Malware, Ransomware

Hackers Use Fake Browser Updates for AMOS Malware Attacks Targeting Mac Users

Apple blacklists 'iWorm' malware which infected 17,000 Macs

Cybercriminals are utilizing the "ClearFake" fake browser update chain to launch Atomic Stealer (AMOS) malware attacks against Mac users, according to Malwarebytes.

The news comes after Malwarebytes in September 2023 reported that cybercriminals were using malicious ads to trick Mac users into downloading AMOS.

What Is the Atomic Stealer Malware?

AMOS was initially used as a stealer for Mac OS in April 2023, Malwarebytes noted. SentinelOne indicated that at least one hacker was offering rent access to an AMOS web panel and disk-image based installer for $1,000 per month on April 9, 2023.

With AMOS, cybercriminals distribute malicious payloads by disguising them as installers for legitimate applications or pretending to offer users "cracked" versions of popular software, SentinelOne stated. AMOS lets hackers extract users' login passwords via AppleScript spoofing. It also contains logic that allows cybercriminals to steal users' keychains and crypto wallet contents.

What Is ClearFake?

ClearFake is an AMOS malware campaign discovered in August 2023, Malwarebytes pointed out. It involves the use of compromised websites to distribute fake browser updates.

On November 17, 2023, researcher Ankit Anubhav observed that ClearFake was distributed to Mac users, Malwarebytes reported. In ClearFake attacks, cybercriminals use a malicious payload disguised as a Safari or Google Chrome update. Users get instructions on how to open a file, and if a user opens the file, the payload lets a hacker steal users' passwords and data.

How to Protect Against ClearFake and Atomic Stealer Attacks

Fake browser updates are common among Mac and Windows users, Malwarebytes noted. With a clear understanding of ClearFake and AMOS attacks, Mac and Windows users are well equipped to guard against them.

Malwarebytes recommends using web protection tools to block AMOS and other malware attacks.

In addition, MSSPs can keep their customers up to date about AMOS and other cyber threats. They can also provide services and resources to ensure that their customers are protected against current and emerging threats.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.