Security researchers at LastPass have identified a new brand impersonation campaign in which threat actors are attempting to infect macOS devices with an infostealer.
The attackers are distributing the malware using fraudulent GitHub repositories that claim to provide various macOS software, including 1Password, Dropbox, Gemini, Hootsuite, Salesloft, SentinelOne, Shopify, and more. Once a victim clicks the link to download an allegedly legitimate macOS tool, they are redirected to a malware download.
“In the case of LastPass, the fraudulent repositories redirected potential victims to a repository that downloads the Atomic infostealer malware,” said researchers Alex Cox, Mike Kosak, and Stephanie Schneider from the LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team.
The Atomic infostealer, also known as AMOS, is a malware-as-a-service operation that gives attackers persistent, stealthy access to any data stored on infected machines.
Beyond their own company, LastPass has observed the threat actors impersonating over 100 other brands, including technology companies, financial institutions, cryptocurrency wallets, and other businesses providing software for macOS.
The threat actors are also using Search Engine Optimization (SEO) tactics to boost the rankings of their malicious repositories in Bing and Google search pages, enabling them to reach more potential victims.

The two fraudulent sites impersonating LastPass have now been taken down, and LastPass’ TIME team is continuing to monitor the campaign.
What To Look Out For
In this campaign, the threat actors are exploiting users’ trust in GitHub, Google Ads, and recognized macOS software providers. Although the LastPass team are continuing to report fake repositories to GitHub, it’s relatively easy for attackers to create new ones under new accounts.
To avoid falling for one of these attacks, users should check the official vendor’s website to make sure it offers a version compatible with macOS. If none is listed there, it’s likely that any unofficial variants are fraudulent and potentially malicious. When installing macOS ports, users should make sure they come from a reputable provider that has been vetted and reviewed by the community.
Finally, avoid running commands on your system that you don’t fully understand. If in doubt, speak to another member of your team who might be able to direct you to a legitimate source for the download you need.