Atomic Stealer Sends Macs Malware By means of False Browser Downloads

Atomic Stealer malware advertises itself by means of ClearFake browser updates disguised as Google’s Chrome and Apple’s Safari.

Anti-malware software program supplier Malwarebytes has described a brand new variant of Atomic Stealer (also called AMOS), which is malware concentrating on Apple customers. The brand new malware variant, distributed by means of the faux browser replace supply mechanism ClearFake, advertises itself as updates for Apple’s Safari browser and Google’s Chrome browser. The malware is able to grabbing a person’s information and sending it to an attacker’s command and management server.

Jérôme Segura, senior director of risk intelligence at Malwarebytes, famous in his submit concerning the assault that ClearFake is actively being up to date and that its use of good contacts specifically makes it “probably the most prevalent and harmful social engineering schemes.”

“Faux browser updates have been a standard theme for Home windows customers for years, and but up till now the risk actors didn’t develop onto MacOS in a constant manner,” Segura identified.

Bounce to:

Timeline of Atomic Stealer malware

Atomic Stealer was first marketed as a malware supply possibility for risk actors in April 2023. Malwarebytes found in September 2023 that Atomic Stealer was concentrating on Mac customers by means of faux software program updates marketed on Google searches. Atomic Stealer was significantly suited to grabbing passwords and Apple keychain codes used for bitcoin wallets. Atomic Stealer may elevate bank card info.

Whereas Atomic Stealer had been concentrating on Mac customers for a while, ClearFake was traditionally used solely towards Home windows machines. That is outstanding as a result of ClearFake is likely one of the first Home windows social campaigns made for Home windows that then expanded to not solely a distinct geolocation however a distinct working system. Safety researcher Randy McEoin found ClearFake in August 2023.

Safety researcher Ankit Anubhav identified on Nov. 17 that, whereas ClearFake had been seen concentrating on Home windows, the Mac model is a brand new improvement.

How ClearFake poses as Safari and Chrome updates

ClearFake is a sequence of malicious web sites that purport to supply updates for Safari (Determine A) and Chrome (Determine B). Potential victims will see websites posing as authentic browser updates.

Determine A

Fake browser download.
The malicious faux Safari web page will be recognized as spam as a result of its odd spacing and use of older icons. Picture: Malwarebytes

Determine B

Fake browser update.
The faux Chrome replace web page is extra modern. Picture: Malwarebytes

Then, the ClearFake rip-off will ship Atomic Stealer. Victims who click on by means of to the false updates will obtain a .dmg file that may steal passwords and extract recordsdata.

SEE: Some risk actors have used Apple devices for surveillance during the last yr, and it’s a pattern which will proceed, in accordance with Kaspersky. (TechRepublic) 

Malwarebytes discovered that the next malicious domains are related to this risk:

  • Longlakeweb [dot] com
  • Chalomannoakhali [dot] com
  • Jaminzaidad [dot] cm
  • Royaltrustrbc [dot] com

The AMOS stealer will be recognized utilizing the next indicators:

  • 4cb531bd83a1ebf4061c98f799cdc2922059aff1a49939d427054a556e89f464
  • be634e786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7b

The right way to shield towards this malware risk

Safety admins or IT execs ought to maintain the next in thoughts to guard staff from ClearFake and Atomic Stealer:

  • Preserve your group’s net safety instruments updated.
  • Remind staff to not obtain functions from untrusted websites. Mac customers ought to obtain functions solely from the Mac App Retailer or company-approved places.
  • Talk clearly about anticipated browser updates and different software updates.

Source link