
Deceptive Malware Ad Campaign Targets MacOS Users


A recent malvertising campaign has been identified targeting Mac users searching for Microsoft Teams, indicating growing competition among malware authors in the macOS ecosystem. The attack, which delivers the Atomic Stealer malware, closely follows the Poseidon (OSX.RodStealer) project and shows how quickly the threats facing macOS users continue to evolve.

The deceptive ad campaign, which lasted several days, utilized sophisticated filtering techniques to avoid detection. The malicious ad appeared as a top search result for Microsoft Teams and displayed a microsoft.com URL, but in reality, it redirected users through a series of misleading links.

It is believed that a compromised Google ad account was used to pay for the ad. The ad initially redirected straight to Microsoft’s official website and only later evolved into a full attack chain. Researchers from Malwarebytes found that clicking the ad subjected visitors to a profiling step intended to ensure that only real users proceeded further, a filter that helps the malicious site evade automated security tools and scanners. A cloaking domain was then used to separate the initial redirect from the malicious landing page, which was designed to mimic the official Microsoft Teams download site.

The ad itself proved to be malicious, with the display URL showing Microsoft.com but leading to a fake installation page. The advertiser, based in Hong Kong, operates over a thousand unrelated ads, and a unique payload for each visitor was generated from a domain named locallyhyped.com.

Upon opening the downloaded file, users were prompted to enter their password and grant access to the file system, enabling the malicious application to steal keychain passwords and critical files. The stolen data was then exfiltrated via a single POST request to a remote server controlled by the attacker.
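A defender can look for the sequence just described (an installer fetched from an unexpected host, then one large POST to another unknown host shortly afterwards) in web-proxy logs. The script below is an added example written for this page, not tooling from Malwarebytes or the article; the log format, hostnames, sizes and the 15-minute window are constructed assumptions.

```python
"""Flag an installer download followed by a single large POST in a constructed
proxy log.  Added example; not tooling from Malwarebytes or the article."""
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp client method host path bytes_out"
SAMPLE_LOG = """\
2024-07-25T10:00:05 10.0.0.7 GET www.microsoft.com /microsoft-teams/download-app 0
2024-07-25T10:00:09 10.0.0.7 GET teams-download.example /MicrosoftTeams.dmg 0
2024-07-25T10:03:41 10.0.0.7 POST collect.example /contact 2310044
2024-07-25T10:05:00 10.0.0.8 POST login.microsoftonline.com /common/oauth2/token 1187
2024-07-25T10:07:12 10.0.0.7 GET www.apple.com / 0
"""

# Placeholder allowlist of hosts where installers and large uploads are expected.
TRUSTED_HOSTS = {"www.microsoft.com", "login.microsoftonline.com", "www.apple.com"}
INSTALLER_SUFFIXES = (".dmg", ".pkg", ".zip")
WINDOW = timedelta(minutes=15)   # download-to-upload gap worth correlating
EXFIL_BYTES = 1_000_000          # one POST this large to a new host is unusual


def parse_log(text):
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, client, method, host, path, bytes_out = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "host": host, "path": path,
                       "bytes_out": int(bytes_out)})
    return events


def find_exfil_candidates(events):
    """One alert per client that fetched an installer from an untrusted host
    and then sent a large POST to another untrusted host within WINDOW."""
    alerts = []
    last_download = {}  # client -> most recent untrusted installer download
    for ev in sorted(events, key=lambda e: e["ts"]):
        untrusted = ev["host"] not in TRUSTED_HOSTS
        if ev["method"] == "GET" and untrusted and \
                ev["path"].lower().endswith(INSTALLER_SUFFIXES):
            last_download[ev["client"]] = ev
            continue
        dl = last_download.get(ev["client"])
        if (dl and untrusted and ev["method"] == "POST"
                and ev["bytes_out"] >= EXFIL_BYTES
                and ev["ts"] - dl["ts"] <= WINDOW):
            alerts.append({"client": ev["client"],
                           "installer": dl["host"] + dl["path"],
                           "post_host": ev["host"], "bytes_out": ev["bytes_out"]})
            del last_download[ev["client"]]  # one alert per download
    return alerts
```

On the sample log only the 10.0.0.7 download-then-upload pair is reported; the small POST from 10.0.0.8 to a trusted identity endpoint is not.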

In light of this sophisticated attack, researchers advise Mac users to exercise caution when downloading applications via search engines. Malvertising and SEO poisoning attacks can have severe consequences, emphasizing the need for browser protection tools that can block ads and malicious websites. It is also recommended to regularly update antivirus software and utilize reputable ad blockers to reduce the risk of malware infections.

This campaign highlights the increasing complexity of macOS malware, underscoring the interest shown by threat actors in compromising the macOS environment. Notably, researchers from Cyble Research and Intelligence Labs observed that the Atomic Stealer used in this malvertising campaign was being sold via Telegram for $1000 USD per month.

The evolving nature of malware threats targeting macOS users underscores the importance of staying vigilant and implementing robust cybersecurity measures to protect personal and sensitive data from malicious actors.
