ClearFake campaign spreads macOS AMOS information stealer

Pierluigi Paganini November 23, 2023

Threat actors spread Atomic Stealer (AMOS) macOS information stealer via a bogus web browser update as part of the ClearFake campaign.

Atomic Stealer (AMOS) macOS information stealer is now being delivered via a fake browser update chain tracked as ClearFake, Malwarebytes researchers warn.

The malware focuses on macOS, designed to pilfer sensitive information from the compromised systems.

Researchers noted that the authors continually enhance the Atomic Stealer.

The Atomic macOS Stealer lets operators steal diverse information from infected machines. This includes Keychain passwords, system details, desktop files, and macOS passwords.

The malware is able to steal data from multiple browsers, including auto-fills, passwords, cookies, wallets, and credit card information. AMOS can target multiple cryptowallets such as Electrum, Binance, Exodus, Atomic, and Coinomi.

In ClearFake campaign, threat actors are relying on a growing list of compromised sites to reach out a wider audience.

“ClearFake is a newer malware campaign that leverages compromised websites to distribute fake browser updates. It was originally discovered by Randy McEoin in August and has since gone through a number of upgrades, including the use of  to build its redirect mechanism, making it one of the most prevalent and dangerous social engineering schemes.” reads the published by Malwarebytes. “On November 17, security researcher Ankit Anubhav observed that ClearFake was distributed to Mac users as well with a corresponding payload.”

On November 17, security researcher Ankit Anubhav first noticed that the Clearfake campaign was also distributing Mac malware.

Threat actors used websites mimicking the official Apple Safari page website and the Chrome page.

Clearfake AMOS macOS malware

Upon clicking the “update [browser]” button, victims receive a DMG file that claims to be a Safari or Chrome update.

The instructions guide victims to open the file. It prompts for the admin password and executes commands immediately after.

The payload targets Mac users and appears as a DMG file that mimics a Safari or Chrome update.

The instructions guide victims to open the file, and it promptly runs commands after requesting the administrative password.

Experts were able to find the malware’s command and control server by analyzing the code of the payload.

“Fake browser updates have been a common theme for Windows users for years, and yet up until now the threat actors didn’t expand onto MacOS in a consistent way. The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments.” concludes the report. “Because ClearFake has become one of the main social engineering campaigns recently, Mac users should pay particular attention to it.”

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – hacking, Atomic Stealer (AMOS))



you might also like

leave a comment