ClearFake Campaign Expands to Deliver Atomic Stealer on macOS Systems

November 22, 2023 at 02:24AM

The macOS information stealer Atomic is now being distributed through ClearFake, a malicious fake-browser-update chain. This is the first time a social engineering campaign built for Windows has expanded to macOS. Atomic Stealer is commercial malware that harvests data from web browsers and cryptocurrency wallets. ClearFake is a newer malware distribution operation that uses compromised WordPress sites to push stealers and other malware through fake browser update notifications. Separately, the LummaC2 stealer has added a feature that extracts persistent Google session cookies, allowing attackers to access accounts even after the victim changes their password.

Key takeaways:

1. Atomic Stealer is a macOS information stealer now being delivered to targets via a bogus web-browser-update chain called ClearFake. This is the first time a social engineering campaign previously reserved for Windows has branched out to macOS.

2. Atomic Stealer is a commercial malware family sold on a subscription basis for $1,000 per month. It can steal data from web browsers and cryptocurrency wallets.

3. ClearFake is a nascent malware distribution operation that uses compromised WordPress sites to serve fraudulent web browser update notices, with the goal of deploying stealers and other malware.

4. The ClearFake campaign has expanded to macOS, delivering Atomic Stealer as a DMG disk image via the hacked websites. As with the Windows variant, the chain relies on the user accepting the fake update and opening the download rather than on any exploit.

5. Stealer malware continues to rely on fake or trojanized installers for legitimate software, delivered through malicious advertising, search engine redirects, drive-by downloads, phishing, and SEO poisoning.

6. The LummaC2 stealer has updated its anti-sandbox technique and can now harvest persistent Google account cookies from compromised computers. These cookies remain usable for cybercriminal activity even if the owner changes their password, which poses a significant security risk.

7. The persistence of these cookies and their potential impact could lead to more Google accounts and services being compromised and to larger downstream security problems.


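Items 4 and 5 describe the delivery pattern: an installer for well-known software, here a browser DMG, fetched from a site that is not the vendor's, after the user clicked a fake update notice on a compromised page. One way to hunt for that pattern in web proxy logs is shown below. This is an added example written for this page, not code from the article or from any vendor; the log format, the vendor host allowlist, the `.test` hostnames and the sample lines are all constructed for the example and would need to be adapted to a real environment.

```python
"""Hunt proxy logs for browser-installer DMGs served from non-vendor hosts.

Added example for this page. Log format, allowlist and sample data are
constructed; tune them before running against real logs.
"""
import re
from urllib.parse import urlparse, unquote

# Hosts that legitimately serve (or link to) the listed macOS browser
# installers. Constructed allowlist for this example, not an official list.
VENDOR_HOSTS = {
    "chrome": {"dl.google.com", "www.google.com"},
    "firefox": {"download.mozilla.org", "download-installer.cdn.mozilla.net",
                "www.mozilla.org"},
    "safari": {"swcdn.apple.com", "support.apple.com"},
}

# One request per line: "epoch client_ip method url status bytes referer".
# Minimal constructed proxy-log format, not a real vendor schema.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<referer>\S+)$"
)

# Constructed sample: one genuine Chrome download, one fake "ChromeUpdate"
# reached from a blog post, one unrelated tool, one fake Firefox mirror,
# and one malformed line that the parser must skip.
SAMPLE_LOG = """\
1700640000.123 10.0.0.5 GET https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg 200 215000000 https://www.google.com/chrome/
1700640055.456 10.0.0.7 GET https://cdn.fake-updates.test/ChromeUpdate.dmg 200 3200000 https://blog.hacked-wordpress.test/2023/11/post/
1700640099.789 10.0.0.9 GET https://files.example.test/SomeTool.dmg 200 4096000 -
1700640120.001 10.0.0.5 GET https://mirror.example.test/Firefox%20119.0.dmg 200 80000000 https://blog.hacked-wordpress.test/2023/11/post/
this line is malformed and is skipped
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def _host_allowed(host, allowed):
    """True if host is one of the allowed hosts or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def classify_download(url, referer):
    """Return the reasons a request looks like a fake-installer download.

    An empty list means nothing suspicious by these heuristics. Only DMG
    files whose name poses as a known browser are considered at all.
    """
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = unquote(parsed.path.rsplit("/", 1)[-1]).lower()

    if not filename.endswith(".dmg"):
        return reasons  # only macOS disk images are in scope here

    browser = next((b for b in VENDOR_HOSTS if b in filename), None)
    if browser is None:
        return reasons  # a DMG that does not pose as a browser

    if not _host_allowed(host, VENDOR_HOSTS[browser]):
        reasons.append(f"{browser} installer served from non-vendor host {host}")

    # A referer on an unrelated site means the download chain started on a
    # third-party page, the fake-update pattern described in the article.
    ref_host = (urlparse(referer).hostname or "").lower()
    if ref_host and ref_host != host and not _host_allowed(ref_host, VENDOR_HOSTS[browser]):
        reasons.append(f"download chain started on third-party page {ref_host}")

    return reasons


def find_suspicious(log_text):
    """Scan log text and return one finding per suspicious DMG download."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line, skip rather than crash the hunt
        reasons = classify_download(rec["url"], rec["referer"])
        if reasons:
            findings.append({"client": rec["client"], "url": rec["url"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['client']} {f['url']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample, the genuine Chrome download and the unrelated tool produce no finding, while the two browser-named DMGs fetched from non-vendor hosts after a visit to the same blog post are each reported with two reasons. The allowlist deliberately includes the vendors' web front ends as acceptable referers, since a legitimate download normally starts on the vendor's own page; anything that starts elsewhere is exactly the chain the page describes.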