Hackers are running malicious Google Ads campaigns targeting victims interested in the new Arc browser, with the goal of installing information-stealing malware on their Mac devices.
Cybersecurity researchers at Malwarebytes have detected a new campaign on the Google Ads network, apparently promoting the new (and quite popular) Arc browser.
The campaign belongs to 'Coles & Co' and is linked to the domain name archhost[.]org. However, people who click on the link are redirected to arc-download[.]com, a completely fraudulent site that offers Arc only for Mac.
At first glance, the downloaded DMG looks like a legitimate installer. The giveaway is the instruction to right-click the app and choose Open: that trick lets the user launch an unsigned or non-notarized app that Gatekeeper would otherwise refuse to run, so the "protection" is bypassed by the victim's own hand.
What victims actually end up with is Poseidon, a variant of Atomic Stealer (AMOS), a well-known information stealer capable of extracting all kinds of information from target devices, from sensitive files to cryptocurrency wallet data, stored passwords, and browser data.
There seems to be a lot of code overlap between AMOS and Poseidon, but their creator, a person with the alias Rodrigo4, said they needed a unique brand to be better recognized in the underground community.
“Simply put, people didn't know who we were,” the developer said in a recent post.
Because Google Ads can appear above the organic results on a search results page, a sponsored link pointing at a malicious download greatly increases the odds that a victim clicks it before reaching the real vendor site.
To run such a malvertising campaign, threat actors hijack Google Ads accounts belonging to legitimate businesses, which are already verified as advertisers and have a payment card attached. They then create an ad campaign that pushes their fraudulent website to the top of the search results. Security researchers have recently been advising users to be careful when searching for software and to type the vendor's known address directly instead of relying on whatever Google lists first.