In a new malicious campaign targeting Apple product users, criminals are spreading malware by using fake Mac Homebrew ads on Google.
Developer Ryan Chenkie spotted a malicious Google ads campaign targeting Mac users with infostealer malware.
In a brief security advisory posted on X, Chenkie warns fellow developers to exercise caution when handling Homebrew apps, noting that Google displays several sponsored links to a rogue Homebrew site clone.
The phony website reportedly hosts a cURL command that leads to malware and has a URL nearly identical to its legitimate counterpart, with only one letter setting them apart.
For this malvertising campaign, perpetrators employed AmosStealer (also known as Atomic), a strain of malware typically designed to work on macOS systems and currently available on a subscription basis.
Threat actors must cough up $1,000 for each month of access to the info-stealing malware. AmosStealer is infamous for its ability to steal credentials, crypto wallets and browser data from compromised devices.
Many advanced macOS users are familiar with the popular open-source package manager Homebrew, which enables software installation, management, and updating from the system’s Terminal.
Although threat actors manipulated the malicious Google advertisement to display Homebrew’s correct URL, “brew.sh,” the ad redirected visitors to the URL of the fake site, “brewe[.]sh.”
URL redirection is a common technique for deceiving visitors into interacting with apparently legitimate links, only to have them sent to malicious addresses, often ones that mimic legitimate businesses, organizations, services or products.
Once the users land on the malicious page, they are given instructions to install Homebrew on their devices. Like its legitimate equivalent, the website even provides a command that users are encouraged to paste into their macOS or Linux terminals.
As expected, pasting and executing the fake website’s Terminal command downloads and installs malware on the user’s device.
Although the malicious ads have since been taken down, threat actors could create a different ad campaign leveraging other redirection domains.
Mac users must remain vigilant to detect and deter malicious ad campaigns pushing infostealers and other similar threats. However, sometimes being cautious isn’t nearly enough to stay protected.
Dedicated software like Bitdefender Ultimate Security encompasses a broad range of features to safeguard your device against intrusions, including:
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.