Threat actors are delivering Atomic Stealer malware, also known as AMOS, to Mac users via a fake browser update chain tracked as "ClearFake", a new report has found. According to the cybersecurity company Malwarebytes, ClearFake is a newer malware campaign that leverages compromised websites to distribute fake browser updates. "With a growing list of compromised sites at their disposal, the threat actors are able to reach out to a wider audience, stealing credentials and files of interest that can be monetised immediately or repurposed for additional attacks," the researchers said.
According to the report, these attacks utilise a Safari update bait along with the standard Chrome overlay. "The payload is made for Mac users, a DMG file purporting to be a Safari or Chrome update. Victims are instructed on how to open the file which immediately runs commands after prompting for the administrative password," according to the researchers.
In a file accessed by the researchers, they looked at the strings from the malicious application and saw those commands, which include password and file-grabbing capabilities. In the same file, they found the malware’s command and control server where the stolen data was sent to. "Because ClearFake has become one of the main social engineering campaigns recently, Mac users should pay particular attention to it. We recommend leveraging web protection tools to block the malicious infrastructure associated with this threat actor," the researchers suggested.