Malwarebytes has warned users to be wary of fake versions of legitimate software being disseminated on GitHub. Dozens of apps were found impersonating popular brands like password managers, Audacity, Dropbox, and others, to lure victims into downloading and running malware themselves.
Last week, LastPass alerted users about the large-scale attack targeting Mac users via GitHub pages. Its researchers detected two GitHub pages impersonating the LastPass software, with links to “Install LastPass on MacBook.”
Multiple other GitHub pages were found, created by multiple usernames to circumvent takedowns. The fraudulent repositories poisoned search results. Users, looking for the app using specific macOS keywords, were served malicious repositories on top of the search results.
Malwarebytes, a cybersecurity company, details that the campaign is even wider than previously thought and that cybercriminals are impersonating dozens of apps.
“Unfortunately, Malwarebytes for Mac is one of them,” the firm said.
The researchers found fake versions of 1Password, Audacity, Dropbox, Shopify, Thunderbird, DaVinci Resolve, Metatrader 5, Hootsuite, and dozens of other apps on GitHub.
Many of the impersonated apps are available for free, and users don't even need to search for pirated or “unlocked” versions.
Hackers seem to exploit their popularity by purchasing ads on search engines to place their fake offerings on top.
“Sometimes, the starting point is a sponsored Google ad that points to GitHub instead of the official page of the developer,” the Malwarebytes report explains.
“The cybercriminals are known to have used Search Engine Optimization (SEO) techniques to get their listings higher in the search results.”
Here’s how the campaign works
Victims looking for specific software are often likely to press the first suggestion of the search engine.
The cybercrooks, who poisoned SEO results or bought a sponsored search result, lead users to a GitHub page. GitHub is a platform for developers to share and work on their code, but anyone can create an account here and publish their work.
The malicious repositories contain a simple button luring users to “Get Malwarebytes” or any other software. If a victim clicks the button, they’re redirected to a download page with instructions on installing the software, which is actually an information stealer capable of stealing crypto, passwords, documents, and other data.
“The easiest way to infect Macs is to get users to install the malware themselves, and the Atomic Stealer (aka AMOS) is the go-to information stealer for Macs,” the Malwarebytes researchers said.
The malicious instructions direct users to open a terminal, paste a command, and enter the device password when prompted to confirm the installation. The command is obfuscated using base64 encoding. It downloads and executes another script from the attacker-controlled server.
“It bypasses security because of the use of the command line – it can bypass normal file download protections and execute anything the attacker wants,” Malwarebytes warns.
The discovered malicious repositories and files were taken down, but attackers constantly spin up new ones.
“It’s highly likely that there will be more.”
While security solutions for Mac might detect and block the constantly changing variants of Atomic Stealer, Malwarebytes warns users to recognize this chain of infection and avoid downloading the malware.
“Never run copy-pasted commands from random pages or forums, even if they are on seemingly legitimate GitHub pages,” the report reads. “Especially don’t use any that involve curl … | bash or similar combos.”
The security firm also recommends avoiding sponsored search results, verifying links, and always downloading software from official developer pages.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked