November 25, 2023 at 05:08PM
The ‘ClearFake’ campaign, which initially targeted Windows users with fake Chrome update prompts, has expanded to Macs and now delivers the Atomic Stealer (AMOS) malware to macOS computers. On macOS the lure is a fake Safari update; the payload attempts to steal passwords, credit card details, and cryptocurrency data. Apple users should treat any browser update offered by a website as suspect, because legitimate updates are distributed only through official channels.
The ‘ClearFake’ fake browser update campaign has expanded to macOS and is now targeting Apple computers with the Atomic Stealer (AMOS) malware. The campaign began in July 2023, targeting Windows users with fake Chrome update prompts delivered through JavaScript injected into breached websites.
In October 2023, Guardio Labs reported a significant development: the campaign had started using Binance Smart Chain contracts to host its malicious scripts on the blockchain (a technique Guardio named ‘EtherHiding’), so that the loader code cannot simply be taken down like a conventional hosting server. These scripts were used to distribute Windows-targeting payloads, including the information-stealing malware RedLine, Amadey, and Lumma.
On November 17, 2023, threat analyst Ankit Anubhav reported that ClearFake had started pushing DMG payloads to macOS users who visited compromised websites. A Malwarebytes report confirmed this, noting that the macOS attacks use a Safari update bait alongside the campaign’s standard Chrome overlay.
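The mechanics described above (a script injected into a legitimate page that pulls its loader from a Binance Smart Chain contract, a full-page “your browser is out of date” overlay, and a download link to an installer hosted elsewhere) can be turned into a simple page-scanning heuristic. The following Python script is an added example, not code from ClearFake, Malwarebytes, or Guardio; the indicator patterns, the two-indicator threshold, the contract address placeholder, and the sample HTML pages are all constructed assumptions for illustration, not published IOCs.

```python
"""Heuristic scanner for fake browser-update injections.

Added example, not ClearFake's code and not from Malwarebytes or Guardio.
The patterns below are assumptions modelled on the article's description:
  1. page JavaScript talking to a public BSC JSON-RPC endpoint (eth_call),
  2. visible text pairing a browser name with "update",
  3. a link to an installer (.dmg/.pkg/.exe/.msi) on a host other than the page's.
Two or more indicators together are treated as suspicious.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: public BSC dataseed hostnames are what an EtherHiding-style loader
# would contact from the browser; a real deployment would maintain this list.
BSC_RPC = re.compile(r"bsc-dataseed\d*\.binance\.org", re.I)
ETH_CALL = re.compile(r"eth_call|\.call\(\s*\{", re.I)
PAYLOAD_EXT = re.compile(r"\.(dmg|pkg|exe|msi)$", re.I)
LURE = re.compile(
    r"\b(chrome|safari|firefox|edge)\b[^.<]{0,80}\bupdate"
    r"|\bupdate\b[^.<]{0,80}\b(chrome|safari|firefox|edge)\b",
    re.I,
)


class _Collector(HTMLParser):
    """Pulls inline script bodies, external script URLs, links and visible text."""

    def __init__(self):
        super().__init__()
        self.scripts, self.script_srcs, self.links, self.text = [], [], [], []
        self._in_script = False
        self._cur_link = None  # [href, accumulated link text]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "a" and a.get("href"):
            self._cur_link = [a["href"], ""]

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "a" and self._cur_link:
            self.links.append(tuple(self._cur_link))
            self._cur_link = None

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as one CDATA chunk.
        if self._in_script:
            self.scripts.append(data)
        else:
            self.text.append(data)
            if self._cur_link:
                self._cur_link[1] += data


def scan(html, page_host):
    """Return a dict of indicator -> evidence found in the page."""
    c = _Collector()
    c.feed(html)
    findings = {}
    js = "\n".join(c.scripts + c.script_srcs)
    if m := BSC_RPC.search(js):
        findings["blockchain_rpc"] = m.group(0)
    if m := ETH_CALL.search(js):
        findings["contract_call"] = m.group(0)
    if m := LURE.search(" ".join(c.text)):
        findings["browser_update_lure"] = m.group(0).strip()
    for href, _label in c.links:
        u = urlparse(href)
        host = u.hostname or page_host  # relative links stay on-site
        if PAYLOAD_EXT.search(u.path) and host.lower() != page_host.lower():
            findings["offsite_installer"] = href
            break
    return findings


def is_suspicious(findings):
    """A single indicator is weak on its own; require two of the three."""
    return len(findings) >= 2


# Constructed sample pages (not captured from a real compromised site).
SAMPLE_INJECTED = """<html><body><p>Welcome to the blog.</p>
<script>
  const rpc = "https://bsc-dataseed1.binance.org/";
  // 0x000...0 is a placeholder, not a real contract address
  fetch(rpc, {method: "POST", body: JSON.stringify({method: "eth_call",
    params: [{to: "0x0000000000000000000000000000000000000000", data: "0x"}]})});
</script>
<div id="overlay">Your Safari browser is out of date. Please update Safari to continue.
<a href="https://cdn.example-updates.test/SafariUpdate.dmg">Update now</a></div>
</body></html>"""

SAMPLE_CLEAN = """<html><body><p>Welcome to the blog.</p>
<script src="/static/app.js"></script>
<p>Our latest post is about sourdough.</p>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("injected", SAMPLE_INJECTED), ("clean", SAMPLE_CLEAN)):
        f = scan(page, "blog.example.test")
        print(name, "suspicious" if is_suspicious(f) else "ok", f)
```

The scanner deliberately keys on behaviour (where the script fetches code from, what the overlay says, where the installer lives) rather than on any specific script hash or domain, since those are exactly what a campaign rotates; expect to tune the lure regex, because ordinary pages that legitimately mention browser updates will trip that one indicator on its own.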
The payload dropped in these macOS attacks is Atomic, an info-stealer sold to cybercriminals through Telegram channels for $1,000 per month. First documented in April 2023, Atomic is designed to steal passwords, cookies, credit card data, data from cryptocurrency wallet extensions, and keychain passwords. The keychain is especially valuable to an attacker because it holds the victim’s other stored credentials, so one compromised keychain password can expose every account saved on the machine.
Malwarebytes’ examination of the payload’s strings reveals a series of commands for extracting this data and for collecting specific file types from the system. Notably, several months after its discovery, roughly half of the antivirus engines on VirusTotal still fail to detect this Atomic sample.
Apple users should therefore be cautious about downloading files, and in particular about any prompt to update their browser that appears while visiting a website. Legitimate Safari updates arrive only through macOS’s Software Update, and browsers such as Chrome update themselves through their own built-in updater; neither is ever delivered as a download offered by a third-party web page. Any website prompt to download a browser update should be ignored, and a DMG that arrives that way should not be opened.