ClearFake malware campaign targets Mac users via fake browser updates

A new malware campaign has been observed delivering the macOS information stealer known as Atomic Stealer (aka AMOS) through a fake browser update chain tracked as “ClearFake”.

First discovered in August, the ClearFake social engineering campaign has gone through several upgrades, including the use of smart contracts to build its redirect mechanism. In September, researchers observed the campaign delivering Atomic Stealer via malicious ads.

“This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system,” Malwarebytes’ threat analyst Jérôme Segura noted in a blog post.

In the most recent campaign, clicking on a malicious link in phishing emails or on social media posts leads unsuspecting Mac users to a webpage impersonating Apple’s official download portal for Safari or a fake portal for Google’s browser.

Upon clicking the “Download” button, a DMG file claiming to be a browser update is downloaded onto the machine. Victims are instructed how to open the file, which immediately runs commands after prompting for the administrative password.

Once the password is entered, Atomic Stealer gains full access to the victim’s Mac. It then proceeds to collect browsing data, cookies, passwords, credit card numbers and other sensitive data and sends it back to the threat actors behind ClearFake.

“Fake browser updates have been a common theme for Windows users for years, and yet up until now the threat actors didn’t expand onto MacOS in a consistent way. The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments.

Because ClearFake has become one of the main social engineering campaigns recently, Mac users should pay particular attention to it,” Malwarebytes said.
