Atomic Stealer Distributes Malware to Macs Through False Browser Downloads

Atomic Stealer malware advertises itself through ClearFake browser updates disguised as Google’s Chrome and Apple’s Safari.

Anti-malware software provider Malwarebytes has described a new variant of Atomic Stealer (also known as AMOS), which is malware targeting Apple users. The new malware variant, distributed through the fake browser update delivery mechanism ClearFake, advertises itself as updates for Apple’s Safari browser and Google’s Chrome browser. The malware is capable of grabbing a user’s data and sending it to an attacker’s command and control server.

Jérôme Segura, senior director of threat intelligence at Malwarebytes, noted in his post about the attack that ClearFake is actively being updated and that its use of smart contacts in particular makes it “one of the most prevalent and dangerous social engineering schemes.”

“Fake browser updates have been a common theme for Windows users for years, and yet up until now the threat actors didn’t expand onto MacOS in a consistent way,” Segura pointed out.

Jump to:

Timeline of Atomic Stealer malware

Atomic Stealer was first advertised as a malware delivery option for threat actors in April 2023. Malwarebytes found in September 2023 that Atomic Stealer was targeting Mac users through fake software updates advertised on Google searches. Atomic Stealer was particularly suited to grabbing passwords and Apple keychain codes used for bitcoin wallets. Atomic Stealer can also lift credit card information.

While Atomic Stealer had been targeting Mac users for some time, ClearFake was historically used only against Windows machines. This is remarkable because ClearFake is one of the first Windows social campaigns made for Windows that then expanded to not only a different geolocation but a different operating system. Security researcher Randy McEoin discovered ClearFake in August 2023.

Security researcher Ankit Anubhav pointed out on Nov. 17 that, while ClearFake had been seen targeting Windows, the Mac version is a new development.

How ClearFake poses as Safari and Chrome updates

ClearFake is a sequence of malicious websites that purport to offer updates for Safari (Figure A) and Chrome (Figure B). Potential victims will see sites posing as legitimate browser updates.

Figure A

Figure B

Then, the ClearFake scam will deliver Atomic Stealer. Victims who click through to the false updates will download a .dmg file that can steal passwords and extract files.

SEE: Some threat actors have used Apple devices for surveillance over the last year, and it’s a trend that may continue, according to Kaspersky. (TechRepublic) 

Malwarebytes found that the following malicious domains are associated with this threat:

• Longlakeweb [dot] com
• Chalomannoakhali [dot] com
• Jaminzaidad [dot] cm
• Royaltrustrbc [dot] com

The AMOS stealer can be identified using the following indicators:

• 4cb531bd83a1ebf4061c98f799cdc2922059aff1a49939d427054a556e89f464
• be634e786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7b

How to protect against this malware threat

Security admins or IT pros should keep the following in mind to protect employees from ClearFake and Atomic Stealer:

• Keep your organization’s web protection tools up to date.
• Remind employees not to download applications from untrusted sites. Mac users should download applications only from the Mac App Store or company-approved locations.
• Communicate clearly about expected browser updates and other application updates.