware presented as legitimate ads.
</p>
<div class="col-sm-12">
<p>The malware payload known as Atomic macOS Stealer (AMOS) first appeared <a href="https://appleinsider.com/articles/23/04/28/new-malware-targeting-macos-users-is-being-sold-on-telegram"> in April</a> being sold on Telegram for $1,000 per month. Once installed, it collects the user’s system password via aggressive pop-ups and then siphons off sensitive data like passwords, crypto, and files.
</p>
</div>
<div class="col-sm-12">
<p>According to <a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising">a report</a> from researchers at Malwarebytes, AMOS is being delivered via a Google ad scheme to unsuspecting searchers. The ads are legitimate and paid for but disguise themselves as the website or software the user is searching for.
</p>
</div>
<div class="col-sm-12">
<p>This attack relies on users’ trust in Google when clicking on ad search results. It appears at the top of the page and has Google’s ad stamp of approval, so users click through without inspecting for suspicious URLs or domain owners.
</p>
</div>
<div class="col-sm-12">
<p>Once the user clicks the link, they are presented with a normal-looking page. The attackers create a near-perfect clone of the website users expect, so they click through and download the software.
</p>
</div>
<div class="col-sm-12">
<p>AMOS doesn’t need to go through the normal installation process through Gatekeeper since it is an ad-hoc signed app. Users are directed to right-click and open the software from the mounted .dmg file.
</p>
</div>
<div class="col-sm-12">
<p>After the file is opened, a fake prompt for the system password keeps popping up until the user relents and enters their password. It then harvests what data it can from the user’s Keychain, file system, and crypto wallets and sends it to the malware operator.
</p>
</div>
<div class="col-sm-12">
<div class="align-center"><a href="https://www.sickgaming.net/blog/wp-content/uploads/2023/09/malicious-google-ads-deceive-mac-users-into-installing-atomic-stealer-malware-1.jpg" target="_blank" rel="noopener"><img decoding="async" src="https://www.sickgaming.net/blog/wp-content/uploads/2023/09/malicious-google-ads-deceive-mac-users-into-installing-atomic-stealer-malware-1.jpg" alt="A disguised malware delivery page. Source: Malwarebytes" height="738" loading="lazy" class="img-responsive article-image"></a>
</div>
<p><span class="carousel-caption">A disguised malware delivery page. Source: Malwarebytes</span></p>
</div>
<p><h2 data-anchor="how-to-protect-yourself-from-amos" id="how-to-protect-yourself-from-amos">How to protect yourself from AMOS</h2>
</p>
<div class="col-sm-12">
<p>Google isn’t a foolproof tool. It delivers information based on the user’s account data and keywords, and malicious ads aren’t always going to get caught on review.
</p>
</div>
<div class="col-sm-12">
<p>The number one security rule of the internet is paying attention to the URL. In the example given by Malwarebytes, the URL is trabingviews.com.
</p>
</div>
<div class="col-sm-12">
<p>Users should exercise caution whenever they choose to download software from the web. The Mac <a href="https://appleinsider.com/inside/app-store" title="App Store" data-kpt="1">App Store</a> is the safest route for <a href="https://appleinsider.com/inside/mac" title="Mac" data-kpt="1">Mac</a> users, but that won’t always be an option.
</p>
</div>
<div class="col-sm-12">
<p>Pay attention to Google’s results, the URL you’re directed to, and the software installer itself. Be wary of how the software asks to be installed. Most software shouldn’t ask the user to bypass Gatekeeper.
</p>
</div>
<div class="col-sm-12">
<p>A potential red-flag is software that demands the user open the app in place, on the installer image. As a general rule, it should ask the user to drag the installed app to the Finder.
</p>
</div>
<div class="col-sm-12">
<p>Also, be wary of random requests for the system password, especially right after installing new software. Inspect the dialog for design irregularities or typos.</p>
</div>
</div>
https://www.sickgaming.net/blog/2023/09/...r-malware/