COOKIE SPIDER’s Malvertising Drops New SHAMOS macOS Malware

CrowdStrike reports that COOKIE SPIDER is using malvertising to spread SHAMOS, a new variant of the AMOS macOS infostealer that steals credentials and cryptocurrency wallets; the campaign reached more than 300 customer environments.
Between June and August this year, macOS users searching for fixes to routine technical problems were targeted by a campaign run by the cybercrime group COOKIE SPIDER. The attackers bought search ads that pointed to sites posing as legitimate help pages. Instead of offering a real fix, the pages told visitors to run a one-line command in Terminal, and that command delivered SHAMOS onto their systems.
The one-line Terminal install is a technique cybercriminals increasingly favour because it sidesteps Gatekeeper: Gatekeeper inspects downloaded apps and files that the browser has tagged with the quarantine attribute, but a script fetched with curl and piped into a shell is never quarantined, so it runs without any warning. Earlier macOS campaigns, notably Cuckoo Stealer and previous AMOS variants, used the same approach.
According to the CrowdStrike researchers who identified the COOKIE SPIDER malvertising campaign, it was large in scale, reaching more than 300 customer environments, with victims in the US, UK, Japan, Canada, Italy, Mexico, China, and Colombia.
The campaign's success depended heavily on keeping things simple. A user searching for a common macOS fix, such as "macOS flush resolver cache", was led to a promoted site, mac-safer[.]com, that looked legitimate. The pages offered instructions that appeared helpful but were designed to convince visitors to copy and run a malicious command.
Among the instructions was a command for users to paste into Terminal, which downloaded a Bash script. The script captured the user’s password and then retrieved the SHAMOS payload from a remote server.
CrowdStrike's blog post notes that once SHAMOS is running on an infected device, it sweeps the system for sensitive data, from Keychain items and Apple Notes to browser credentials and cryptocurrency wallets.
The malware then packs everything into a ZIP archive for exfiltration. It can also download additional payloads, including a fake Ledger Live wallet app and a botnet module, which extends the threat well beyond a one-off theft of credentials.
The distribution method mattered as much as the malware itself. Malvertising gave the operators a steady flow of unsuspecting victims, and in some cases the ads appeared to be linked to legitimate businesses, such as an Australia-based electronics store, suggesting that the criminals were spoofing business identities to gain credibility.
This tactic allowed fake help domains like mac-safer[.]com and rescue-mac[.]com to appear trustworthy enough for users to follow their instructions. CrowdStrike also observed the malware placing a malicious property list (plist) file in the user's LaunchDaemons directory for persistence, and saw repeated curl commands consistent with botnet activity.
Beyond malvertising, researchers noted that the operators also abused GitHub, creating fake repositories that posed as legitimate software projects to trick users into executing malicious commands. One example was a fake iTerm2 repository carrying near-identical instructions for downloading SHAMOS.
“This campaign is clever. Threat actors are targeting less-technical users, profiled through searches for help with basic issues, and provide them step-by-step guidance on how to install their malware,” noted Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, a San Francisco, Calif.-based crowdsourced cybersecurity platform.
“This kind of attack is probably effective against the SMB and home user segment. I would expect that enterprises, the kind that use CrowdStrike offerings, would have malicious installations like this blocked through their privileged account management (PAM) software,” he said.
This campaign is another reminder that macOS devices are not immune to malware. Treat sponsored search results with suspicion, and never paste a command from a web page into Terminal unless you understand what it does and trust the site that published it; once the user runs the command themselves, Gatekeeper and link scanning are no longer in the path. Checking a URL with a reputable browser security extension or with VirusTotal before visiting can still catch known-bad domains, but it is a supplement to that habit, not a substitute for it.
HackRead