Threat actors are once again abusing Google Ads to distribute malware. This time they have set up a counterfeit Homebrew website that targets Mac and Linux users with an infostealer built to harvest credentials, browser data, and cryptocurrency wallets. The campaign was first flagged by Ryan Chenkie, who posted a warning about it on X. The infostealer involved, AmosStealer (also known as 'Atomic'), is built for macOS and is sold to cybercriminals as a subscription costing $1,000 per month. It has recently appeared in other malvertising campaigns as well, including ones using fake Google Meet pages, which points to its wide adoption among attackers going after Apple users.
Beware Fake Homebrew Sites
Homebrew is a widely used open-source package manager for macOS and Linux that lets users install and manage software from the command line. The attackers are capitalizing on its popularity by placing Google ads that display the legitimate Homebrew URL, "brew.sh", but redirect anyone who clicks to a look-alike site at "brewe.sh". Showing one URL in the ad and landing on another is a common malvertising tactic, and a one-letter typosquat is easy to miss. The fake page mimics the real one: it tells visitors to install Homebrew by pasting a command into the macOS Terminal or a Linux shell. The genuine installer is also a single command that downloads a script and runs it, so the only visible difference is the domain the script is fetched from; on the fake site, that command downloads and executes the malware instead. Security researcher JAMESWT confirmed that the payload is the Amos stealer, which targets more than 50 cryptocurrency browser extensions and steals data from desktop wallets and web browsers. Mike McQuaid, Homebrew's project leader, said he was aware of the campaign but that the team has little power to stop it, and criticized Google's ad vetting: “There's little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers.” The ad has since been taken down, but McQuaid stressed that the threat persists, since the same campaign can reappear behind a different redirect domain.
Persistent Challenge of Malicious Ads
Unfortunately, malicious advertisements remain a persistent problem in Google Search results. Attackers frequently take over legitimate Google Ads accounts, so an ad that appears to come from an established business is no guarantee of safety. To avoid infection, treat the URL shown in an ad as untrusted: after clicking, check the domain in the browser's address bar against the project's real one before entering credentials or pasting an install command, and prefer downloading an install script and reading it over piping it straight into a shell. Bookmarking the official sites of projects you use regularly removes the need to search for them, and with it the exposure to poisoned ads.
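The two points above (a one-letter typosquat of brew.sh behind a redirect, and an install one-liner that runs whatever the site serves) can be turned into a small pre-flight check. The script below is an added example, not code from the article or from the Homebrew project. It extracts the host from an install URL, accepts only exact matches against an allowlist, flags near-misses such as brewe.sh as look-alikes, and downloads a vetted script to a file for reading rather than piping it into a shell. The inclusion of raw.githubusercontent.com in the allowlist and the sample URLs in the loop are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article or the Homebrew project): vet the host of an
# install one-liner before running it, and download the script for inspection
# instead of piping it straight into a shell.

# Hosts an official Homebrew install is expected to come from. brew.sh is the
# official site named in the article; raw.githubusercontent.com is an assumption
# added here because the real install script is hosted on GitHub.
ALLOWED_HOSTS="brew.sh raw.githubusercontent.com"

# url_host URL: print the lowercase host, stripping scheme, userinfo, port and path.
# Stripping userinfo matters: https://brew.sh@evil.example/ is served by evil.example.
url_host() {
    printf '%s\n' "$1" | sed -E 's|^[A-Za-z][A-Za-z0-9+.-]*://||; s|^[^/@]*@||; s|[/?#].*$||; s|:[0-9]*$||' | tr 'A-Z' 'a-z'
}

# host_allowed HOST: succeed only on an exact allowlist match (no substring matching).
host_allowed() {
    for allowed in $ALLOWED_HOSTS; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# lev A B: print the Levenshtein edit distance between two strings (awk implementation).
lev() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = length(a); m = length(b)
        for (i = 0; i <= n; i++) d[i, 0] = i
        for (j = 0; j <= m; j++) d[0, j] = j
        for (i = 1; i <= n; i++)
            for (j = 1; j <= m; j++) {
                cost = (substr(a, i, 1) == substr(b, j, 1)) ? 0 : 1
                x = d[i-1, j] + 1; y = d[i, j-1] + 1; z = d[i-1, j-1] + cost
                d[i, j] = (x < y) ? ((x < z) ? x : z) : ((y < z) ? y : z)
            }
        print d[n, m]
    }'
}

# vet_install_url URL: 0 = host allowlisted, 2 = near-miss of an allowlisted host
# (typosquat such as brewe.sh vs brew.sh), 1 = unrelated host.
vet_install_url() {
    vet_host=$(url_host "$1")
    if host_allowed "$vet_host"; then
        echo "allowed: $vet_host"
        return 0
    fi
    for allowed in $ALLOWED_HOSTS; do
        if [ "$(lev "$vet_host" "$allowed")" -le 2 ]; then
            echo "LOOKALIKE of $allowed: $vet_host"
            return 2
        fi
    done
    echo "unknown host: $vet_host"
    return 1
}

# fetch_for_review URL: only after vetting, download the installer to a file so it
# can be read before it is executed. Never performs the execution itself.
fetch_for_review() {
    vet_install_url "$1" >/dev/null || return $?
    out=$(mktemp) || return 1
    curl -fsSL -o "$out" "$1" || return 1
    echo "saved to $out; read it, then run it with: /bin/bash $out"
}

# Constructed sample URLs: the official site named in the article, the redirect
# domain it reports, and a userinfo trick added here for illustration.
for u in 'https://brew.sh/' 'https://brewe.sh/' 'https://brew.sh@evil.example/install.sh'; do
    vet_install_url "$u" || true
done
```

The allowlist match is deliberately exact: substring or prefix matching would accept hosts such as brew.sh.attacker.example. The edit-distance threshold of 2 is a heuristic for catching single-character typosquats like the one in this campaign; anything further away is simply reported as an unknown host and still blocked.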