Beware of this malware disguised as a real application


Bad actors are using malware disguised as trusted software, such as 1Password, Bartender 5, and Pixelmator Pro, to infect Windows and macOS computers. The malicious downloads are distributed through files hosted on GitHub and on FileZilla (FTP) servers, which lends the campaign legitimate-looking infrastructure for delivering its payloads.

The campaign is attributed to a group believed to operate from the Commonwealth of Independent States (CIS). Once a victim runs one of the fake installers, the malware gains elevated privileges on the infected computer, which lets the operators turn off security features and drop additional malware. Some of the payloads focus on harvesting personal information, but many also target cryptocurrency wallets and banking software.

The threat actors also host files outside GitHub and FileZilla: fake application websites redirect visitors to payloads hosted on Dropbox and Bitbucket. Recorded Future's Insikt Group said the activity appears to be related to a campaign that has been running since at least August 2023 and that distributes malware families including Lumma, RedLine, Vidar, Rhadamanthys, DarkComet RAT and DanaBot.

The report is part of a steady stream of news about this type of malware, including Activator, a macOS backdoor that remains a "very active threat," according to The Hacker News. Activator disables the macOS Notification Center and then launches a multi-stage Python script designed to be both malicious and persistent.

So far, this type of malware has been spread mainly through SEO poisoning campaigns and malvertising (malicious advertising). You are strongly advised to avoid clicking on ads and sponsored results in web searches, and to be wary of websites carrying third-party ads, because ad poisoning has become a popular way of spreading malware across the web, just as it was in earlier campaigns.
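Beyond avoiding ads, the practical check against a lookalike installer is to verify who actually signed the download rather than trusting the file name or the site it came from. The script below is an added example, not code from the article or from any of the impersonated vendors: on macOS it validates a downloaded app bundle's code signature, compares the Apple Team ID embedded in that signature with the one the caller expects, and asks Gatekeeper whether it accepts the bundle. The expected Team ID is an assumption the caller must obtain from the genuine vendor (for instance by inspecting a copy installed from the Mac App Store); the value in the usage line is a placeholder, and the sample `codesign` output used for testing is constructed.

```shell
#!/bin/sh
# Added example (not from the article or any vendor): verify that a downloaded
# macOS app is signed by the Team ID the genuine vendor uses before opening it.
# The expected Team ID is supplied by the caller and is an assumption to confirm
# against a known-good copy; the value in the usage line below is a placeholder.

# Pull the TeamIdentifier value out of the text printed by
# `codesign -dv --verbose=4 <app>` (codesign writes these details to stderr,
# so the caller captures it with 2>&1). Prints an empty string when the line
# is absent (an unsigned bundle) and the literal "not set" for an ad-hoc
# signature; neither can match a real Team ID.
team_id_from_codesign_output() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 only when the codesign output names exactly the expected Team ID.
team_id_matches() {
    actual=$(team_id_from_codesign_output "$1")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Full check against a bundle on disk (macOS only):
#   1. the signature must validate (--deep covers nested code,
#      --strict enforces current code-signing requirements),
#   2. the Team ID must match the expected value,
#   3. Gatekeeper must accept the bundle (notarized or App Store).
# A valid signature alone is not enough: an attacker can sign with a Team ID
# of their own, which is why step 2 compares against the vendor's ID.
check_app_signature() {
    app="$1"
    expected_team="$2"
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL: signature missing or invalid: $app" >&2
        return 1
    fi
    details=$(codesign -dv --verbose=4 "$app" 2>&1)
    if ! team_id_matches "$details" "$expected_team"; then
        echo "FAIL: Team ID '$(team_id_from_codesign_output "$details")' is not the expected '$expected_team': $app" >&2
        return 1
    fi
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "FAIL: Gatekeeper does not accept $app" >&2
        return 1
    fi
    echo "OK: $app is signed by Team ID $expected_team and accepted by Gatekeeper"
}

# Usage: sh check_app.sh /path/to/Downloaded.app EXPECTEDTEAM
# (EXPECTEDTEAM is a placeholder; substitute the vendor's real Team ID.)
if [ "$#" -eq 2 ]; then
    check_app_signature "$1" "$2"
fi
```

The same idea applies on Windows, where PowerShell's `Get-AuthenticodeSignature` exposes the signer certificate of a downloaded installer; the comparison to make is against the publisher name and certificate the real vendor uses, not merely whether the status reads "Valid".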