Fake Browser Updates Targeting Mac Systems With Infostealer

A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems. Experts say this could be the first time they've observed a dominant social engineering scam previously aimed specifically at Windows make the shift to macOS. The malware, also referred to as AMOS, surfaced earlier this year on a dedicated Telegram channel. Criminals, who can rent the malware on a subscription basis for about $1,000 a month, have used a variety of means to distribute the malware since then. The most common tactic has been to distribute the malware via installers for popular apps or via purportedly cracked versions of Microsoft Office and other widely used applications. ClearFake Campaign This week, researchers from Malwarebytes reported observing a threat actor distributing Atomic Stealer via hundreds of compromised websites that serve up fake updates for Chrome and Safari browsers. Another security researcher, Randy McEoin, first spotted the compromised websites in August and dubbed the malware for generating the fake browser updates as "ClearFake." At the time, McEoin described ClearFake as malware that initially loads a page normally when a user visits a compromised website, but then replaces it with a page prompting the user to update their browser. Mac users who respond to the prompt end up downloading Atomic Stealer on their systems, the security researcher noted. "This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system," Malwarebytes researcher Jerome Segura said in a blog this week. According to Segura, the Safari template that a ClearFake-compromised website serves up is identical to the one on Apple's official website and is available in multiple languages. There is also a template for Google Chrome for Mac users that is very similar to the one used for Windows users, Segura said. The payload for Mac users is a disk image file masquerading as a browser update with instructions for users on how to open it. If opened, the file immediately prompts for the admin password and then runs commands for stealing data from the system. Malwarebytes researchers observed commands for stealing passwords and grabbing different files from a compromised system and shipping them off to a remote command-and-control server. 'One-Hit Smash and Grab' SentinelOne, which is tracking the malware, has described Atomic Stealer as capable of stealing account passwords, browser data, session cookies, and cryptocurrency wallets. The security vendor reported seeing as many as 300 subscribers for Atomic Stealer on the author's Telegram channel back in May 2023. Its analysis of the malware showed there were at least two versions of Atomic Stealer, one of which was hidden in a game installer. SentinelOne found that version of the malware seemingly designed specifically to steal information from gamers and cryptocurrency users. One behavior of Atomic Stealer that SentinelOne highlighted in its report was the lack of any attempt by the malware to gain persistence on a compromised machine. Instead, the malware appeared to rely on what SentinelOne described as a "One-hit smash and grab methodology" via AppleScript spoofing. "Fake browser updates have been a common theme for Windows users for years," Segura noted. Until the ClearFake campaign, threat actors have not used the vector to distribute macOS malware. "The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments," he said. The new malware and campaign are only the latest manifestation of what some have reported as greater threat actor interest in macOS systems. In August, Accenture reported a 1,000% increase in threat actors targeting the operating system since 2019. Among them was one attacker who offered up to $1 million for a working exploit for macOS, Accenture found. "Of great concern is the emergence of established actors with positive reputations and large budgets looking for exploits and other methods which would enable them to bypass macOS security functions," Accenture said.

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:02 +0000


Cyber News related to Fake Browser Updates Targeting Mac Systems With Infostealer

Fake Browser Updates Targeting Mac Systems With Infostealer - A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems. Experts say this could be the ...
1 year ago Darkreading.com
12 Essential Steps Mac Users Need To Take At Year End - As the year comes to a close, Mac users should take these steps to ensure their device's security, performance and organization. Here are the year-end steps you should take to ensure your Mac is ready for 2024. After ensuring your Mac's files are ...
1 year ago Techrepublic.com
Fake browser updates spread updated WarmCookie malware - The latest campaign was discovered by researchers at Gen Threat Labs, who observed the WarmCookie backdoor being distributed as fake Google Chrome, Mozilla Firefox, Microsoft Edge, and Java updates. FakeUpdate is a cyberattack strategy used by a ...
2 months ago Bleepingcomputer.com
Sophisticated Booking.com Scam Targeting Guests with Vidar Infostealer - The 'How To' guide for targeting Booking.com customers is being offered for sale on the dark web, as well as on underground cybercrime forums, including Russian-speaking platforms such as XSS.IS. Cybersecurity firm Secureworks is alerting Booking.com ...
1 year ago Hackread.com
The Fake Browser Update Scam Gets a Makeover - One of the oldest malware tricks in the book - hacked websites claiming visitors need to update their Web browser before they can view any content - has roared back to life in the past few months. New research shows the attackers behind one such ...
1 year ago Krebsonsecurity.com
Ukrainian Raccoon Infostealer Operator Extradited to US - A Ukrainian national charged with operating the Raccoon Infostealer malware-as-a-service has made an appearance in a US court after being extradited from the Netherlands. The man, Mark Sokolovsky, 28, was arrested in March 2022, after the FBI and law ...
10 months ago Securityweek.com
Fake Browser Updates Used in Malware Distribution - Cybersecurity researchers from Proofpoint have identified a rising trend in threat activity that employs fake browser updates to disseminate malware. At least four distinct threat clusters have been tracked utilizing this deceptive tactic. Fake ...
1 year ago Infosecurity-magazine.com
Apple Releases Updates for Older Devices in 2021 - Apple released updates to many of its older devices in 2021, including the iPhones, iPads, and Macs. The updates are to address security vulnerabilities that were discovered in the company's older devices. Apple has previously released several ...
1 year ago Thehackernews.com
IT and OT cybersecurity: A holistic approach - In comparison, OT refers to the specialized systems that control physical processes and industrial operations. OT Technologies include industrial control systems, SCADA systems and programmable logic controllers that directly control physical ...
11 months ago Securityintelligence.com
How Kasada Counters Toll Fraud and Fake Account Creation for Enterprises - Toll fraud and fake account creation are two advanced threats that bad actors employ for massive profit. Fake Account Creation is committed by a wide range of attackers, through automating the generation of new user accounts en masse, which then get ...
1 year ago Securityboulevard.com
RustDoor malware targets macOS users by posing as a Visual Studio Update - A new malware called RustDoor is targeting macOS users. The malware has been undetected for 3 months, and poses as a Microsoft Visual studio Update. ADVERTISEMENT. The malware was discovered by Bitdefender. Bitdefender products identify the malware ...
10 months ago Ghacks.net
SocGholish Attacks Enterprises Via Fake Browser Updates - Enterprises are being targeted by the malware known as SocGholish through deceptive browser update prompts. This malware, notorious for its stealth and the complexity of its delivery mechanisms, has been identified in a series of incidents involving ...
7 months ago Gbhackers.com
Pig Butchering: Fake Trading Apps Target Crypto on Apple, Google Play Stores - Pig Butchering scam targets crypto users with fake trading apps on Apple and Google Play Stores. These apps, found on Apple’s App Store and Google Play, and on phishing sites, are part of a Pig Butchering scam targeting cryptocurrency investors ...
2 months ago Hackread.com
The Embedded Systems and The Internet of Things - The Internet of Things is a quite new concept dealing with the devices being connected to each other and communicating through the web environment. This concept is gaining its popularity amongst the embedded systems that exist - let's say - 10 or ...
1 year ago Cyberdefensemagazine.com
Volt Typhoon Ramps Up Malicious Activity Against Critical Infrastructure - China-backed cyber espionage group Volt Typhoon is systematically targeting legacy Cisco devices in a sophisticated and stealthy campaign to grow its attack infrastructure. In many instances, the threat actor, known for targeting critical ...
11 months ago Darkreading.com
How to update outdated software on Mac endpoints: Introducing ThreatDown VPM for Mac - ThreatDown is happy to announce that our Vulnerability Assessment and Patch Management tool is now available for Mac endpoints. There are hundreds of third-party apps that Mac endpoint use on a daily basis-and with that large number of apps comes a ...
9 months ago Malwarebytes.com
- Appearing flattered by the dogged analysis of Chaes malware over the years, the infostealer's developer dropped secret messages in the latest version of the code praising threat hunter efforts and thanking them for the interest. Analysis of ...
11 months ago Darkreading.com
Weak password and infostealer blamed for Orange Spain outage The Register - A weak password exposed by infostealer malware is being blamed after a massive outage at Orange Spain disrupted around half of its network's traffic. The network provider is Spain's second most popular and on Wednesday evening confirmed its RIPE ...
11 months ago Go.theregister.com
Creating a New Market for Post-Quantum Cryptography - A day in the busy life of any systems integrator includes many actions that revolve around the lifeblood of its business - its customers. Systems integrators help solve evolving customer business challenges, which in turn adds partner value. It's a ...
1 year ago Securityboulevard.com
DarkGate Malware Campaigns Linked to Vietnam-Based Cybercriminals - Vietnam-based cybercriminals are believed to be behind to attacks using DarkGate malware, which have targeted organizations in the UK, US and India since 2018. WithSecure researchers have tracked these attacks to an active cluster of cybercriminals ...
1 year ago Infosecurity-magazine.com
Fake LastPass password manager spotted on Apple's App Store - LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials. The fake app uses a similar name to the genuine app, a similar icon, and a red-themed interface ...
10 months ago Bleepingcomputer.com
Fake app impersonating LastPass spotted in Apple's App Store The Register - LastPass says a rogue application impersonating its popular password manager made it past Apple's gatekeepers and was listed in the iOS App Store for unsuspecting folks to download and install. A screenshot of the fake LastPass app in the Apple App ...
10 months ago Go.theregister.com
Convincing LinkedIn 'Profiles' Target Saudi Workers for Information Leakage - Attackers have used hundreds of fake profiles on LinkedIn - many very convincing - to target professionals at companies in Saudi Arabia, not only for financial fraud, but to convince employees in specific roles to provide sensitive corporate ...
1 year ago Darkreading.com
Booking.com Customers Scammed in Novel Social Engineering Campaign - Booking.com customers are being targeted by a novel social engineering campaign, which is "Paying serious dividends" for cybercriminals, according to new research by Secureworks. The researchers said the campaign, which they believe has been running ...
1 year ago Infosecurity-magazine.com
Google Chrome Zero-Day Bug Under Attack, Allows Code Injection - Google has patched a high-severity zero-day bug in its Chrome Web browser that attackers are actively exploiting. The vulnerability, assigned as CVE-2024-0519, is the first Chrome zero-day bug that Google has disclosed in 2024, and the second in the ...
11 months ago Darkreading.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)