CrowdStrike stories COOKIE SPIDER utilizing malvertising to unfold SHAMOS macOS malware (a brand new variant of AMOS infostealer), stealing credentials, crypto wallets, and concentrating on 300+ environments.
Between June and August this 12 months, macOS customers searching for options to routine technical points had been focused by a marketing campaign run by the cybercrime group COOKIE SPIDER. The attackers bought adverts that appeared as respectable assist websites, however as a substitute of providing actual fixes, these websites instructed guests to run a one-line command in Terminal. That command delivered SHAMOS, a brand new variant of the AMOS infostealer, onto their techniques.
In your data, one-line set up command is a method that cybercriminals more and more choose as a result of it bypasses macOS Gatekeeper safety checks, permitting the malware to put in with out triggering warnings. Earlier malware assaults on macOS units, particularly the one carried out via Cuckoo Stealer and earlier AMOS variants, used the identical strategy.
In accordance with cybersecurity researchers at CrowdStrike, who recognized the COOKIE SPIDER’s malvertising marketing campaign, it was a large-scale one which focused greater than 300 buyer environments with victims within the US, UK, Japan, Canada, Italy, Mexico, China, and Colombia.
The success of the marketing campaign depended closely on holding it easy. For instance, a person trying to find a standard macOS repair, reminiscent of “macOS flush resolver cache”, was led to a promoted web site, mac-safercom, that seemed respectable. The pages offered directions that appeared useful, however had been designed to persuade guests to repeat and run a malicious command.
Among the many directions was a command for customers to stick into Terminal, which downloaded a Bash script. The script captured the person’s password after which retrieved the SHAMOS payload from a distant server.
CrowdStrike’s weblog put up notes that after SHAMOS is operating on an contaminated system, it checks techniques for delicate data like Keychain knowledge to Apple Notes, browser credentials, and even cryptocurrency wallets.
The malware then saves every part in a ZIP archive for exfiltration. It might probably additionally obtain further payloads, together with a faux Ledger Reside pockets app and a botnet module, making it a fair larger cybersecurity risk than it already is.
Spreading SHAMOS
The strategy of distributing SHAMOS was as essential because the malware itself. Utilizing malvertising gave them a gradual circulation of unsuspecting victims. In some circumstances, the adverts seemed to be linked to respectable companies, reminiscent of an Australia-based electronics retailer, suggesting that the criminals had been spoofing enterprise identities to realize credibility.
This tactic allowed faux assist domains like mac-safercom and rescue-maccom to seem reliable sufficient for customers to observe their directions. CrowdStrike additionally noticed proof of the malware inserting a malicious property checklist (plist) file within the person’s LaunchDaemons listing. It additionally used repeated curl instructions that urged botnet exercise.
Not Simply Malvertising
Aside from malvertising, researchers famous that the malware additionally exploited GitHub for publicity, together with faux repositories posing as respectable software program initiatives to trick customers into executing malicious instructions. One instance concerned a faux iTerm2 repository with almost equivalent directions for downloading SHAMOS.
“This marketing campaign is intelligent. Menace actors are concentrating on less-technical customers, profiled via searches for assist with primary points, and supply them step-by-step steerage on find out how to set up their malware,” famous Trey Ford, Chief Technique and Belief Officer at Bugcrowd, a San Francisco, Calif.-based crowdsourced cybersecurity platform.
“This type of assault might be efficient towards the SMB and residential person section. I’d anticipate that enterprises, the type that use CrowdStrike choices, would have malicious installations like this blocked via their privileged account administration (PAM) software program,” he mentioned.
This marketing campaign exhibits macOS units aren’t secure from malware assaults. Due to this fact, use search engines like google however click on on their outcomes at your personal threat. Probably the most dependable solution to test if a hyperlink is malicious is to make use of a trusted antivirus browser extension that scans URLs earlier than you open them, or to scan the location with VirusTotal earlier than visiting.
