Fake Browser Updates Targeting Mac Systems With Infostealer

We Keep you Connected

Fake Browser Updates Targeting Mac Systems With Infostealer

A pervasive ClearFake campaign targeting Windows systems with Atomic Stealer has expanded its social engineering scams to MacOS users, analysts warn.
November 22, 2023
A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems.
Experts say this could be the first time they've observed a dominant social engineering scam previously aimed specifically at Windows make the shift to macOS.
The malware, also referred to as AMOS, surfaced earlier this year on a dedicated Telegram channel. Criminals, who can rent the malware on a subscription basis for about $1,000 a month, have used a variety of means to distribute the malware since then. The most common tactic has been to distribute the malware via installers for popular apps or via purportedly cracked versions of Microsoft Office and other widely used applications.
This week, researchers from Malwarebytes reported observing a threat actor distributing Atomic Stealer via hundreds of compromised websites that serve up fake updates for Chrome and Safari browsers. Another security researcher, Randy McEoin, first spotted the compromised websites in August and dubbed the malware for generating the fake browser updates as "ClearFake."
At the time, McEoin described ClearFake as malware that initially loads a page normally when a user visits a compromised website, but then replaces it with a page prompting the user to update their browser. Mac users who respond to the prompt end up downloading Atomic Stealer on their systems, the security researcher noted.
"This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system," Malwarebytes researcher Jerome Segura said in a blog this week.
According to Segura, the Safari template that a ClearFake-compromised website serves up is identical to the one on Apple's official website and is available in multiple languages. There is also a template for Google Chrome for Mac users that is very similar to the one used for Windows users, Segura said.
The payload for Mac users is a disk image (DMG) file masquerading as a browser update with instructions for users on how to open it. If opened, the file immediately prompts for the admin password and then runs commands for stealing data from the system. Malwarebytes researchers observed commands for stealing passwords and grabbing different files from a compromised system and shipping them off to a remote command-and-control server.
SentinelOne, which is tracking the malware, has described Atomic Stealer as capable of stealing account passwords, browser data, session cookies, and cryptocurrency wallets. The security vendor reported seeing as many as 300 subscribers for Atomic Stealer on the author's Telegram channel back in May 2023. Its analysis of the malware showed there were at least two versions of Atomic Stealer, one of which was hidden in a game installer. SentinelOne found that version of the malware seemingly designed specifically to steal information from gamers and cryptocurrency users.
One behavior of Atomic Stealer that SentinelOne highlighted in its report was the lack of any attempt by the malware to gain persistence on a compromised machine. Instead, the malware appeared to rely on what SentinelOne described as a "one-hit smash and grab methodology" via AppleScript spoofing.
"Fake browser updates have been a common theme for Windows users for years," Segura noted. Yet, until the ClearFake campaign, threat actors have not used the vector to distribute macOS malware. "The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments," he said.
The new malware and campaign are only the latest manifestation of what some have reported as greater threat actor interest in macOS systems. In August, Accenture reported a 1,000% increase in threat actors targeting the operating system since 2019. Among them was one attacker who offered up to $1 million for a working exploit for macOS, Accenture found. "Of great concern is the emergence of established actors with positive reputations and large budgets looking for exploits and other methods which would enable them to bypass macOS security functions," Accenture said.
Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication Methods
Modern Supply Chain Security: Integrated, Interconnected, and Context-Driven
How to Combat the Latest Cloud Security Threats
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and Phishing
SecOps & DevSecOps in the Cloud
Cybersecurity Outlook 2024 – A Dark Reading December 14 Event
Black Hat Europe – December 4-7 – Learn More
Cyber Resiliency 2023: How to Keep IT Operations Running, No Matter What
The State of Supply Chain Threats
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
The Cyber Threat Impact of COVID-19 to Global Business
Build a Case for a Password Manager
The Rise of Extended Detection & Response
Cybersecurity Outlook 2024 – A Dark Reading December 14 Event
Black Hat Europe – December 4-7 – Learn More
Cyber Resiliency 2023: How to Keep IT Operations Running, No Matter What
Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.