Researchers at Malwarebytes warn that a malvertising campaign is targeting Mac users with phony Microsoft Teams ads.
The ads are meant to trick users into installing Atomic Stealer, a commodity strain of malware designed to steal information from macOS systems.
“Based on our tracking, Microsoft Teams is once again a popular keyword threat actors are bidding on, and it is the first time we have seen it used by Atomic Stealer,” the researchers write. “Communication tools like Zoom, Webex, or Slack have been historically coveted by criminals who package them as fake installers laced with malware. This latest malvertising campaign was running for at least a few days and used advanced filtering techniques that made it harder to detect. Once we were able to reproduce a full malware delivery chain, we immediately reported the ad to Google.”
The ads are purchased on Google and appear to lead to Microsoft’s website. After clicking the link, however, the user is redirected to a malicious website called “teamsbusiness[.]com.”
“Once the downloaded file MicrosoftTeams_v.(xx).dmg is mounted, users are instructed to open it via a right click in order to bypass Apple’s built-in protection mechanism for unsigned installers,” Malwarebytes explains.
“We were able to reliably search for and see the same malicious ad for Microsoft Teams which was likely paid for by a compromised Google ad account. For a couple of days, we could not see any malicious behavior as the ad redirected straight to Microsoft’s website. After numerous attempts and tweaks, we finally saw a full attack chain. Despite showing the microsoft.com URL in the ad’s display URL, it has nothing to do with Microsoft at all. The advertiser is located in Hong Kong and runs close to a thousand unrelated ads.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Malwarebytes has the story.
