Hijacked WordPress websites are being exploited by malware creators to deceive users into downloading counterfeit Google Chrome and Safari updates, which are laden with AMOS malware.
Counterfeit Google Chrome and Safari updates designed for macOS are now being employed to infiltrate Mac computers with the malicious Atomic Stealer, also known as AMOS. Disseminated through a social engineering campaign, AMOS can steal passwords and sensitive files stored on Mac systems. As cyber threat actors increasingly target Mac users, vigilance and the use of web protection tools are recommended as defences against malware spread through social engineering.
Security firm Malwarebytes has unveiled insights into the latest iteration of Atomic Stealer, with the malware distributed to macOS users via ClearFake—a campaign utilizing compromised WordPress websites to deliver fake browser updates for Chrome and Safari. The detection of AMOS being distributed via ClearFake to macOS users was recently reported by security researcher Ankit Anubhav.
The malware is dispensed through compromised sites that closely mimic the Google Chrome download page, along with a counterfeit Safari update page featuring outdated icons from earlier macOS versions. Despite the deceptive design, some users may be convinced to click and download the malware, particularly due to the realistic appearance of the fake Chrome download.
Upon clicking the download button, the malicious .dmg file is downloaded to the Mac computer, masquerading as a browser installer. Subsequently, upon opening the file, users are prompted to enter the administrator password, enabling the execution of malicious commands, including the theft of passwords from Apple’s Keychain and the extraction of documents, images, wallets, and other data from the user’s desktop and documents folders on macOS.
To enhance protection against the malware, users are advised to employ some form of web protection, such as the Safe Browsing setting within Google Chrome, which can block access to these malicious sites. Additionally, users should exercise caution and refrain from downloading Chrome installers from unfamiliar websites, as these social engineering tactics target users who may struggle to differentiate between genuine and deceptive sites. A helpful guideline is to verify that the address bar actually displays google.com as the site's host, not merely somewhere in the page address. Furthermore, it’s crucial to note that Apple does not distribute Safari updates as individual downloads; official Safari updates are delivered as part of macOS operating system updates.
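The "check that the address bar shows google.com" guideline is easy to state but easy to apply wrongly: a lookalike host such as google.com.evil.example, a google.com directory in the URL path, or a userinfo trick like https://google.com@evil.example all contain the string "google.com" while pointing somewhere else. The following Python snippet is an added illustration, not code from the article or from Malwarebytes, showing a strict host check beside the naive substring test. The allow-list and every sample URL are constructed for the example and are not indicators from the campaign.

```python
"""Strict "is this really google.com?" check for download URLs (added example).

Contrast: a naive substring test ("google.com" in url) versus parsing the URL
and comparing only its real hostname against an allow-list of vendor domains.
"""
from urllib.parse import urlsplit

# Assumed allow-list for this example: Chrome installers come from google.com.
OFFICIAL_DOWNLOAD_DOMAINS = {"google.com"}


def host_matches_domain(hostname: str, domain: str) -> bool:
    """True if hostname equals domain or is a subdomain of it (www.google.com).

    'notgoogle.com' must not match, so the suffix test includes the dot.
    """
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def is_official_download_url(url: str, allowed=OFFICIAL_DOWNLOAD_DOMAINS) -> bool:
    """Return True only when the URL's real host belongs to an allowed domain.

    urlsplit().hostname discards the userinfo ("user@") and the port, so
    'https://google.com@evil.example/' resolves to evil.example, and the path
    ('/google.com/chrome.dmg') never takes part in the comparison.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False  # vendor download pages are served over HTTPS
    host = parts.hostname
    if not host:
        return False
    return any(host_matches_domain(host, d) for d in allowed)


def naive_check(url: str) -> bool:
    """The mental substring test a hurried user applies; shown for contrast only."""
    return "google.com" in url


# Constructed sample URLs (not real indicators from the article) -> expected verdict.
SAMPLES = {
    "https://www.google.com/chrome/": True,
    "https://google.com@evil.example/chrome.dmg": False,  # userinfo trick
    "https://evil.example/google.com/chrome.dmg": False,  # domain only in path
    "https://google.com.evil.example/update": False,      # prefix lookalike
    "http://www.google.com/chrome/": False,               # not HTTPS
    "https://notgoogle.com/chrome": False,                # suffix lookalike
}


def run_samples() -> dict:
    """Evaluate every sample URL with the strict check."""
    return {url: is_official_download_url(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        strict = is_official_download_url(url)
        print(f"strict={strict!s:5} naive={naive_check(url)!s:5} {url}")
        assert strict == expected
```

Every lookalike above passes the naive substring test and fails the strict one; the point for a reader is that only the parsed hostname, compared against an exact domain or its subdomains, answers the question the article's guideline is asking.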