Following Deepfake Concerns, Researchers Caution Windows and Mac Users About ClearFake and Advise Vigilance Regarding Browser Updates


Discovery of a Fresh Cyber Threat: ClearFake, Utilized for Deploying Atomic macOS Stealer (AMOS) Malware on Mac and Windows Systems, With a Primary Focus on Apple Users and Data Theft


In the early months of 2023, researchers brought to light a new threat known as Atomic macOS Stealer (AMOS), an information-stealing malware family built to target Apple users. Once running on a victim’s device, AMOS can extract sensitive information, including iCloud Keychain passwords, credit card details, cryptocurrency wallets, and files. The malware was already a significant threat, but a recent report describes a new distribution method: AMOS is being delivered to Mac users through a fake browser update chain known as ‘ClearFake.’ According to the security company Malwarebytes, the ClearFake campaign, first observed in attacks on Windows users, spreads counterfeit Safari and Chrome update prompts through compromised websites. By leveraging this growing pool of compromised sites, the operators are broadening their reach, harvesting login credentials and sensitive files from users who unwittingly run the malware, for immediate financial gain or for use in later attacks.

But what exactly is ClearFake and how is it utilized to deploy AMOS?

Despite the name, ClearFake has nothing to do with deepfakes or machine-learning-generated images and video. It is a malicious JavaScript injection campaign: attackers plant code in legitimate but compromised websites, and that code overlays a convincing “your browser needs an update” prompt on the page. The prompt imitates the browser’s own update notices for Safari or Chrome, and the download it offers is the malware payload. ClearFake was first seen pushing Windows malware this way and has since been adapted to serve AMOS to macOS visitors.

The Installation Process of ClearFake Malware:

In this instance, ClearFake serves as the delivery vehicle for AMOS, an information-stealing malware. Attackers compromise legitimate websites and inject malicious JavaScript code into their pages. When a user visits such a site, the script displays a deceptive prompt mimicking an authentic Safari or Chrome update notice, enticing them to click; doing so starts the download of the AMOS installer.

After clicking the fake update, the victim is sent to a page that downloads the AMOS installer onto the computer. Once the victim opens it, AMOS quietly establishes itself on the system and begins collecting sensitive data. Its primary objective is to steal iCloud Keychain passwords, credit card details, and cryptocurrency wallet contents.
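The chain above depends on a site operator not noticing that a foreign script has been added to their pages. As an added example (not code from the article, from Malwarebytes, or from the ClearFake campaign itself), the following Python scanner illustrates the check an operator can run against their own HTML: it compares every external script source against a baseline allowlist and flags inline scripts that build an “update your browser” overlay or decode and execute embedded code. The allowlisted domains, the sample pages and the keyword list are constructed for the example and would be tuned per site.

```python
"""Heuristic scan of a page's HTML for injected fake-browser-update scripts.

Added example, not from the original article or from Malwarebytes. Assumes
a site operator has a baseline of the script hosts their pages legitimately
use (SCRIPT_ALLOWLIST below is hypothetical) and wants to spot two things a
fake-update injection needs: a script pulled from a host the site never used,
and an inline script that paints an 'update your browser' overlay or hides
its logic behind base64-decode-and-eval.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical baseline: hosts this site is known to load scripts from.
SCRIPT_ALLOWLIST = {
    "example-shop.test",
    "cdn.example-shop.test",
    "www.googletagmanager.com",
}

# Phrases typical of fake update lures; extend per site and language.
OVERLAY_KEYWORDS = (
    "update your browser",
    "browser update",
    "safari update",
    "chrome update",
    "update required",
)


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src=...>
        self.inline = []        # bodies of <script>...</script>
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # html.parser treats <script> content as CDATA, so JS arrives here
        # verbatim even when it contains markup inside string literals.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def scan_page(html, allowlist=SCRIPT_ALLOWLIST):
    """Return a list of human-readable findings; an empty list is a clean page."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []

    for src in collector.external:
        host = urlparse(src).hostname        # handles https://, //host/ and paths
        # Relative paths have no host and are same-origin, so they are skipped.
        if host and host.lower() not in allowlist:
            findings.append(f"external script from unlisted host: {host}")

    for body in collector.inline:
        lowered = body.lower()
        hits = [k for k in OVERLAY_KEYWORDS if k in lowered]
        # Lure text plus DOM manipulation or redirection is the overlay pattern.
        if hits and any(t in body for t in ("document.body", "innerHTML", "location")):
            findings.append(f"inline script builds an update overlay ({', '.join(hits)})")
        # A loader that decodes embedded code and executes it is worth a look
        # regardless of wording.
        if "atob(" in body and ("eval(" in body or "Function(" in body):
            findings.append("inline script decodes and executes embedded code")

    return findings


# Constructed sample pages for the example (not captured from a real site).
CLEAN_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-shop.test/lib.js"></script>
</head><body><h1>Welcome</h1></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<script src="https://static.attacker-cdn.test/loader.js"></script>
<script>
var d = document.createElement('div');
d.innerHTML = '<h2>Update your browser</h2><p>Your Safari update is ready.</p>';
document.body.appendChild(d);
</script>
<script>eval(atob('Ly8gY29uc3RydWN0ZWQgcGxhY2Vob2xkZXI='));</script>
</body>""")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page) or ["no findings"])
```

Run against a saved copy of each template or a crawl of the live site; the first finding to investigate is usually the unlisted host, since the overlay code itself may be loaded from there rather than inlined.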

The adaptability of ClearFake is a cause for concern as it extends its reach beyond traditional Windows environments to target macOS users. This shift underscores the evolving nature of cyber attack strategies, emphasizing the necessity for heightened vigilance and proactive measures.

Guidelines for Staying Secure:

To safeguard against ClearFake and other evolving threats, proactive measures are essential, including:

  1. Avoiding Downloads from Untrusted Sources: Never install a browser update offered by a web page. Safari is updated only through Software Update in the Mac’s System Settings, and Chrome updates itself or can be updated from its own About Google Chrome menu; an update button on a third-party site is a red flag.
  2. Exercising Caution with macOS Gatekeeper Prompts: If an installer or a website instructs you to right-click and choose Open, or to otherwise bypass a Gatekeeper warning, stop; a legitimate browser update never requires this.
  3. Verifying Source Legitimacy: Before downloading an app outside the Mac App Store, check the legitimacy of the source, including how recently the website’s domain was registered, and confirm that macOS reports the app as signed and notarized before opening it.
  4. Keeping Systems Updated: Regularly updating operating systems and software is vital to patch security vulnerabilities and implement the latest security features.
