date 2023-11-22

The macOS information stealer known as Atomic Stealer is now being delivered to targets through a chain of bogus web browser updates (in this specific case, for macOS Safari) tracked as ClearFake.

How the ClearFake campaign works and how it expands the already known Atomic Stealer malware

“This may very well be the first time we’ve seen a major social engineering campaign, previously reserved for Windows, expand not only in terms of geolocation but also of operating system,” said Malwarebytes’ Jérôme Segura in a Tuesday analysis.

Atomic Stealer (aka AMOS), first documented in April 2023, is a family of commercial malware sold on a subscription basis at a cost of $1,000 per month (the so-called malware-as-a-service model) and is able to steal data from web browsers and cryptocurrency wallets.

Then, in September 2023, Malwarebytes documented in detail another Atomic Stealer campaign that exploited malicious Google ads, tricking macOS users searching for a financial charting platform known as TradingView into downloading the malware.

ClearFake, on the other hand, is a nascent malware distribution operation that uses compromised WordPress sites to serve fraudulent web browser update alerts in the hope of distributing information stealers and other malware.

It is the latest addition to a broad group of cybercriminal clusters, including TA569 (aka SocGholish), RogueRaticate (FakeSG), ZPHP (SmartApeSG) and EtherHiding, known to use fake browser update themes for this purpose.

In November 2023, the ClearFake campaign expanded to target macOS systems with an almost identical infection chain, exploiting hacked websites to deliver Atomic Stealer in the form of a DMG file.

The ClearFake development is a sign that stealer malware continues to rely on fake or poisoned installation files for legitimate software, propagated through malicious advertisements, search engine redirects to malicious websites, drive-by downloads, phishing, and SEO poisoning.

“The popularity of stealers like AMOS makes it quite easy to adapt the payload to different targets, with small adjustments,” Segura said.

Lumma Stealer seeks a way to extract persistent Google cookies

The disclosure also follows updates to the LummaC2 information stealer, which uses a trigonometry-based anti-sandbox technique that forces the malware to wait until “human” behavior is detected on the infected machine.

The operators of the malware are also promoting a new feature that they claim can be used to collect Google account cookies from compromised computers that will not expire or be revoked even if the owner changes the password.

“This will bring about a significant change in the world of cybercrime, allowing hackers to infiltrate even more accounts and carry out significant attacks,” declared Alon Gal, co-founder and CTO of Hudson Rock, in a series of posts on LinkedIn, adding: “In essence, these cookies seem more persistent and could lead to an increase in Google services used by people who get hacked, and if the claim that a password change doesn’t invalidate the session is true, we expect much more serious problems.”

Other cases similar to the ClearFake campaign

In addition to the threats mentioned, the cybersecurity landscape is seeing the proliferation of other similar malware cases with increasingly sophisticated techniques; for example, the banking Trojan Emotet has continued to evolve, leveraging advanced spear-phishing tactics to infiltrate systems.

Another example is TrickBot, a modular banking Trojan that has expanded its scope to include ransomware distribution capabilities.

These cases highlight the continued adaptability and growing complexity of cyber threats, underscoring the importance of advanced security practices and regular updates to protect systems from increasingly sophisticated attacks.