Cybercriminals are using Google ads to spread malware, directing Mac and Linux users to a fake Homebrew website that delivers an infostealer.
This malware campaign is designed to steal sensitive information, including credentials, browser data, and cryptocurrency wallets.
The information stealer in question, AmosStealer (or Atomic), was discovered by security expert Ryan Chenkie, who raised the alarm on X about this campaign and its potential risks.
Specifically tailored for macOS systems, this information stealer is sold to cybercriminals on a subscription basis for $1,000 per month.
For those unaware, Homebrew is a free and open-source software package management system that simplifies the installation of software on Apple's macOS and on Linux.
However, it has recently become a focal point for malvertising campaigns promoting fake Google Meet pages.
The malicious ad redirected users to a fake site hosted at “brewe.sh”, which mimicked the real one. The fake site instructed visitors to install Homebrew by running a command in their Terminal or a Linux shell prompt. Upon execution, that command installed malware instead of the legitimate software on the device.
Security researcher JAMESWT identified the malware dropped in this case as Amos, a potent information stealer capable of targeting over 50 cryptocurrency extensions, desktop wallets, and web browser data.
Homebrew’s project leader, Mike McQuaid, acknowledged the issue and expressed frustration over Google’s inability to prevent these scams.
Although the malicious ad has been removed, the threat remains, as hackers can use other redirection domains to continue their campaigns.
To protect themselves from potential risks, users should bookmark the official websites of trusted projects like Homebrew and access them directly.
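A check to run on a copied install one-liner before pasting it into a shell, matching the lookalike-domain trick described above. This is an added example, not code from Homebrew or from the researchers named here. The trusted host list, the edit-distance threshold and both sample commands are assumptions made for illustration; the page does not give the actual command served by the fake site.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the genuine Homebrew site and install script are served from.
TRUSTED_HOSTS = ("brew.sh", "raw.githubusercontent.com")
URL_RE = re.compile(r"https?://[^\s\"'`)<>]+", re.IGNORECASE)

# Constructed samples: the official-style one-liner and a lookalike variant.
OFFICIAL = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
FAKE = '/bin/bash -c "$(curl -fsSL https://brewe.sh/install.sh)"'

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'trusted', 'lookalike of <host>' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if host in TRUSTED_HOSTS:
        return "trusted"
    for good in TRUSTED_HOSTS:
        if edit_distance(host, good) <= 2:  # assumed threshold
            return "lookalike of " + good
    return "unknown"

def review_command(cmd):
    """List (host, verdict) for every URL embedded in a shell command."""
    findings = []
    for url in URL_RE.findall(cmd):
        parts = urlsplit(url)
        # .hostname ignores any "user@" prefix, so brew.sh@other.example
        # is judged on other.example, the host actually contacted.
        verdict = classify_host(parts.hostname or "")
        if verdict == "trusted" and parts.scheme.lower() != "https":
            verdict = "trusted host over plain http"
        findings.append((parts.hostname or "", verdict))
    return findings

def safe_to_run(cmd):
    """True only if the command fetches from trusted hosts over HTTPS."""
    findings = review_command(cmd)
    return bool(findings) and all(v == "trusted" for _, v in findings)
```

A command with no URL at all is reported as not safe, since the check then has nothing to verify.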