Hackers are impersonating the financial market tracking platform TradingView to spread malware in a malvertising campaign targeting Mac users.
In a report on Wednesday, Malwarebytes revealed that threat actors are using Google Ads to lure unsuspecting Mac users to a phishing site that spoofs TradingView. The lookalike site, which closely mirrors TradingView’s real website, is designed to spread malware.
The site has download buttons for Windows, Linux, and macOS users. While clicking on the Windows and Linux links will download the NetSupport Remote Access Trojan (RAT) on victims’ devices, the macOS download button delivers the notorious Atomic Stealer (AMOS). This malware first surfaced on dark web forums earlier this year and was mainly spread through pirated software.
AMOS is “a stealer for Mac OS with a strong focus on crypto assets, capable of harvesting passwords from browsers and Apple’s keychain, as well as featuring a file grabber,” Malwarebytes’ report said.
Convincing Phishing Campaign
The Google ad for the fake TradingView site uses special Unicode font characters in place of ordinary letters, Malwarebytes said. This may be an “attempt to appear like the real domain and evade detection from Google’s ad quality checks.”
The fake TradingView site looks “quite authentic,” and victims may find it difficult to tell it apart from the real one.
“The downloaded file (TradingView.dmg) comes with instructions on how to open it in order to bypass Gatekeeper,” the report said. “Unlike regular apps, it does not need to be copied into the Mac’s Apps folder but is simply mounted and executed.”
Once run, the downloaded file repeatedly prompts the victim for their password until it is entered.
“The malware is bundled in an ad-hoc signed app meaning it’s not an Apple certificate, so it cannot be revoked,” the report revealed.
According to Malwarebytes, the ultimate goal of the threat actor is to steal data from victims’ devices.
How to Protect Your Mac From Malware
While macOS is generally safer than other operating systems, it is not immune to threats.
This is not the first time researchers have found threat actors using Google Ads to direct targets to phishing sites that contain malicious software. In January, Cyble Research & Intelligence Labs observed threat actors using this technique to spread the Rhadamanthys Stealer hidden in legitimate software.
To protect your Mac from such threats, Malwarebytes recommends double-checking the origin of any software before running it on your device. You should “at least spend some time verifying that the current website really is the right one, and not a fake,” Malwarebytes advised.
While phishing sites can look eerily similar to the sites they’re spoofing, there are always tell-tale signs that show they’re fake. In this case, the use of special characters and the misspelled name of the site — “trabingviews.com” — gave it away.
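The two tell-tale signs in this campaign, Unicode lookalike characters in the advertised domain and a near-miss spelling such as “trabingviews.com,” can be checked automatically. The following is an added example (not code from Malwarebytes or the report) that compares a hostname against the genuine domain; the Cyrillic and fullwidth lookalike samples are constructed for illustration, not observed indicators.

```python
import unicodedata
LEGIT_DOMAIN = "tradingview.com"  # the real site the campaign spoofs

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete or substitute one character = cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def second_level_label(host: str) -> str:
    """'www.tradingview.com' -> 'tradingview' (naive: ignores multi-part TLDs)."""
    parts = host.strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def assess_domain(host: str, legit: str = LEGIT_DOMAIN) -> dict:
    """Flag a hostname that only looks like `legit`: non-ASCII glyphs,
    fullwidth/compatibility characters, or a near-miss spelling."""
    raw = host.strip().lower()
    non_ascii = sorted({c for c in raw if ord(c) > 127})
    folded = unicodedata.normalize("NFKC", raw)            # fullwidth 't' -> 't'
    try:
        ascii_form = folded.encode("idna").decode("ascii")  # Cyrillic letters -> xn--
    except UnicodeError:
        ascii_form = folded
    distance = levenshtein(second_level_label(folded), second_level_label(legit))
    reasons = []
    if non_ascii:
        reasons.append("non-ASCII characters: " + " ".join(f"U+{ord(c):04X}" for c in non_ascii))
    if ascii_form.startswith("xn--") or ".xn--" in ascii_form:
        reasons.append("IDN label, punycode form: " + ascii_form)
    if 0 < distance <= 3:
        reasons.append(f"{distance} edit(s) away from {legit}")
    return {
        "input": host,
        "ascii_form": ascii_form,
        "exact_match": ascii_form == legit,
        "edit_distance": distance,
        "reasons": reasons,
        "suspicious": raw != legit and bool(reasons),
    }

if __name__ == "__main__":
    # Constructed samples: real domain, the report's misspelling, two hypothetical lookalikes
    for h in ["tradingview.com", "trabingviews.com", "tradingvi\u0435w.com", "\uff54radingview.com"]:
        print(assess_domain(h))
```

Note that the fullwidth sample folds to the genuine domain after NFKC normalization, so a check based on normalization alone would miss it; the raw non-ASCII test is what catches it.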
We also recommend using antivirus software to block malware and other threats. According to the report, the Malwarebytes antivirus software detected the malware as “OSX.AtomStealer.” We’ve tested this antivirus extensively. You can discover how it performed in our Malwarebytes review.
Check out our top-rated antivirus software for other options.
