On the 21st of November, 2023, Malwarebytes reported a new threat targeting Mac users. Hackers have been seen spreading a malware called Atomic Stealer, also known as Amos Stealer, disguised as a browser update. The Atomic Stealer malware is capable of stealing sensitive information from its victims.
Notably, the hackers have repurposed a social engineering campaign originally designed for Windows to infect Macs. They use compromised websites to distribute fake browser updates in a campaign called ClearFake. This campaign, previously reported by fixitgearware, uses smart contracts to build a redirect mechanism that leads potential victims to malicious sites.
Atomic Stealer Malware:
Atomic Stealer, aka Amos Stealer, is distributed through deceptive links with malicious intent. The hackers target Mac users with the sole aim of obtaining sensitive information.
Unsuspecting victims receive a phishing email or click on links in social media posts, which redirect them to a malicious page urging them to update or download the Safari browser. In a new discovery, the hackers have also been observed to have developed a Chrome-based version for Mac.
These pages displaying the browser updates clearly impersonate legitimate organizations such as Apple and Google.
When victims click the download button, a “*.dmg” file (the disk image format used to distribute Mac applications) is downloaded to their computer. They are then asked to install the file and provide their administrator password during the installation. Once this is done, sensitive information, including credit card details and other vital credentials, is exfiltrated to the hackers’ C2 (Command-and-Control) server.
ClearFake Malware Campaign Targeting Mac users:
The ClearFake malware campaign was initially detected by Randy McEoin in August 2023. Since then, the threat actors responsible for it have added a lot of obfuscation, which involves the use of smart contracts to host the redirect logic.
However, in November, Ankit Anubhav detected a variant of this campaign targeting Mac-based operating systems, which he disclosed via X (formerly Twitter) on the 17th of November, 2023.
Indicators of Compromise (IoCs):
Malwarebytes researchers have subsequently listed IoC domains that are telltale signs that a user may have been exposed to or infected with Atomic Stealer. These include:
- longlakeweb[.]com
- chalomannoakhali[.]com
- jaminzaidad[.]com
- royaltrustrbc[.]com
Furthermore, the Atomic Stealer samples are identified by the following SHA-256 file hashes:
- 4cb531bd83a1ebf4061c98f799cdc2922059aff1a49939d427054a556e89f464
- be634e786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7b
And the attackers’ C2 (Command-and-Control) server is listed as the IP address:
- 194.169.175[.]117
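As an added example (not part of the original Malwarebytes or fixitgearware material), the script below shows how a defender can turn the IoCs listed above into a simple detection pass: it refangs the defanged indicators, matches domains (including subdomains) and the C2 IP against proxy and firewall log lines, and checks a file's SHA-256 against the published hashes. The log lines are constructed for illustration; the log format and helper names are assumptions.

```python
import hashlib
import re

def refang(s: str) -> str:
    """Undo the usual defanging ('[.]' and 'hxxp') so indicators match real logs."""
    return s.replace("[.]", ".").replace("hxxps", "https").replace("hxxp", "http")

# IoCs exactly as published on the page, refanged for matching.
IOC_DOMAINS = {refang(d) for d in [
    "longlakeweb[.]com", "chalomannoakhali[.]com",
    "jaminzaidad[.]com", "royaltrustrbc[.]com"]}
IOC_SHA256 = {
    "4cb531bd83a1ebf4061c98f799cdc2922059aff1a49939d427054a556e89f464",
    "be634e786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7b",
}
IOC_IPS = {refang("194.169.175[.]117")}

HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_log(text: str) -> list[tuple[int, str]]:
    """Return (line_number, finding) for every log line touching a listed IoC.
    A host matches if it equals a listed domain or is a subdomain of one."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = refang(line)
        for host in HOST_RE.findall(line):
            host = host.lower()
            if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
                findings.append((n, "domain:" + host))
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                findings.append((n, "ip:" + ip))
    return findings

def sha256_is_ioc(data: bytes) -> bool:
    """True if the bytes (e.g. a downloaded .dmg) hash to a published sample."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256

# Constructed sample log (assumed proxy/firewall format), not real traffic.
SAMPLE_LOG = """\
2023-11-21T10:02:11Z proxy GET https://www.apple.com/safari/ 200
2023-11-21T10:03:47Z proxy GET https://longlakeweb.com/update/Safari.dmg 200
2023-11-21T10:04:02Z fw ALLOW tcp 10.0.0.5:51422 -> 194.169.175.117:443
2023-11-21T10:05:19Z proxy GET https://cdn.jaminzaidad.com/ 200
"""

if __name__ == "__main__":
    for line_no, finding in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
    print("sample .dmg matches IoC hash:", sha256_is_ioc(b"constructed benign bytes"))
```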
Mitigation:
To protect yourself from the Atomic Stealer, fixitgearware security advises the following measures:
- Always download and update your software, not just browsers, from verified and trusted sources.
- Use trusted antivirus software as an additional layer of protection. It can detect and block redirects to malicious URLs while users browse the internet.
- Verify links when using a search engine by checking for telltale signs such as “typo-squatting”, a common social engineering trick in which hackers register look-alike domains of high-profile organizations that differ by a single missing or swapped character.
Remember to always stay safe, and be vigilant 🛡️!
Put your comments below in the comment section on your thoughts about this.