A malvertising campaign targets macOS users with a fake Microsoft Teams installer, delivering Atomic Stealer. The attack uses a multi-stage chain with profiling, cloaking domains, and a decoy site to exfiltrate data from infected systems. #AtomicStealer #voipfaqs #teamsbusiness #locallyhyped #MicrosoftTeams #Poseidon #OSXRodStealer
Keypoints
- Malvertising campaign lures Mac users with a fraudulent Microsoft Teams installer.
- Ad traffic may be paid for by a compromised Google ad account and can redirect through legitimate-looking pages before delivering malware.
- The malicious chain uses smart profiling and cloaking domains to separate redirects from the final malicious landing page.
- The cloaking domain is voipfaqs.com and the decoy site is teamsbusiness.org.
- The payload is hosted on locallyhyped.com and delivered as MicrosoftTeams_v.(xx).dmg; users are instructed to bypass the platform's protections by right-clicking the installer to open it.
- Post-install, Atomic Stealer exfiltrates data via a single encoded POST to 147.45.43.136.
MITRE Techniques
- [T1189] Drive-by Compromise: Malvertising redirects visitors to a decoy page and delivers a unique payload to each visitor. "Each click is first profiled (smart[.]link) to ensure only real people (not bots, VPNs) proceed, followed by a cloaking domain (voipfaqs[.]com) separating the initial redirect from the malicious landing (decoy) page (teamsbusiness[.]org)."
- [T1036] Masquerading: The display URL shows microsoft.com, but "it has nothing to do with Microsoft at all."
- [T1204] User Execution: The user is instructed to "enter your password and grant access to the file system."
- [T1555.003] Credentials in OS Credential Store (Keychain): The malware aims "to grab keychain passwords and important files."
- [T1041] Exfiltration Over C2 Channel: Data is exfiltrated via a single POST to "147.45.43[.]136" with the content encoded.
Indicators of Compromise
- [Domain] voipfaqs.com: cloaking domain used to separate the initial redirect from the landing page
- [Domain] teamsbusiness.org: decoy site
- [URL] locallyhyped.com/kurkum/script_66902619887998[.]92077775[.]php: download URL
- [File name] MicrosoftTeams_v.(xx).dmg: downloaded installer payload
- [File hash] 7120703c25575607c396391964814c0bd10811db47957750e11b97b9f3c36b5d: Atomic Stealer payload
- [IP] 147.45.43.136: command and control server
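The indicators above are most useful when they are run against proxy and endpoint telemetry, so here is an added example (not code from the original write-up or from any vendor) that sweeps constructed log lines for the listed domains, C2 address, payload hash and installer file name, and tags each hit with the MITRE technique the write-up maps it to. The log format, the host names, the `1.7` version in the installer name and the regex used for the `(xx)` placeholder are all assumptions made for the example; the indicator values themselves are copied from the list above.

```python
"""Sweep constructed proxy/EDR log lines for the IOCs of the fake Teams campaign."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators copied from the Indicators of Compromise list above.
IOC_DOMAINS = {"voipfaqs.com", "teamsbusiness.org", "locallyhyped.com"}
IOC_IPS = {"147.45.43.136"}
IOC_SHA256 = {"7120703c25575607c396391964814c0bd10811db47957750e11b97b9f3c36b5d"}
# The write-up gives the installer name as MicrosoftTeams_v.(xx).dmg; treating
# "(xx)" as an arbitrary version string is an assumption, hence this pattern.
PAYLOAD_NAME_RE = re.compile(r"\bMicrosoftTeams_v\.[\w.]+?\.dmg\b", re.IGNORECASE)

HOST_RE = re.compile(r"(?:https?://)?\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
POST_RE = re.compile(r"\bPOST\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str   # domain / ip / sha256 / filename
    value: str
    technique: str  # MITRE technique from the list above
    detail: str = ""


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return every IOC match on one log line, de-duplicated and in match order."""
    hits: list[Hit] = []
    # Domains: match the host exactly or any subdomain of it (redirect chain, T1189).
    for host in HOST_RE.findall(line):
        host = host.lower()
        for dom in IOC_DOMAINS:
            if host == dom or host.endswith("." + dom):
                hits.append(Hit(line_no, "domain", dom, "T1189"))
    # C2 address: a POST is the single exfiltration request the write-up describes (T1041);
    # any other contact with the address is still flagged, just labelled differently.
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            detail = "POST to C2" if POST_RE.search(line) else "contact with C2 (no POST seen)"
            hits.append(Hit(line_no, "ip", ip, "T1041", detail))
    # Payload hash and installer name: the file the user is talked into opening (T1204).
    for sha in SHA256_RE.findall(line):
        if sha.lower() in IOC_SHA256:
            hits.append(Hit(line_no, "sha256", sha.lower(), "T1204"))
    name = PAYLOAD_NAME_RE.search(line)
    if name:
        hits.append(Hit(line_no, "filename", name.group(0), "T1204"))
    return list(dict.fromkeys(hits))


def scan_log(lines: list[str]) -> list[Hit]:
    """Scan a whole log (one entry per element) and collect hits in line order."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample: a proxy access log interleaved with one EDR file event.
# The smart.link and microsoft.com lines are deliberate non-indicators.
SAMPLE_LOG = [
    "2025-01-10T09:12:01Z 10.0.0.5 GET https://smart.link/abc 302",
    "2025-01-10T09:12:02Z 10.0.0.5 GET https://voipfaqs.com/go?id=1 302",
    "2025-01-10T09:12:03Z 10.0.0.5 GET https://teamsbusiness.org/ 200",
    "2025-01-10T09:12:40Z 10.0.0.5 GET https://locallyhyped.com/kurkum/script_66902619887998.92077775.php 200",
    "2025-01-10T09:13:05Z edr host=mac-17 event=file_create "
    "path=/Users/jdoe/Downloads/MicrosoftTeams_v.1.7.dmg "
    "sha256=7120703c25575607c396391964814c0bd10811db47957750e11b97b9f3c36b5d",
    "2025-01-10T09:15:22Z 10.0.0.5 POST http://147.45.43.136/ 200",
    "2025-01-10T09:16:00Z 10.0.0.5 GET https://www.microsoft.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: [{hit.technique}] {hit.ioc_type}={hit.value} {hit.detail}")
```

Run as-is, the sweep reports the two redirect-chain domains, the download host, the installer hash and file name on the EDR event, and the POST to the C2 address, while the smart.link profiling hop and the genuine microsoft.com request produce nothing. Matching a subdomain of a listed domain (rather than only the exact host) is a deliberate choice for indicators of this kind, since the same cloaking infrastructure is often reused under new host labels.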