{"id":24879,"date":"2024-07-12T09:10:14","date_gmt":"2024-07-12T17:10:14","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/07\/12\/news-18609\/"},"modified":"2024-07-12T09:10:14","modified_gmt":"2024-07-12T17:10:14","slug":"news-18609","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/07\/12\/news-18609\/","title":{"rendered":"Fake Microsoft Teams for Mac delivers Atomic Stealer"},"content":{"rendered":"\n<p>Competition between stealers for macOS is heating up, with a new malvertising campaign luring Mac users via a fraudulent advert for Microsoft Teams. This attack comes on the heels of the new <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/06\/poseidon-mac-stealer-distributed-via-google-ads\">Poseidon<\/a> (OSX.RodStealer) project, another threat using a similar code base and delivery techniques.<\/p>\n<p>Based on our tracking, Microsoft Teams is once again a popular keyword threat actors are bidding on, and it is the first time we have seen it used by Atomic Stealer. Communication tools like Zoom, Webex or Slack have historically been coveted by criminals who package them as fake installers laced with malware.<\/p>\n<p>This latest malvertising campaign was running for at least a few days and used advanced filtering techniques that made it harder to detect. Once we were able to reproduce a full malware delivery chain, we immediately reported the ad to Google.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-top-search-result-for-microsoft-teams\">Top search result for Microsoft Teams<\/h2>\n<p>We were able to reliably search for and see the same malicious ad for Microsoft Teams, which was likely paid for by a compromised Google ad account. For a couple of days, we could not see any malicious behavior as the ad redirected straight to Microsoft&#8217;s website. 
After numerous attempts and tweaks, we finally saw a full attack chain.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"737\" height=\"322\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/07\/image.png\" alt=\"\" class=\"wp-image-113629\" \/><\/figure>\n<p>Despite showing the<em> microsoft.com<\/em> URL in the ad&#8217;s display URL, it has nothing to do with Microsoft at all. The advertiser is located in Hong Kong and runs close to a thousand unrelated ads.<\/p>\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1164\" height=\"970\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/07\/image_d82d06.png?w=1024\" alt=\"\" class=\"wp-image-113647\" \/><\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-malicious-redirect-and-payload\">Malicious redirect and payload<\/h2>\n<p>We confirmed the ad was indeed malicious by recording a network capture (see below). Each click is first profiled (<em>smart[.]link<\/em>) to ensure only real people (not bots, VPNs) proceed, followed by a cloaking domain (<em>voipfaqs[.]com<\/em>) separating the initial redirect from the malicious landing (decoy) page (<em>teamsbusiness[.]org<\/em>).<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"843\" height=\"217\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/07\/image_43b901.png\" alt=\"\" class=\"wp-image-113632\" \/><\/figure>\n<p>Victims land on a decoy page showing a button to download Teams. 
A request is made to a different domain (locallyhyped[.]com) where a unique payload (file name and size) is generated for each visitor.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"970\" height=\"552\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/07\/image_348dbc.png\" alt=\"\" class=\"wp-image-113652\" \/><\/figure>\n<p>Once the downloaded file <em>MicrosoftTeams_v.(xx).dmg<\/em> is mounted, users are instructed to open it via a right-click in order to bypass Apple&#8217;s built-in protection mechanism for unsigned installers.<\/p>\n<p>In the video below, we show the steps required to install this malicious application, noting that you are instructed to enter your password and grant access to the file system. This may not seem unusual to someone installing a new program, but it is exactly what Atomic Stealer needs to grab keychain passwords and important files.<\/p>\n<figure class=\"wp-block-video\"><video controls src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/07\/Atomic-Stealer.mp4\"><\/video><\/figure>\n<p>Following the data theft is the data exfiltration step, only visible via a network packet collection tool. A single POST request is made to a remote web server (147.45.43[.]136) with the data being encoded.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"659\" height=\"485\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/07\/image_5a0493.png\" alt=\"\" class=\"wp-image-113655\" \/><\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-mitigations\">Mitigations<\/h2>\n<p>As cybercriminals ramp up their distribution campaigns, it becomes more dangerous to download applications via search engines. 
Users have to navigate between malvertising (sponsored results) and SEO poisoning (compromised websites).<\/p>\n<p>To mitigate such risks, we recommend using <a href=\"https:\/\/www.malwarebytes.com\/browserguard\">browser protection tools<\/a> that can block ads and malicious websites. Oftentimes, threat actors will rely on redirects from ads or compromised networks that can be stopped before a malicious installer is even downloaded.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1043\" height=\"707\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/07\/image_73a5c9.png?w=1024\" alt=\"\" class=\"wp-image-113661\" \/><\/figure>\n<p><a href=\"https:\/\/www.malwarebytes.com\/mac\">Malwarebytes for Mac<\/a> detects this threat as OSX.AtomStealer:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"1018\" height=\"476\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/07\/image_666f63.png\" alt=\"\" class=\"wp-image-113660\" \/><\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-indicators-of-compromise\">Indicators of Compromise<\/h2>\n<p>Cloaking domain<\/p>\n<pre class=\"wp-block-preformatted\">voipfaqs[.]com<\/pre>\n<p>Decoy site<\/p>\n<pre class=\"wp-block-preformatted\">teamsbusiness[.]org<\/pre>\n<p>Download URL<\/p>\n<pre class=\"wp-block-preformatted\">locallyhyped[.]com\/kurkum\/script_66902619887998[.]92077775[.]php<\/pre>\n<p>Atomic Stealer payload<\/p>\n<pre class=\"wp-block-preformatted\">7120703c25575607c396391964814c0bd10811db47957750e11b97b9f3c36b5d<\/pre>\n<p>Atomic Stealer C2<\/p>\n<pre class=\"wp-block-preformatted\">147.45.43[.]136<br><\/pre>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2024\/07\/fake-microsoft-teams-for-mac-delivers-atomic-stealer\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> In a new 
malware campaign, threat actors are using Google ads to target Mac users looking to download Microsoft Teams. <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[2211,30077,10454,10531,29909,12040],"class_list":["post-24879","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-apple","tag-atomic-stealer","tag-mac","tag-malvertising","tag-microsoft-teams","tag-threat-intelligence"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24879","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24879"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24879\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24879"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24879"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24879"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}