Potent Atomic credential stealer can bypass Gatekeeper

Security experts have raised alarms over a new wave of malicious ads infiltrating search engines, which are impersonating various online services to distribute a potent credential theft tool. The latest victims in this scheme appear to be users of the LastPass password manager. Recently, LastPass revealed that it had identified a widespread campaign employing search engine optimization tactics to position deceptive ads for LastPass macOS applications at the top of search results on platforms like Google and Bing. These misleading ads directed users to two fraudulent GitHub sites designed to target LastPass users, both of which have since been taken down. While claiming to offer LastPass installations for MacBooks, these sites instead installed a credential stealer known as Atomic Stealer, or sometimes referred to as Amos Stealer. In a blog post, LastPass emphasized the importance of raising awareness about this campaign to protect its customers. The company also mentioned ongoing efforts to disrupt the malicious activities and shared indicators of compromise (IoCs) to assist other security teams in identifying related cyber threats. LastPass is not alone in facing exploitation of its brand through these deceptive ads. The IoCs provided by the company also highlighted other well-known software and services being impersonated, including 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood, Salesloft, SentinelOne, Shopify, Thunderbird, and TweetDeck. Typically, these ads feature eye-catching fonts, and upon being clicked, they lead users to GitHub pages that install versions of Atomic disguised as the legitimate software they were seeking.