Hackers have expanded the social engineering campaign known as ClearFake [3], previously aimed at Windows systems, to target macOS as well. The campaign places malicious ads on Google that lead to landing pages impersonating major tech brands [7]; victims who visit these pages may mistake them for legitimate sites and unknowingly download malware [7]. The attackers also compromise websites and inject pop-ups that mimic browser update prompts [7], convincing users to "update" their browsers [7]. Once the victim runs the downloaded program [7], the malware steals sensitive data such as passwords [7], user information [7] [8], and cryptocurrency wallets [2]. The fake browser updates are used to distribute an information stealer called Atomic Stealer [8], built specifically for macOS [6].

Description

A social engineering campaign called ClearFake, previously focused on Windows systems, has expanded to target macOS systems. The operators create malicious Google ads promoting landing pages that impersonate major tech brands [7]. Victims who visit these pages may mistake them for legitimate ones and unknowingly download the malware [7]. The operators also compromise websites and inject pop-ups that mimic browser update prompts [7], convincing users to "update" their browsers [7]. Once the victim runs the program [7], the malware steals passwords [7], browser autofill data [7], user information [7] [8], cryptocurrency wallets [2] [7], browser cookies [7], and keychain data [7]. The fake browser updates are used to distribute an information stealer known as Atomic Stealer [8], also referred to as AMOS. Atomic Stealer is commercial malware built specifically for macOS that steals data from web browsers and cryptocurrency wallets; Mac users are being tricked into downloading it through these fake updates [6].

In September 2023 [2], a campaign was discovered that tricked macOS users searching for a financial charting platform into downloading the malware through malicious Google ads [2]. The malware had been spotted earlier in 2023 on a Telegram channel, where it is sold for $1,000 per month. Criminals have distributed it through various methods [8], including installers for popular apps and cracked versions of Microsoft Office [8]. The operators are now using compromised websites to spread the malware as a DMG disk image and have recently added fake browser update notifications [6], using forged update templates for both Safari and Google Chrome [6]. According to the reporting, this is the first time a fake-browser-update scam of this kind has moved from Windows to macOS [8].

The malware collects the user's data and sends it to an attacker-controlled command and control server [5]. ClearFake is an actively updated social engineering scheme that uses blockchain smart contracts to host the code it injects into compromised sites. The expansion of fake browser updates onto macOS is a significant development and highlights the continued use of fake installer files and malicious advertisements to spread stealer malware. Malwarebytes' analysis further emphasizes the significance of this development [1].

Conclusion

The expansion of the ClearFake social engineering campaign to macOS is a significant development. It shows how readily attackers adapt a working lure to a new platform. To protect against this threat, users should update their browsers only through official channels (the browser's built-in updater or the vendor's own site, or macOS Software Update in Safari's case) and never from a pop-up on an unrelated website [3]. Antivirus software can provide additional protection [3]. Mac users need to be aware that they are not immune to malware and should take precautions to safeguard their devices. The emergence of the Atomic macOS Stealer (AMOS) as a growing threat underscores the need for continued vigilance: it targets Apple users and is distributed through various means [5], including cracked software downloads and impersonation of legitimate websites [4]. Fake browser updates are a particularly concerning tactic because the prompt looks routine and easily deceives unsuspecting users. Individuals and organizations should stay informed about such threats and apply security measures that mitigate them.
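The delivery method described above (a browser "update" that is really a DMG from a compromised or attacker-controlled site) and the advice to update only through official channels can be turned into a simple download-screening rule. The following is an added example, not code from the article or from any of the cited vendors: it takes download records (URL plus filename, as a web proxy or EDR would log them) and flags any file that looks like a Chrome or Safari installer but was not fetched from the vendor's own host. The allowlisted hostnames and the sample events are assumptions constructed for illustration, not indicators published by the reporting.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of official download hosts per browser. These hostnames are
# an assumption of this example, not taken from the article; adjust to policy.
OFFICIAL_HOSTS = {
    "chrome": ("dl.google.com", "google.com"),
    "safari": ("apple.com",),
}

# Installer-style file types; the macOS campaign used DMG disk images.
INSTALLER_EXT = (".dmg", ".pkg", ".zip", ".exe", ".msi")
BROWSER_RE = re.compile(r"chrome|safari", re.IGNORECASE)


def _host_allowed(host: str, allowed: tuple) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def classify_download(url: str, filename: str):
    """Classify one download event.

    Returns None when the file does not look like a browser installer,
    otherwise (browser, verdict) where verdict is "official" if the file
    came from an allowlisted vendor host and "suspicious" otherwise.
    """
    if not filename.lower().endswith(INSTALLER_EXT):
        return None
    m = BROWSER_RE.search(filename)
    if not m:
        return None
    browser = m.group(0).lower()
    host = urlparse(url).hostname or ""
    if _host_allowed(host, OFFICIAL_HOSTS[browser]):
        return (browser, "official")
    # A browser installer served from any other host is exactly the lure the
    # fake-update campaign relies on, so it goes to an analyst for review.
    return (browser, "suspicious")


# Constructed sample download records (not real indicators of compromise).
SAMPLE_EVENTS = [
    ("https://dl.google.com/chrome/mac/universal/stable/GGRO/googlechrome.dmg",
     "googlechrome.dmg"),
    ("https://compromised-blog.example/wp-content/ChromeUpdate.dmg",
     "ChromeUpdate.dmg"),
    ("https://another-site.example/dl/Safari_Update.dmg",
     "Safari_Update.dmg"),
    ("https://files.example/quarterly-report.pdf",
     "quarterly-report.pdf"),
]


def suspicious_downloads(events=SAMPLE_EVENTS):
    """Return (url, browser) pairs that should be reviewed as possible lures."""
    flagged = []
    for url, filename in events:
        result = classify_download(url, filename)
        if result and result[1] == "suspicious":
            flagged.append((url, result[0]))
    return flagged


if __name__ == "__main__":
    for url, browser in suspicious_downloads():
        print(f"review: {browser} installer from non-vendor host: {url}")
```

The rule deliberately keys on the filename rather than on page content, because the injected prompt itself is easy for the attacker to vary while the payload still has to arrive as an installer the victim can open. It is a heuristic, not a verdict: an allowlisted host only means the download came from the vendor, and a flagged one still needs the usual triage (signature and notarization check, hash lookup) before any response action.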

References

[1] https://cert.bournemouth.ac.uk/clearfake-campaign-expands-to-target-mac-systems-with-atomic-stealer/
[2] https://owasp.or.id/2023/11/22/clearfake-campaign-expands-to-deliver-atomic-stealer-on-macs-systems/
[3] https://news.yahoo.com/hackers-now-spreading-mac-malware-001815770.html
[4] https://www.mactech.com/2023/11/22/heres-how-to-avoid-the-threat-of-the-updated-atomic-macos-stealer/
[5] https://www.techrepublic.com/article/atomic-stealer-clearfake-mac-false-browser-download/
[6] https://heimdalsecurity.com/blog/atomic-stealer-malware/
[7] https://www.techradar.com/pro/security/mac-users-are-being-targeted-with-fake-browser-updates-that-spread-malware
[8] https://www.darkreading.com/attacks-breaches/threat-actor-using-fake-browser-updates-to-distribute-mac-infostealer