Competitors between stealers for macOS is heating up, with a brand new malvertising marketing campaign luring Mac customers through a fraudulent advert for Microsoft Groups. This assault comes on the heels of the brand new Poseidon (OSX.RodStealer) challenge, one other menace utilizing an identical code base and supply methods.
Primarily based on our monitoring, Microsoft Groups is as soon as once more a well-liked key phrase menace actors are bidding on, and it’s the first time we now have seen it utilized by Atomic Stealer. Communication instruments like Zoom, Webex or Slack have been traditionally coveted by criminals who bundle them as pretend installers laced with malware.
This newest malvertising marketing campaign was working for no less than a couple of days and used superior filtering methods that made it more durable to detect. As soon as we have been capable of reproduce a full malware supply chain, we instantly reported the advert to Google.
High search consequence for Microsoft Groups
We have been capable of reliably seek for and see the identical malicious advert for Microsoft Groups which was possible paid for by a compromised Google advert account. For a few days, we couldn’t see any malicious habits because the advert redirected straight to Microsoft’s web site. After quite a few makes an attempt and tweaks, we lastly noticed a full assault chain.
Regardless of displaying the microsoft.com URL within the advert’s show URL, it has nothing to do with Microsoft in any respect. The advertiser is situated in Hong Kong and runs near a thousand unrelated adverts.
Malicious redirect and payload
We confirmed the advert was certainly malicious by recording a community seize (see under). Every click on is first profiled (sensible[.]hyperlink) to make sure solely actual folks (not bots, VPNs) proceed, adopted by a cloaking area (voipfaqs[.]com) separating the preliminary redirect from the malicious touchdown (decoy) web page (teamsbusiness[.]org).
Victims land on a decoy web page displaying a button to obtain Groups. A request is made to a unique area (locallyhyped[.]com) the place a novel payload (file title and measurement) is generated for every customer.
As soon as the downloaded file MicrosoftTeams_v.(xx).dmg is mounted, customers are instructed to open it through a proper click on to be able to bypass Apple’s built-in safety mechanism for unsigned installers.
Within the video under, we present the steps required to put in this malicious utility, noting that you’re instructed to enter your password and grant entry to the file system. This may occasionally not come as uncommon for somebody wanting to put in a brand new program, however it’s precisely what Atomic Stealer must seize keychain passwords and essential recordsdata.
Following the info theft is the info exfiltration step, solely seen through a community packet assortment device. A single POST request is made to a distant internet server (147.45.43[.]136) with the info being encoded.
Mitigations
As cyber criminals ramp up their distribution campaigns, it turns into extra harmful to obtain functions through search engines like google and yahoo. Customers must navigate between malvertising (sponsored outcomes) and website positioning poisoning (compromised web sites).
To mitigate such dangers, we suggest utilizing browser safety instruments that may block adverts and malicious web sites. Typically instances, menace actors will depend on redirects from adverts or compromised networks that may be stopped earlier than even downloading a malicious installer.
Malwarebytes for Mac detects this menace as OSX.AtomStealer:
Indicators of Compromise
Cloaking area
voipfaqs[.]com
Decoy website
teamsbusiness[.]org
Obtain URL
locallyhyped[.]com/kurkum/script_66902619887998[.]92077775[.]php
Atomic Stealer payload
7120703c25575607c396391964814c0bd10811db47957750e11b97b9f3c36b5d
Atomic Stealer C2
147.45.43[.]136