Malware

AMOS, Odyssey stealers deployed via bogus tools

BleepingComputer reports that fraudulent software download sites for the Homebrew, LogMeIn, and TradingView platforms have been leveraged to compromise macOS developers with the Atomic macOS Stealer, or AMOS, and Odyssey information-stealing payloads as part of a new ClickFix attack campaign.

Threat actors have tapped Google Ads to promote over 85 domains spoofing the widely used platforms in Google Search results, with each of the sites including seemingly legitimate download portals that order users to copy a curl command in their Terminal for installation, a report from Hunt.io researchers showed. Adhering to the instructions prompts the retrieval and decoding of an 'install.sh' file that downloads either AMOS or Odyssey after verifying that the targeted machine is neither a virtual machine nor an analysis system.

After conducting extensive hardware and memory data reconnaissance and ending OneDrive updater daemons, both AMOS and Odyssey proceed with pilfering browser-stored data and cryptocurrency credentials, according to researchers, who urged against pasting Terminal commands found online to prevent compromise.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds