Overview

A sophisticated malvertising campaign is targeting Mac and Linux users through compromised Google Ads that lead to a legitimate-looking copy of the Homebrew package manager site. The campaign deploys AmosStealer, malware offered at $1,000/month subscription rates, to steal credentials, browser data, and cryptocurrency wallets.

Whom it may concern

  • DevOps and System Administrators
  • Mac and Linux users
  • Package management system operators
  • Cryptocurrency wallet holders

Key Findings

  1. Malicious ads mimic the legitimate 'brew.sh' URL using the lookalike 'brewe.sh' domain
  2. AmosStealer targets 50+ cryptocurrency extensions
  3. Google has removed the identified malicious ads, but the campaign likely continues
  4. The project itself has limited ability to prevent this because of ad platform constraints

Risk Analysis

  • Probability: High (8/10)
  • Impact: Severe
  • Attack Vector: Social Engineering via trusted source impersonation
  • Asset Exposure: Credentials, Financial Data, Crypto Assets
  • Detection Rate: Medium to High due to URL discrepancy

Action Items

  1. Implement URL verification procedures before software installation
  2. Bookmark official project websites for regular access
  3. Disable auto-click on search results
  4. Deploy endpoint protection with URL filtering
  5. Implement 2FA on all cryptocurrency wallets
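One way to implement the URL verification step above, as an added example that is not part of the original advisory: classify a download URL against a short allowlist of official hosts and flag near-miss lookalikes such as the 'brewe.sh' domain used in this campaign. The allowlist contents, the edit-distance threshold and the sample URLs are assumptions constructed for the example.

```python
"""Added example: flag lookalike download hosts before running an installer.

Not code from the advisory or from Homebrew. TRUSTED_HOSTS is an assumed
allowlist; brew.sh is the only host named in the advisory.
"""
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"brew.sh"}  # assumed allowlist of official project hosts


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED_HOSTS, max_dist: int = 1) -> str:
    """Return one of: trusted, insecure, lookalike, unknown.

    trusted   -> https and the host is an allowlisted host or a subdomain of one
    insecure  -> allowlisted host, but not served over https
    lookalike -> host is within max_dist edits of an allowlisted host, or uses
                 an allowlisted host as a leading label (brew.sh.attacker.example)
    unknown   -> anything else; treat as untrusted until reviewed
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return "unknown"
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted" if parts.scheme == "https" else "insecure"
    for t in trusted:
        if host.startswith(t + ".") or edit_distance(host, t) <= max_dist:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, including the lookalike named in the advisory.
    for sample in ("https://brew.sh/", "https://brewe.sh/",
                   "https://brew.sh.attacker.example/", "http://brew.sh/"):
        print(f"{classify_url(sample):9s} {sample}")
```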

Sources

  • [Bleeping Computer](https://www.bleepingcomputer.com/news/security/fake-homebrew-google-ads-target-mac-users-with-malware/)