ClearFake Campaign Expands to Target Mac Systems with Atomic Stealer

The scheme known as ClearFake, previously linked to Windows systems, has now broadened its reach to target macOS devices, introducing the Atomic Stealer malware through deceptive web browser update chains.

Jérôme Segura from Malwarebytes highlighted this expansion as a significant shift in social engineering campaigns, branching out not just across different geographical locations but also targeting diverse operating systems. Atomic Stealer, also recognized as AMOS, emerged in April 2023 as a commercially available malware, sold via subscription at $1,000 per month. It specializes in extracting data from web browsers and cryptocurrency wallets. By September 2023, Malwarebytes had detailed an Atomic Stealer campaign exploiting malicious Google ads, deceiving macOS users seeking a financial charting platform named TradingView into unwittingly downloading the malware.

Meanwhile, ClearFake operates as a fledgling malware distribution network, utilizing compromised WordPress sites to present phony web browser updates, aiming to deploy stealers and other malicious software.

This campaign joins other threat actors such as TA569 (aka SocGholish), RogueRaticate (FakeSG), ZPHP (SmartApeSG), and EtherHiding, all known for employing fake browser update lures. As of November 2023, the ClearFake campaign has expanded its scope to target macOS systems using a nearly identical infection chain, exploiting compromised websites to deliver Atomic Stealer disguised as a DMG file.

This development underscores the persistent reliance of stealer malware on fake or corrupted installer files masquerading as legitimate software. Such stealers spread via malicious advertisements, search engine redirects to harmful websites, drive-by downloads, phishing attempts, and SEO manipulation to reach new victims.

Segura noted, “The popularity of stealers like AMOS facilitates adapting payloads to various victims with minor alterations.”

Source – https://thehackernews.com/