According to LastPass (blog), the TIME team is tracking an ongoing, broad and active infostealer campaign that targets Mac users through fraudulent GitHub repositories impersonating companies in order to deliver the Atomic Stealer (AMOS) malware. The attackers use SEO to push their links to the top of search results, and LastPass is sharing IoCs and pursuing takedowns with GitHub.
🚨 Key details: two GitHub pages impersonating LastPass were created on 16 September by the user “modhopmduck476”. These pages, titled with the company name and macOS-related terms, redirect to hxxps://ahoastock825[.]github[.]io/.github/lastpass and then to macprograms-pro[.]com/mac-git-2-download.html, which asks the visitor to paste a command into Terminal. That command runs curl against a Base64-encoded URL that decodes to bonoud[.]com/get3/install.sh, downloads a first payload and then an “Update” binary into the Temp directory, which is in fact Atomic Stealer. The operators spin up multiple GitHub accounts to evade takedowns.
📌 Context: LastPass says it is actively monitoring the campaign, has submitted the fraudulent sites for takedown (now inactive) and is sharing IoCs to aid detection. The post also points to an article by Dhiraj Mishra describing a similar campaign.
🧪 IoCs provided:
- URLs/domains (the full list of impersonating GitHub repositories is in the original LastPass post):
- github[.]com/lastpass-on-macbook
- github[.]com/LastPass-on-MacBook/lastpass-premium-mac-download
- ahoastock825[.]github[.]io/.github/lastpass
- macprograms-pro[.]com/mac-git-2-download.html
- bonoud[.]com/get3/install.sh
- bonoud[.]com/get3/update
- SHA256:
- e52dd70113d1c6eb9a09eafa0a7e7bcf1da816849f47ebcdc66ec9671eb9b350 (Atomic Stealer)
- Actors/identifiers observed:
- GitHub account: “modhopmduck476”
🛠️ Observed TTPs:
- Company impersonation via GitHub Pages and multiple GitHub repositories to evade takedowns.
- SEO poisoning to push the malicious links up in Bing/Google results.
- Redirect chain: GitHub Pages -> macprograms-pro[.]com -> Terminal command.
- Copy-paste shell command that runs curl against a Base64-encoded URL.
- Script download from bonoud[.]com/get3/install.sh, then an “Update” payload into the Temp directory.
- Delivery of Atomic Stealer (AMOS), an infostealer active since at least April 2023.
This is a threat analysis/alert published by LastPass to raise awareness of the ongoing campaign and to share IoCs that support detection and disruption efforts.
🔗 Original source: https://blog.lastpass.com/posts/attack-targeting-macs-via-github-pages