PSA: New Mac malware steals passwords, crypto, and more via malicious apps

A sophisticated and alarming Mac malware attack is currently being carried out under the guise of free versions of popular apps such as Loom, LedgerLive, and Black Desert Online.

This well-organized attack uses a combination of legitimate-looking Google ads and phishing emails to lure victims. The malware campaign was discovered by Moonlock, a cybersecurity group within MacPaw, known for their CleanMyMac app. Initially, the threat seemed limited to mimicking Loom, a widely used screen recording tool, but further investigation revealed a broader range of apps being targeted.


Moonlock Lab’s investigation began when they noticed a Google ad promoting what appeared to be the official Loom application. The ad looked legitimate, enticing users to click on what seemed to be a trusted source. However, upon clicking the link, users were redirected to a site nearly identical to the official Loom website, hosted at smokecoffeeshop[.]com. This site prompted users to download a malicious file containing stealer malware. The campaign extends beyond Loom: fake versions of other popular applications such as Figma, TunnelBlick (VPN), and Callzy, as well as a suspiciously named file, BlackDesertPersonalContractforYouTubepartners[.]dmg, are being used to distribute the malware.


Particularly alarming is the malware’s ability to replace genuine apps with harmful versions, such as the cryptocurrency manager LedgerLive. Once the malicious clone is downloaded, attackers can potentially access and drain victims’ cryptocurrency wallets. The malicious version is designed to closely mimic the legitimate app’s appearance and functionality, making the compromise difficult for users to detect. Moonlock Lab’s findings confirm that the stealer is capable of grabbing files, hardware information, passwords, browser data, and credentials from a keychain dump.

The campaign appears to be orchestrated by a well-organized group known as Crazy Evil. This group uses deceptive Google-sponsored URLs to trick users into downloading harmful software. Moonlock Lab’s investigation identified an IP address, linked to a governmental entity, that had a high malware association and numerous files flagged as malware. This IP address had been hosting macOS-related files from the campaign since July 23, 2024.

To protect themselves, Mac users should take proactive measures. Always double-check URLs when downloading files, even from trusted sources like Google Ads or top search results. Regularly scanning your device with reliable anti-malware tools like CleanMyMac X with Moonlock Engine can help ensure no malicious software is present. Additionally, keeping software up-to-date is crucial to protect against known vulnerabilities. Users should also be cautious with emails offering contracts or deals from unknown senders to prevent phishing schemes.
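The "double-check URLs" advice can be made mechanical. The following is an added illustration, not code from the article or from Moonlock: it classifies a download link for a given app as "ok", "lookalike" or "suspicious" by comparing the link's registrable domain with an assumed allow-list of official vendor domains (the allow-list and all sample URLs are constructed for this example). It also accepts defanged indicators such as smokecoffeeshop[.]com as they appear in reports.

```python
from typing import Tuple
from urllib.parse import urlparse

# Constructed allow-list of official download domains for apps this campaign
# impersonated (an assumption for illustration; confirm against each vendor).
OFFICIAL_DOMAINS = {
    "loom": "loom.com",
    "ledger live": "ledger.com",
    "figma": "figma.com",
}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://evil[.]com) back into a parseable URL."""
    return (url.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Adequate for .com-style domains; a real
    check should consult the Public Suffix List (co.uk and similar)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_download_url(app: str, url: str) -> Tuple[str, str]:
    """Classify a download link for `app` as ok / lookalike / suspicious.

    Returns (verdict, reason). Only the hostname matters: a brand name in the
    path (e.g. /loom) says nothing about who controls the site.
    """
    expected = OFFICIAL_DOMAINS[app.lower()]
    parsed = urlparse(refang(url))
    host = parsed.hostname or ""
    if not host:
        return "suspicious", "no hostname in URL"
    domain = registrable_domain(host)
    if domain == expected:
        if parsed.scheme != "https":
            return "suspicious", f"official domain but not https: {url}"
        return "ok", f"{host} belongs to {expected}"
    brand = expected.split(".")[0]
    if brand in host:
        # e.g. loom.com.attacker.example or loom-download.example
        return "lookalike", f"{host} contains '{brand}' but is {domain}, not {expected}"
    return "suspicious", f"{host} is {domain}, expected {expected}"


if __name__ == "__main__":
    for app, link in [("loom", "https://www.loom.com/download"),
                      ("loom", "https://smokecoffeeshop[.]com/loom"),
                      ("loom", "https://loom.com.evil-example.net/"),
                      ("ledger live", "https://ledger-live-download.example/")]:
        print(app, link, "->", check_download_url(app, link))
```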

Apple’s built-in security features, Gatekeeper and XProtect, provide extra protection against malicious software and are enabled by default.

(via Moonlock Lab)

About the Author

Asma is an editor at iThinkDifferent with a strong focus on social media, Apple news, streaming services, guides, mobile gaming, app reviews, and more. When not blogging, Asma loves to play with her cat, draw, and binge on Netflix shows.