Google Ads being used to distribute Mac malware marketed as "Loom" apps

Crazy Evil malware
Experts have discovered macOS stealer malware disguised as the popular screen-recording application Loom, spread via misleading Google-sponsored URLs. Moonlock Lab uncovered the sophisticated macOS malware, disguised as Loom and orchestrated by the notorious Crazy Evil group. It uses misleading Google-sponsored URLs to trick users into installing harmful software.

Moonlock Lab began the investigation when it identified a Google advertisement promoting what appeared to be the official Loom application. The ad looked legitimate and encouraged users to click through to a trusted source. However, clicking the link redirected users to a site nearly identical to the official Loom website, hosted at smokecoffeeshop[.]com. There, users were asked to download a malicious file containing stealer malware, which they believed was Loom.

The campaign did not stop at Loom. The attackers had also created fake versions of other popular applications, including Figma, Tunnelblick (VPN), Callzy, and a suspiciously named file, BlackDesertPersonalContractforYouTubepartners[.]dmg.

A misleading Google-sponsored link

This last example suggests that a phishing attack is being conducted against YouTube content creators. This tactic was previously used to target Windows users but has now been adapted for macOS. In 2022, similar phishing emails were sent to Windows users. Mac users are also at risk, as attackers take advantage of the relationship between gaming companies (and content creators) and Mac users. Bloggers and content creators are lured with promises of lucrative contracts to promote games such as Black Desert Online on their platforms.

A malicious LedgerLive copy

One aspect of the campaign involves a stealer that replaces the legitimate LedgerLive application with a malicious copy. Cybercriminals target LedgerLive because it is widely used by cryptocurrency users. By replacing the original app with a malicious version, attackers can drain victims' cryptocurrency wallets. The malicious clone is designed to mimic the appearance and functionality of the legitimate app, making it hard for users to detect a compromise. Moonlock Lab's analysis of the infected files found strings containing "Ledger", confirming the malicious intent towards users' cryptocurrency assets. The stealer is a variant of AMOS and retains key features such as grabbing files, hardware data, passwords and browser data, and dumping keychain credentials.

Darknet recruitment and attribution

Crazy Evil has posted darknet recruitment ads asking individuals to join the team that uses this variant of macOS stealer. The recruitment announcement outlines benefits such as reliable protection and exploiting different formats for different victims.

The extent of the campaign

Interestingly, Moonlock Lab identified an IP address linked to a governmental entity with a high malware association and 93 files flagged as malware. The IP address was hosting macOS-related files for the campaign, which began on July 23, 2024.

Mac users can protect themselves by taking proactive steps. Double-check URLs before downloading files from any source, even seemingly trusted ones such as Google Ads and top search results. CleanMyMac with Moonlock Engine is a reliable anti-malware tool that can be used to scan your device regularly for malicious software. Keep your software updated to protect yourself from known vulnerabilities. To avoid phishing, be careful with emails that offer contracts or deals. Gatekeeper and XProtect are built-in macOS security tools that provide extra protection from malicious software; they are enabled by default.
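An app-swap like the LedgerLive replacement described above is something a defender can check for directly: a trojanized copy normally cannot carry the vendor's Developer ID signature, so the bundle's TeamIdentifier will differ from the one on a known-good install, or be missing entirely (ad-hoc or unsigned). The script below is an added example written for this article, not Moonlock Lab's or any vendor's code. It parses the report that macOS `codesign -dv --verbose=4` prints and compares it against an expected bundle identifier and Team ID; the identifiers, path and the two sample reports are constructed placeholders, and the real Team ID should be recorded from a trusted copy of the app.

```python
"""Check a macOS app bundle's code signature against a recorded signer.

Added example, not from the original article. The expected bundle
identifier and Team ID are placeholders: record them from a known-good
install of the app before relying on this check.
"""
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SignatureInfo:
    identifier: Optional[str] = None      # Identifier= line (bundle id)
    team_id: Optional[str] = None         # TeamIdentifier= line, None if "not set"
    authorities: list[str] = field(default_factory=list)  # Authority= chain


def parse_codesign_output(text: str) -> SignatureInfo:
    """Parse the key=value report printed by `codesign -dv --verbose=4`.

    codesign writes this report to stderr; the caller passes it in as text.
    """
    info = SignatureInfo()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            # Ad-hoc and unsigned bundles report "not set"
            info.team_id = None if value == "not set" else value
        elif key == "Authority":
            info.authorities.append(value)
    return info


def assess(info: SignatureInfo, expected_identifier: str,
           expected_team_id: str) -> list[str]:
    """Return findings; an empty list means the bundle matches the recorded signer."""
    findings = []
    if info.identifier != expected_identifier:
        findings.append(f"bundle identifier {info.identifier!r} != expected {expected_identifier!r}")
    if info.team_id is None:
        findings.append("unsigned or ad-hoc signed (no TeamIdentifier)")
    elif info.team_id != expected_team_id:
        findings.append(f"TeamIdentifier {info.team_id} != expected {expected_team_id}")
    if not any(a.startswith("Developer ID Application:") for a in info.authorities):
        findings.append("not signed with a Developer ID Application certificate")
    return findings


def inspect_bundle(path: str) -> Optional[SignatureInfo]:
    """Run codesign on a real bundle. Returns None where codesign is absent (non-macOS)."""
    if shutil.which("codesign") is None:
        return None
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    # codesign prints the report on stderr; an unsigned bundle yields no TeamIdentifier line.
    return parse_codesign_output(proc.stderr + proc.stdout)


# Constructed sample reports (placeholder vendor, not real codesign output for any product).
EXPECTED_ID = "com.example.wallet"        # placeholder bundle identifier
EXPECTED_TEAM = "ABCDE12345"              # placeholder Team ID

GOOD_REPORT = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Vendor Inc (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

SWAPPED_REPORT = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.wallet
Format=app bundle with Mach-O thin (x86_64)
Signature=adhoc
TeamIdentifier=not set
"""


if __name__ == "__main__":
    for label, report in (("known-good", GOOD_REPORT), ("swapped", SWAPPED_REPORT)):
        findings = assess(parse_codesign_output(report), EXPECTED_ID, EXPECTED_TEAM)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
    live = inspect_bundle("/Applications/Example.app")   # placeholder path
    if live is not None:
        print("live bundle:", assess(live, EXPECTED_ID, EXPECTED_TEAM) or "OK")
```

Running the script on the constructed reports flags the ad-hoc signed copy on two counts (no TeamIdentifier, no Developer ID Application authority) while the known-good report passes cleanly. Note that a Team ID check only tells you the bundle was signed by the expected developer account; it complements Gatekeeper's assessment rather than replacing it, and a stealer that leaves the original bundle in place while adding a launch agent would not be caught by this check.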
