Fake Browser Updates Targeting Mac Systems With Infostealer

A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems.

Experts say this could be the first time they've observed a dominant social engineering scam previously aimed specifically at Windows make the shift to macOS.

The malware, also referred to as AMOS, surfaced earlier this year on a dedicated Telegram channel. Criminals, who can rent the malware on a subscription basis for about $1,000 a month, have used a variety of means to distribute the malware since then. The most common tactic has been to distribute the malware via installers for popular apps or via purportedly cracked versions of Microsoft Office and other widely used applications.

ClearFake Campaign

This week, researchers from Malwarebytes reported observing a threat actor distributing Atomic Stealer via hundreds of compromised websites that serve up fake updates for Chrome and Safari browsers. Another security researcher, Randy McEoin, first spotted the compromised websites in August and dubbed the malware for generating the fake browser updates as "ClearFake."

At the time, McEoin described ClearFake as malware that initially loads a page normally when a user visits a compromised website, but then replaces it with a page prompting the user to update their browser. Mac users who respond to the prompt end up downloading Atomic Stealer on their systems, the security researcher noted.

"This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system," Malwarebytes researcher Jerome Segura said in a blog this week.

According to Segura, the Safari template that a ClearFake-compromised website serves up is identical to the one on Apple's official website and is available in multiple languages. There is also a template for Google Chrome for Mac users that is very similar to the one used for Windows users, Segura said.

The payload for Mac users is a disk image (DMG) file masquerading as a browser update with instructions for users on how to open it. If opened, the file immediately prompts for the admin password and then runs commands for stealing data from the system. Malwarebytes researchers observed commands for stealing passwords and grabbing different files from a compromised system and shipping them off to a remote command-and-control server.

'One-Hit Smash and Grab'

SentinelOne, which is tracking the malware, has described Atomic Stealer as capable of stealing account passwords, browser data, session cookies, and cryptocurrency wallets. The security vendor reported seeing as many as 300 subscribers for Atomic Stealer on the author's Telegram channel back in May 2023. Its analysis of the malware showed there were at least two versions of Atomic Stealer, one of which was hidden in a game installer. SentinelOne found that version of the malware seemingly designed specifically to steal information from gamers and cryptocurrency users.

One behavior of Atomic Stealer that SentinelOne highlighted in its report was the lack of any attempt by the malware to gain persistence on a compromised machine. Instead, the malware appeared to rely on what SentinelOne described as a "one-hit smash and grab methodology" via AppleScript spoofing.

"Fake browser updates have been a common theme for Windows users for years," Segura noted. Yet, until the ClearFake campaign, threat actors have not used the vector to distribute macOS malware. "The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments," he said.

The new malware and campaign are only the latest manifestation of what some have reported as greater threat actor interest in macOS systems. In August, Accenture reported a 1,000% increase in threat actors targeting the operating system since 2019. Among them was one attacker who offered up to $1 million for a working exploit for macOS, Accenture found. "Of great concern is the emergence of established actors with positive reputations and large budgets looking for exploits and other methods which would enable them to bypass macOS security functions," Accenture said.