Atomic Stealer Malware Now Targets Mac Users Through Fake Browser Updates

Atomic Stealer, also known as AMOS, is a popular stealer for macOS. In September, security researchers from Malwarebytes described how malicious ads were tricking victims into downloading this malware disguised as a popular application.

Now AMOS is being delivered to Mac users through a fake browser update chain tracked as ‘ClearFake’. Initially a tactic used primarily against Windows users, ClearFake has extended its reach to macOS. This may well be the first time one of the major social engineering campaigns, previously reserved for Windows, has branched out not only geographically but also across operating systems.

ClearFake operates by leveraging compromised websites to distribute phony browser updates. Discovered by Randy McEoin in August, this campaign has undergone several enhancements, including the adoption of smart contracts for its redirect mechanism. It has quickly become one of the most prevalent and dangerous social engineering schemes.

On November 17, security researcher Ankit Anubhav noted that Mac users were now being targeted by ClearFake with a tailored payload. This payload, a DMG file posing as a Safari or Chrome update, is crafted to deceive Mac users. Once the file is opened and administrative permissions are granted, it executes commands that enable the theft of passwords and files.

ClearFake employs a high level of deception, using templates that mimic official websites. For Safari, the template closely resembles Apple’s official site, available in various languages. For Google Chrome users on Mac, the template is akin to the one used for Windows users, maintaining a consistent deceptive appearance.


An analysis of the malicious application reveals strings that indicate its capabilities, including password and file grabbing. Additionally, the malware’s command and control server, where the stolen data is sent, can be identified within the same file.
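The paragraph above notes that printable strings inside the application reveal its capabilities and its command-and-control server. As an added illustration, not code from the article or from Malwarebytes, the Python script below performs that kind of first-pass triage: it pulls printable ASCII runs out of a byte blob the way `strings` would, groups them by the behaviour they hint at (credential theft, file grabbing) and lists embedded URLs. The byte sample, the indicator lists and the `.invalid` C2 placeholder are all constructed for this example and are not indicators from the real malware.

```python
import re
from typing import Dict, List

# Constructed sample "binary": ASCII strings embedded among non-printable
# bytes. It is NOT the real AMOS payload; the URL uses the reserved
# .invalid TLD as a placeholder rather than any real C2 address.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"       # Mach-O 64-bit magic plus junk
    b"__TEXT\x00__cstring\x00"                # section names: noise, not indicators
    b"/Library/Keychains/login.keychain-db\x00\x13\x02"
    b"Google/Chrome/Default/Login Data\x00"
    b"http://c2-placeholder.invalid/sendlog\x00\x00\x9a"
    b"Documents/*.txt\x00"
    b"ab\x00"                                 # too short to count as a string
)

MIN_LEN = 4

# Capability indicators grouped by the behaviour they hint at. These are
# generic triage heuristics chosen for the example, not signatures from
# the article.
INDICATORS: Dict[str, List[str]] = {
    "credential_theft": ["keychain", "login data", "password"],
    "file_grabbing": ["documents/", "desktop/", "*.txt"],
}

URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w./\-]*)?")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII runs of at least min_len chars, like `strings`."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [r.decode("ascii") for r in runs]


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Map each capability category to the strings that matched it."""
    hits: Dict[str, List[str]] = {k: [] for k in INDICATORS}
    for s in strings:
        low = s.lower()
        for category, needles in INDICATORS.items():
            if any(n in low for n in needles):
                hits[category].append(s)
    return hits


def find_urls(data: bytes) -> List[str]:
    """Pull out embedded URLs; in a stealer these often point at the C2 server."""
    return [m.decode("ascii") for m in URL_RE.findall(data)]


def triage(data: bytes) -> Dict[str, object]:
    """Combine string extraction, capability tagging and URL discovery."""
    strings = extract_strings(data)
    return {
        "strings": strings,
        "capabilities": classify(strings),
        "urls": find_urls(data),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BINARY)
    for category, matched in report["capabilities"].items():
        print(f"{category}: {matched}")
    print("urls:", report["urls"])
```

Run on a real sample, `triage(open(path, "rb").read())` gives an analyst a quick list of paths, credential stores and network endpoints worth confirming in a sandbox; the section-name noise in the sample shows why the indicator lists, not the raw string dump, carry the signal.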

Historically, fake browser updates have predominantly been a threat to Windows users. However, the popularity of stealers like AMOS has made it more feasible for threat actors to adapt payloads to other operating systems, including macOS. This shift signals an expansion of the threat landscape for Mac users, who may previously have considered their systems less susceptible to such attacks.

Given the rise of ClearFake as a primary social engineering campaign, Mac users are advised to exercise increased vigilance. Malwarebytes recommends the use of web protection tools to block the malicious infrastructure associated with this threat actor. As the tactics of cybercriminals evolve, staying informed and employing robust cybersecurity measures are key to safeguarding against such sophisticated threats.