Security researchers have recently discovered an updated version of a well-known macOS information stealer called Atomic Stealer, also known as AMOS [2]. This new version incorporates payload encryption as a means of bypassing detection rules. Atomic Stealer first appeared in April 2023 and is now being distributed to Mac users through a deceptive browser update chain called ‘ClearFake’. The campaign relies on social engineering to target Mac users and steal their credentials and files of interest.

Description

The developers of Atomic Stealer have introduced payload encryption to evade detection rules [1]. The malware is now being delivered to Mac users through a deceptive browser update chain known as ‘ClearFake’. ClearFake uses compromised websites to distribute fake browser updates [2], often posing as updates for popular browsers such as Safari or Chrome. Once run, the stealer prompts the victim for their administrative password; with that access, the stolen data is collected and sent to a command and control server. Mac users are advised to treat unexpected browser update prompts with caution and to use web protection tools that block the malicious infrastructure associated with ClearFake. Downloading software exclusively from trusted sources, such as the vendor's own site or the App Store, remains the most effective way to avoid this type of threat. Users of Malwarebytes are protected against Atomic Stealer [2].

Conclusion

The discovery of an updated version of Atomic Stealer, also known as AMOS [2], highlights the ongoing efforts of cybercriminals to target Mac users. By combining payload encryption with a deceptive browser update chain called ClearFake, the attackers bypass detection rules and steal sensitive information. Mac users should remain vigilant and take precautions such as using web protection tools and downloading software exclusively from trusted sources. The continued development of this malware underscores the need for ongoing research and innovation in cybersecurity to protect users from evolving threats.

References

[1] https://thehackernews.com/2024/01/atomic-stealer-gets-upgrade-targeting.html
[2] https://www.redpacketsecurity.com/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates-5/