Hackers often mimic popular tools like Microsoft Teams to exploit people’s trust and familiarity with these applications.
This strategy increases the probability of users’ subsequent downloading and installation of this malicious software, consequently permitting attackers to access systems, steal critical information, and launch other attacks without being detected immediately.
Cybersecurity researchers at MalwareBytes recently discovered fake Microsoft Teams that deliver macOS malware.
Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files
Fake macOS Malware
The Atomic Stealer malware, disguised as a Microsoft Teams ad, is the latest malvertising campaign aimed at Mac users. It comes just after the recent appearance of the Poseidon (OSX.RodStealer) threat, which used similar strategies.
It lasted for several days and involved several sophisticated filter methods to avoid detection.
Although the advertisement displays Microsoft[.]com, it does not concern Microsoft, and it comes from an advertiser based in Hong Kong who has many unconnected ads.
This indicates the continuing rivalry among MacOS stealers and their use of popular communication tools to spread malware.
Users are targeted by a crafty Microsoft Teams ad that has a complicated attack chain with user profiling, cloaking, and a decoy page. The victim is then tricked into downloading a specifically created malware that appears to be Teams.
The installation process mandates human intervention to get through Apple’s defenses. Atomic Stealer uses this breach to enter the file system and steal keychain passwords.
The data loss happens in one encoded POST request sent to the remote server without being noticed by the user.
Malwarebytes report states that threat actors’ distribution campaigns are becoming more intense, which increases the risks associated with downloading apps through search engines.
Similarly, users are exposed to malvertising in sponsored results and SEO poisoning on hacked sites.
Consequently, it is advisable to use browser protection tools to prevent advertisements and malicious websites from appearing, as this may prevent redirections to harmful installers even before any downloads happen.
IoCs (Indicators of Compromise)
Cloaking domain:-
Decoy site:-
Download URL:-
- locallyhyped[.]com/kurkum/script_66902619887998[.]92077775[.]PHP
Atomic Stealer payload:-
- 7120703c25575607c396391964814c0bd10811db47957750e11b97b9f3c36b5d
Atomic Stealer C2:-
“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo