A new report from Malwarebytes has come to light, and this time it looks like the threat actors behind Atomic Stealer (AMOS) are now targeting Mac users. AMOS has been known as an info stealer that has worked on Windows browsers to scrape passwords, browser data and much more.
But now it looks like these threat actors have shifted their attention to Mac users through a campaign known as ClearFake. Earlier, the researchers had noticed a pattern in which these threat actors distributed AMOS to unsuspecting users via infected software updates, cracks, or keygens; when the user downloaded and ran these items, the malware would activate.
However, it now appears that these threat actors are distributing AMOS via modified Google Ads that redirect users to landing pages that appear to be genuine but are in truth a facade to deploy AMOS onto the targets' computers. What is really worrisome is that these Google ads are very convincingly designed, impersonating big brands with apparent ease. It is common practice for people to blindly click on ads thinking they will lead to the right landing page, and in this case the landing pages are also very convincingly created. The moment these ads are clicked, the target is taken to these fake landing pages, and when the target interacts with one, AMOS takes over and, before they know it, the target loses critical information.
“While Mac malware really does exist, it tends to be less detected than its Windows counterpart,” the researchers said in their technical write-up in September this year. “The developer or seller for AMOS actually made it a selling point that their toolkit is capable of evading detection.”