Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware

Cyber Security Threat Summary:
“A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called Atomic Stealer (or AMOS), indicating that it's being actively maintained by its author. An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users. Malvertising via Google Ads has been observed as the primary distribution vector in which users searching for popular software, legitimate or cracked, on search engines are shown bogus ads that direct to websites hosting rogue installers. The latest campaign involves the use of a fraudulent website for TradingView, prominently featuring three buttons to download the software for Windows, macOS, and Linux operating systems” (The Hacker News, 2023).

Security Officer Comments:
Malwarebytes researchers observed the Atomic Stealer payload bundled in an ad-hoc signed app, a signature with no developer identity behind it and therefore nothing for Apple to revoke. Once executed, the payload prompts the user for the system password in a never-ending loop until the victim gives in and enters their credentials. From there, the stealer exfiltrates data from the victim’s system, including passwords, cookies, and auto-fill information stored in browsers, to an actor-controlled server.

The latest campaign also appears to target Windows and Linux users: researchers note that the Windows and Linux download buttons on the fake TradingView website point to an MSIX installer hosted on Discord, which drops NetSupport RAT and gives the threat actors remote access to victims’ systems.

Suggested Correction(s):
In general, users should avoid clicking sponsored ads that appear at the top of Google search results, since threat actors can easily purchase these placements to promote sites hosting malicious payloads. When downloading software, users should also ensure it comes from a reputable source, such as the vendor’s official site, and not from third-party sites, which are a common route to malware infection. Software should also be scanned by anti-virus solutions for malicious executables prior to installation.
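The ad-hoc signature noted in the Security Officer Comments is something a user or help-desk analyst can check for themselves before installing a downloaded app, which fits the "verify before you install" advice above. The script below is an added example written for this summary; it is not code from the original post, from Malwarebytes or from The Hacker News. It assumes it runs on macOS where `codesign`, `spctl` and `xattr` exist, and it parses the output of `codesign -dv --verbose=4`, which reports `Signature=adhoc` and `TeamIdentifier=not set` for an ad-hoc signed bundle and an `Authority=Developer ID Application: …` line for an app signed with a real Developer ID. The sample `codesign` output embedded at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example for triaging a downloaded .app before installation (macOS).
# Not part of the original post. Assumes macOS tools codesign/spctl/xattr exist
# when check_app is used; classify_signature itself only needs grep.

# classify_signature: read `codesign -dv --verbose=4` text on stdin and print
# one of: unsigned | adhoc | developer-id | other-signed
classify_signature() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'code object is not signed'; then
        echo unsigned
    elif printf '%s\n' "$out" | grep -q '^Signature=adhoc'; then
        echo adhoc
    elif printf '%s\n' "$out" | grep -q '^Authority=Developer ID Application'; then
        echo developer-id
    else
        echo other-signed
    fi
}

# check_app PATH: run the real tools on a downloaded bundle and print a verdict.
# An ad-hoc or missing signature means no accountable developer identity and
# nothing Apple could revoke, so the download should be treated as untrusted.
check_app() {
    app=$1
    verdict=$(codesign -dv --verbose=4 "$app" 2>&1 | classify_signature)
    echo "$app: signature=$verdict"
    case $verdict in
        adhoc|unsigned)
            echo "  WARNING: no developer identity behind this bundle; do not install from an untrusted download" ;;
    esac
    # Gatekeeper's own assessment (notarization and revocation checks)
    spctl --assess --type execute -v "$app" 2>&1 | sed 's/^/  spctl: /'
    # The quarantine attribute confirms the bundle arrived via a browser download
    if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
        echo "  quarantine attribute present (downloaded file)"
    fi
}

# Constructed sample of codesign output for an ad-hoc signed bundle (illustrative,
# not captured from real malware).
SAMPLE_ADHOC='Executable=/Users/me/Downloads/Example.app/Contents/MacOS/Example
Identifier=Example
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+5 location=embedded
Signature=adhoc
Info.plist entries=20
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=40
Internal requirements count=0 size=12'

# Usage: sh check_app.sh /path/to/Downloaded.app
# With no argument, only the offline classification of the sample is shown.
if [ "$#" -gt 0 ]; then
    check_app "$1"
else
    echo "sample bundle classified as: $(printf '%s\n' "$SAMPLE_ADHOC" | classify_signature)"
fi
```

An `adhoc` or `unsigned` verdict on something fetched from a search-result ad is exactly the pattern described above; a `developer-id` verdict together with a clean `spctl` assessment is what a legitimate vendor download normally produces.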