CrowdStrike stories COOKIE SPIDER utilizing malvertising to unfold SHAMOS macOS malware (a brand new variant of AMOS infostealer), stealing credentials, crypto wallets, and focusing on 300+ environments.
Between June and August this yr, macOS customers on the lookout for options to routine technical points have been focused by a marketing campaign run by the cybercrime group COOKIE SPIDER. The attackers bought adverts that appeared as official assist websites, however as an alternative of providing actual fixes, these websites instructed guests to run a one-line command in Terminal. That command delivered SHAMOS, a brand new variant of the AMOS infostealer, onto their techniques.
To your data, one-line set up command is a way that cybercriminals more and more want as a result of it bypasses macOS Gatekeeper safety checks, permitting the malware to put in with out triggering warnings. Earlier malware assaults on macOS units, particularly the one carried out by Cuckoo Stealer and earlier AMOS variants, used the identical strategy.
In accordance with cybersecurity researchers at CrowdStrike, who recognized the COOKIE SPIDER’s malvertising marketing campaign, it was a large-scale one which focused greater than 300 buyer environments with victims within the US, UK, Japan, Canada, Italy, Mexico, China, and Colombia.
The success of the marketing campaign depended closely on preserving it easy. For instance, a person trying to find a standard macOS repair, akin to “macOS flush resolver cache”, was led to a promoted web site, mac-safercom, that regarded official. The pages offered directions that appeared useful, however have been designed to persuade guests to repeat and run a malicious command.
Among the many directions was a command for customers to stick into Terminal, which downloaded a Bash script. The script captured the person’s password after which retrieved the SHAMOS payload from a distant server.
CrowdStrike’s weblog submit notes that when SHAMOS is working on an contaminated machine, it checks techniques for delicate data like Keychain knowledge to Apple Notes, browser credentials, and even cryptocurrency wallets.
The malware then saves the whole lot in a ZIP archive for exfiltration. It will possibly additionally obtain further payloads, together with a faux Ledger Dwell pockets app and a botnet module, making it a good greater cybersecurity menace than it already is.
Spreading SHAMOS
The strategy of distributing SHAMOS was as essential because the malware itself. Utilizing malvertising gave them a gradual movement of unsuspecting victims. In some instances, the adverts seemed to be linked to official companies, akin to an Australia-based electronics retailer, suggesting that the criminals have been spoofing enterprise identities to realize credibility.
This tactic allowed faux assist domains like mac-safercom and rescue-maccom to look reliable sufficient for customers to observe their directions. CrowdStrike additionally noticed proof of the malware inserting a malicious property listing (plist) file within the person’s LaunchDaemons listing. It additionally used repeated curl instructions that instructed botnet exercise.
Not Simply Malvertising
Apart from malvertising, researchers famous that the malware additionally exploited GitHub for publicity, together with faux repositories posing as official software program tasks to trick customers into executing malicious instructions. One instance concerned a faux iTerm2 repository with practically similar directions for downloading SHAMOS.
“This marketing campaign is intelligent. Menace actors are focusing on less-technical customers, profiled by searches for assist with fundamental points, and supply them step-by-step steerage on set up their malware,” famous Trey Ford, Chief Technique and Belief Officer at Bugcrowd, a San Francisco, Calif.-based crowdsourced cybersecurity platform.
“This type of assault might be efficient in opposition to the SMB and residential person section. I might anticipate that enterprises, the sort that use CrowdStrike choices, would have malicious installations like this blocked by their privileged account administration (PAM) software program,” he mentioned.
This marketing campaign reveals macOS units will not be secure from malware assaults. Subsequently, use search engines like google and yahoo however click on on their outcomes at your personal danger. Essentially the most dependable option to examine if a hyperlink is malicious is to make use of a trusted antivirus browser extension that scans URLs earlier than you open them, or to scan the location with VirusTotal earlier than visiting.
