A recent wave of cyber threats has emerged, specifically targeting MacOS users globally. This campaign employs a new version of the AMOS infostealer, known as ‘malext’, delivered through deceptive online advertisements.
How the Malvertising Campaign Operates
The attackers strategically purchase Google Search ads to lure unsuspecting users to fraudulent help articles hosted on text-sharing platforms. These articles present seemingly legitimate terminal commands, which covertly install the infostealer on users’ devices.
The threat was uncovered when a MacOS user searching for storage optimization advice encountered a misleading Medium blog post. The post urged users to execute a terminal command, which initiated a request for the administrative password, raising suspicions and preventing a complete system breach.
Uncovering the Scale of the Attack
Further investigation by cybersecurity enthusiasts, including Gi7w0rm, revealed the campaign’s extensive reach. Utilizing Google’s Ads Transparency tool, they identified over 34 attack chains and more than 53 compromised Google Ads accounts actively promoting malicious content.
This operation’s sophistication suggests it may be orchestrated by a larger organized crime network, potentially a ‘Traffer’ group. The attackers also leveraged platforms like Evernote and mssg.me, which do not require stringent identity verification, to host their fake content.
Technical Details of the Malext Infostealer
The ‘malext’ variant of AMOS, named after its command-and-control domain, malext[.]com, is designed to extract sensitive information from infected systems. It targets browser credentials, Safari cookies, cryptocurrency wallets, Telegram sessions, and the macOS keychain.
The malware employs a multi-layered obfuscation technique, utilizing both Base64 encoding and gzip compression, to evade detection. It conducts virtual machine checks and avoids execution in sandbox environments, ensuring stealthy operation.
Protective Measures and Recommendations
MacOS users are advised to exercise caution when encountering terminal commands online, particularly from Google ad-labeled sources. It is crucial to maintain active security features like Gatekeeper and System Integrity Protection.
If a system is suspected to be compromised, users should promptly remove specific files and entries, change browser-saved passwords, and reinstall cryptocurrency wallet applications from official sources to mitigate potential damage.
Stay informed about the latest cybersecurity threats by following trusted news sources and cybersecurity experts on platforms like Google News and LinkedIn.
