This dangerous new Mac malware is being spread by Google Ads

AMOS is making rounds, spread by Google Ads

Hackers are running malicious Google Ads campaigns targeting victims interested in the new Arc browser, with the aim of installing information-stealing malware on their Mac devices.

Cybersecurity researchers from Malwarebytes spotted a new campaign on the Google Ads network, seemingly promoting the new (and quite popular) Arc browser.

The campaign belongs to ‘Coles & Co’ and is linking to the domain name archost[.]org. However, people who click on the link are redirected to arc-download[.]com, a completely fraudulent site offering Arc for Mac only.

PR move

On the surface, the downloaded DMG file behaves just as a legitimate file would, except for the right-click to open trick which bypasses security protections.

What the victims actually end up with is Poseidon, a variant of Atomic Stealer (AMOS), a known infostealer capable of extracting all kinds of information from the target devices, from sensitive files, to cryptocurrency wallet data, to stored passwords, to browser data.

There seems to be plenty of code overlap between AMOS and Poseidon, but its creator - a person with the alias Rodrigo4 - said they needed a unique brand to be better recognized in the underground community.

“In simple words, people didn’t know who we were,” the developer said in a recent post.

Since the Google Ads network can show ads at the top of search engine results pages, being able to push malware through it dramatically increases the chances of success.

To run a malvertising campaign, threat actors steal people’s Google business accounts that are verified for running advertising campaigns and have a linked credit card for payments. Then, they create an ad campaign which promotes fraudulent websites at the top of search engine results pages. Recently, cybersecurity experts started warning users to be careful when searching for things, and to type in known addresses instead of simply googling them.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
