
ClearFake campaign spreads macOS AMOS information stealer


Threat actors spread Atomic Stealer (AMOS) macOS information stealer via a bogus web browser update as part of the ClearFake campaign.

Atomic Stealer (AMOS) macOS information stealer is now being delivered via a fake browser update chain tracked as ClearFake, Malwarebytes researchers warn.

The malware focuses on macOS, designed to pilfer sensitive information from the compromised systems.

Researchers noted that the authors continually enhance the Atomic Stealer.

The Atomic macOS Stealer lets operators steal diverse information from infected machines. This includes Keychain passwords, system details, desktop files, and macOS passwords.

The malware is able to steal data from multiple browsers, including auto-fills, passwords, cookies, wallets, and credit card information. AMOS can target multiple cryptowallets such as Electrum, Binance, Exodus, Atomic, and Coinomi.

In the ClearFake campaign, threat actors rely on a growing list of compromised websites to reach a wider audience.

“ClearFake is a newer malware campaign that leverages compromised websites to distribute fake browser updates. It was originally discovered by Randy McEoin in August and has since gone through a number of upgrades, including the use of smart contracts to build its redirect mechanism, making it one of the most prevalent and dangerous social engineering schemes.” reads the analysis published by Malwarebytes. “On November 17, security researcher Ankit Anubhav observed that ClearFake was distributed to Mac users as well with a corresponding payload.”

On November 17, security researcher Ankit Anubhav first noticed that the Clearfake campaign was also distributing Mac malware.

Threat actors used websites mimicking the official Apple Safari page and the Chrome page.


Upon clicking the “update [browser]” button, victims receive a DMG file that claims to be a Safari or Chrome update.

The instructions guide victims to open the file. Once opened, it prompts for the administrator password and immediately executes commands.

Experts were able to find the malware’s command and control server by analyzing the code of the payload.

“Fake browser updates have been a common theme for Windows users for years, and yet up until now the threat actors didn’t expand onto MacOS in a consistent way. The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments.” concludes the report. “Because ClearFake has become one of the main social engineering campaigns recently, Mac users should pay particular attention to it.”


Pierluigi Paganini

(SecurityAffairs – hacking, Atomic Stealer (AMOS))