Expansion of ClearFake Scheme Targeting Mac Systems

The infamous macOS data stealer, Atomic Stealer, is adopting a new infiltration avenue known as ClearFake, a scheme that masquerades as web browser updates. This strategic move marks a shift from traditional Windows-only campaigns to a broader scope, widening both the geographic regions and the operating systems being targeted, as highlighted by Malwarebytes’ Jérôme Segura in a recent analysis.

Atomic Stealer, a commercial malware that first surfaced in April 2023, operates on a subscription model, priced at $1,000 monthly. Its capabilities include extracting sensitive information from web browsers and cryptocurrency wallets, making it a lucrative tool for cybercriminals.

In a concerning development documented by Malwarebytes in September 2023, an Atomic Stealer campaign exploited deceptive Google ads, deceiving macOS users in search of the TradingView financial charting platform into unwittingly downloading the malware.

Meanwhile, ClearFake, a nascent malware distribution mechanism, leverages compromised WordPress sites to present false web browser update notifications, aiming to deploy stealers and other malicious software. This operation joins a league of threat actors utilizing similar tactics, including TA569 (SocGholish), RogueRaticate (FakeSG), ZPHP (SmartApeSG), and EtherHiding, all revolving around misleading browser update themes.

Recent reports as of November 2023 reveal an expansion of the ClearFake campaign, now targeting macOS systems through a nearly identical infection process. Exploiting compromised websites, the scheme delivers the Atomic Stealer masquerading as a DMG file, signifying a worrying trend of stealer malware relying on fake installer files for legitimate software via multiple deceptive avenues.
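The delivery chain described above (a compromised site showing a fake browser update that hands the visitor a DMG) leaves a recognisable trace in web proxy logs: a disk image named after a browser, served from a host that is not the browser vendor's. The following detection script is an added example written for this page; it is not code from Malwarebytes or from the article. The log lines, the `.test` hostnames and the vendor allow-list in `VENDOR_DOMAINS` are constructed placeholders, and a real deployment would populate the allow-list from the organisation's own approved download sources.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article).
# Fields: timestamp, client IP, referer ("-" if none), requested URL.
SAMPLE_LOG = """\
2023-11-21T10:01:02Z 10.0.0.12 https://blog.example-wp.test/post/123 https://cdn.example-wp.test/update/Safari-Update.dmg
2023-11-21T10:03:45Z 10.0.0.15 - https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg
2023-11-21T10:05:10Z 10.0.0.17 https://news.example-wp.test/ https://files.example-cdn.test/Chrome_Update_v119.dmg
2023-11-21T10:06:00Z 10.0.0.12 https://www.mozilla.org/ https://download.mozilla.org/?product=firefox-latest&os=osx
"""

# Hypothetical allow-list: which domains each browser vendor legitimately
# serves installers from. Any product-named DMG from elsewhere is suspect.
VENDOR_DOMAINS = {
    "chrome": ("google.com",),
    "safari": ("apple.com",),
    "firefox": ("mozilla.org",),
}


def host_matches(host, domains):
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Split one whitespace-separated log line into a record, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, referer, url = parts
    return {
        "ts": ts,
        "client": client,
        "referer": None if referer == "-" else referer,
        "url": url,
    }


def find_fake_updates(log_text):
    """Return alerts for DMG downloads named after a browser but served off-vendor."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        path = parsed.path.lower()
        if not path.endswith(".dmg"):
            continue
        filename = path.rsplit("/", 1)[-1]
        host = (parsed.hostname or "").lower()
        for product, domains in VENDOR_DOMAINS.items():
            if product in filename and not host_matches(host, domains):
                ref_host = urlparse(rec["referer"]).hostname if rec["referer"] else None
                alerts.append({
                    "ts": rec["ts"],
                    "client": rec["client"],
                    "product": product,
                    "file": filename,
                    "host": host,
                    "referer_host": ref_host,
                    # "update" in the filename matches the fake-update lure theme
                    "update_lure": bool(re.search(r"update", filename)),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_fake_updates(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the script flags the two DMGs served from the `.test` hosts and leaves the genuine Chrome download from `dl.google.com` alone; the Firefox request is not a DMG path at all, so it is skipped. The `referer_host` field is what an analyst would pivot on next, since it names the compromised site that displayed the lure.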

Segura notes the adaptability of stealers like AMOS (Atomic macOS Stealer), observing how easily their payloads can be tailored to different targets with minor modifications. This disclosure follows advancements in LummaC2, which now incorporates a novel anti-sandbox technique based on trigonometry, causing the malware to halt execution until it detects “human” behavior on the infected system.

Additionally, the operators of Atomic Stealer tout a new feature claiming the capability to gather Google Account cookies that persist even after password changes, raising concerns highlighted by Alon Gal, co-founder and CTO at Hudson Rock.

Gal’s warnings stress the potential for widespread account breaches and heightened cyber threats if these persistent cookies can indeed evade password changes, signifying a pivotal shift in cybercrime dynamics. The implications could lead to significant security challenges, potentially impacting a multitude of Google services and users at large.

To guard against this, users should regularly update device software and leverage the enhanced security features provided by device manufacturers and platforms. Features like real-time code scanning and restricted settings can bolster defenses against emerging threats, strengthening the device’s overall security posture.