LastPass warns of a continuous and widespread information steeler campaign targeting Apple MacOS users via fake GitHub repositories that distribute malware-covered programs pose as legitimate tools.
“In the case of LastPass, the fraudulent repository redirected potential victims to a repository that downloads Atomic Infostealer malware,” researchers Alex Cox, Mike Kosak and Stephanie Schneider said from LastPass’ Threat Intelligence, Mitigation and Escalization (Time) team.
Beyond the last pass, popular tools that impersonate campaigns include 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Concepts, Obsidian, Robinhood, Salesloft, Sentinelone, Shopifififififififififififififififififififififide, Thunderbird, Tweetdeck, and more. All GIHUB repositories are designed to target MacOS systems.
The attack includes the use of search engine optimization (SEO) addiction, pushing a link to the malicious Github site above in Bing and Google search results, clicking the “Install LastPass on MacBook” button to download the program, and redirecting the GitHub page domain.
“Github pages are created with multiple Github usernames and appear to avoid Takedowns,” says LastPass.
The GitHub page is designed to take users to another domain that provides Clickfix-style instructions to copy and execute commands into a terminal app, and deploys Atomic Stealer malware.
Note that similar campaigns previously utilized previously malicious sponsored Google ads to distribute multi-stage droppers via fake GitHub repositories that can detect virtual machines or analytics environments.
In recent weeks, threat actors have been discovered to be leveraging public Github repositories to host malicious payloads and distribute them via Amadey, and have used a hanging committee that corresponds to the official Github repositories to redirect immature users to malicious programs.
