In an interesting new development, AMOS is now being delivered to Mac users via a fake browser update chain tracked as ‘ClearFake’.

ClearFake is a newer malware campaign that leverages compromised websites to distribute fake browser updates. It was originally discovered by Randy McEoin in August (rmceoin.github.io/malware-anal) and has since gone through a number of upgrades, including the use of smart contracts to build its redirect mechanism (krebsonsecurity.com/2023/10/th), making it one of the most prevalent and dangerous social engineering schemes.

On Nov 17, security researcher Ankit Anubhav observed that ClearFake was distributed to Mac users as well with a corresponding payload:

infosec.exchange/@ankit_anubha

Atomic Stealer, also known as AMOS, is a popular stealer for macOS. Back in September, Malwarebytes described how malicious ads were tricking victims into downloading this piece of malware under the disguise of a popular application (malwarebytes.com/blog/threat-i).

The Safari template mimics the official Apple website and is available in different languages.

Since Google Chrome is also popular on Macs, there is a template for it which closely resembles the one used for Windows users.

Fake browser updates have been a common theme for Windows users for years, and yet up until now the threat actors had not expanded to macOS in a consistent way.

ClearFake has become one of the main social engineering campaigns recently, and Mac users should pay particular attention to it.

---- Malwarebytes

malwarebytes.com/blog/threat-i
