Atomic Stealer malware strikes macOS via fake browser updates


macOS in a storm

The 'ClearFake' fake browser update campaign has spread to macOS, targeting Apple computers with the Atomic Stealer (AMOS) malware.

The ClearFake campaign started in July this year, targeting Windows users with fake Chrome update prompts that appear on compromised sites via JavaScript injections.

In October 2023, Guardio Labs discovered a significant development in the malicious operation, which leveraged Binance Smart Chain contracts to hide the malicious scripts supporting the infection chain on the blockchain.

Via this technique, dubbed "EtherHiding," the operators distributed Windows-targeting payloads, including information-stealing malware like RedLine, Amadey, and Lumma.

Expanding to macOS

On November 17, 2023, threat analyst Ankit Anubhav reported that ClearFake had started pushing DMG payloads to macOS users visiting compromised websites.

A Malwarebytes report from earlier this week confirms this development, reporting that these attacks employ a Safari update lure alongside the standard Chrome overlay.

Fake update overlay targeting macOS users
Source: Malwarebytes

The payload dropped in these cases is Atomic, an info-stealing malware sold to cybercriminals via Telegram channels for $1,000/month.

Atomic Stealer disguised as a Safari update
Source: Malwarebytes

Atomic was discovered in April 2023 by Trellix and Cyble, who reported that it attempts to steal passwords, cookies, and credit cards stored in browsers, local files, data from over 50 cryptocurrency extensions, and keychain passwords.

The keychain is macOS' built-in password manager that holds WiFi passwords, website logins, credit card data, and other encrypted information, so its compromise can result in a significant breach for the victim.

Malwarebytes' analysis of the payload's strings reveals a series of commands for extracting sensitive data like passwords and for targeting document files, images, crypto wallet files, and keys.

String of commands in Atomic's code
Source: Malwarebytes

The ClearFake campaign now targeting Macs is a reminder for Apple users to strengthen their security and be careful with downloads, especially prompts to update your browser when visiting websites.

Even several months after the discovery of and reports on Atomic, the payload is undetected by roughly 50% of AV engines on VirusTotal.

Furthermore, all Safari browser updates are distributed through macOS's Software Update, or, for other browsers, within the browser itself.

Therefore, any prompt to download a browser update from a website should be ignored.
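For help-desk or incident-response use, the two checks above (a Safari "update" never ships as a disk image, and a genuine installer carries a notarized Developer ID signature) can be automated. The script below is an added example written for this page; it is not code from Malwarebytes or from the article. It wraps Apple's `spctl` Gatekeeper assessment and reduces its output to a verdict. The exact `accepted`/`rejected` and `source=` wording it parses is what `spctl --assess -vv` prints in practice, but treat that format as an assumption; the `spctl` call only works on macOS, while the parsing and naming checks run anywhere.

```python
"""Triage a downloaded macOS disk image or app bundle (added example)."""
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Optional


@dataclass
class Verdict:
    accepted: bool   # Gatekeeper would allow the item
    source: str      # spctl's "source=" line, e.g. "Notarized Developer ID"
    origin: str      # spctl's "origin=" line (signer identity), if any
    reason: str      # one-line summary for the analyst


def safari_update_dmg_is_lure(filename: str) -> bool:
    """Safari is only updated via macOS Software Update, so any downloaded
    disk image or package presenting itself as a Safari update is a lure."""
    name = filename.lower()
    return "safari" in name and name.endswith((".dmg", ".pkg"))


def parse_spctl_output(text: str) -> Verdict:
    """Reduce `spctl --assess -vv` output to a Verdict.

    Assumed format: one line "<path>: accepted" or "<path>: rejected",
    then "source=..." and, for signed items, "origin=...".
    """
    accepted = False
    source = ""
    origin = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(": accepted"):
            accepted = True
        elif line.endswith(": rejected"):
            accepted = False
        elif line.startswith("source="):
            source = line[len("source="):]
        elif line.startswith("origin="):
            origin = line[len("origin="):]
    if not accepted:
        reason = "Gatekeeper rejects this item (%s); do not open it" % (source or "unknown")
    elif "Notarized" not in source:
        reason = "accepted but not notarized (%s); treat with suspicion" % source
    else:
        reason = "notarized Developer ID item signed by %s" % origin
    return Verdict(accepted, source, origin, reason)


def assess_download(path: Path) -> Optional[Verdict]:
    """Run Gatekeeper's assessment on a .dmg or .app (macOS only).

    Returns None when spctl is unavailable (e.g. on a non-macOS host).
    A Safari-branded disk image is flagged before any signature check.
    """
    if safari_update_dmg_is_lure(path.name):
        return Verdict(False, "", "", "Safari updates never arrive as a download; this is a lure")
    if path.suffix == ".dmg":
        cmd = ["spctl", "--assess", "--type", "open",
               "--context", "context:primary-signature", "-vv", str(path)]
    else:
        cmd = ["spctl", "--assess", "--type", "execute", "-vv", str(path)]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    # spctl writes its verbose assessment to stderr; rejected items exit non-zero.
    return parse_spctl_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        verdict = assess_download(Path(arg))
        print(arg, "->", verdict.reason if verdict else "spctl not available on this host")
```

Run it as `python3 triage.py ~/Downloads/suspicious.dmg`; a rejected or un-notarized item that was offered by a web page as a "browser update" matches exactly the lure the article describes, and the item should be deleted rather than opened with a right-click bypass.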