Heimdal Security Blog

Mac Systems Under Threat: ClearFake Campaign Deploys Atomic Stealer Malware


Threat actors target macOS systems with the Atomic Stealer malware in a new phase of the ClearFake campaign. Mac users are tricked into downloading the infostealer on their devices from fake browser updates.

Atomic Stealer (AMOS) is an infostealer built to target macOS devices. It collects and exfiltrates data from infected Macs and is sold on Telegram on a subscription basis for $1,000 per month.

macOS devices at risk of Atomic Stealer infection

The ClearFake campaign normally uses compromised WordPress sites to push malicious browser update notifications. Unaware victims who click on them end up deploying stealers and other types of malware on their devices.

Researchers revealed that the attackers don't only target Windows users, but macOS users too. They observed ClearFake employing similar infection methods against macOS systems: the campaign uses hacked websites to spread Atomic Stealer packaged as a DMG file.

The malware was first distributed through malicious ads, but since November it has been delivered through fake browser update notifications. The attackers use forged update templates for both Safari and Google Chrome.

How can Mac users protect against Atomic Stealer infection?

Threat actors are becoming more and more skilled at imitating legitimate websites. Training employees to recognize social engineering and phishing attempts should be high on your priority list.

However, human error is still the top cause of data breaches, according to Verizon's 2023 DBIR. Lack of attention and fatigue can make even a skilled, cybersecurity-aware employee click a malicious link.

“Macs are immune to malware” is one of the debunked myths about Mac devices. A Mac needs patching, anti-malware and NextGen AVs just like any other machine.

So, the smart thing to do is upgrade your protection.

To prevent an Atomic Stealer infection on your macOS endpoints, I recommend using:

Not all employees need to download software or update browsers themselves on the company's computers, so they should not be able to do that. A PAM solution can enforce this restriction automatically.

Additionally, enforcing a clear PAM policy and using a professional tool to manage privileged accounts limits the attack surface and prevents an initial compromise from spreading further.
