A sophisticated new malware campaign has emerged, which specifically targets macOS users through the use of deceptive typo-squatted domain names. These particular fraudulent domains are designed to convincingly mimic Spectrum, which is a major United States telecommunications provider for many customers. This recent campaign represents a significant escalation in ongoing cross-platform social engineering attacks that target both consumer and corporate users alike. The malicious operation notably leverages the increasingly popular Clickfix method, presenting its victims with fake but convincing security verification pages to execute code.
When unsuspecting users encounter these deceptive interfaces on fraudulent domains, they are then prompted to complete what appears to be a routine process. However, clicking the provided “Alternative Verification” button instead triggers a malicious sequence that then copies harmful commands to the user’s clipboard. CloudSEK researchers first identified this dangerous campaign during their routine discovery of new attacker infrastructure, quickly uncovering its complex multi-platform nature. Their detailed investigation subsequently revealed that the malicious websites deliver different payloads depending on the victim’s specific operating system, with macOS users receiving particularly dangerous shell scripts. These scripts are designed to harvest credentials and download AMOS variants for further exploitation.
The attack effectively employs a brand new variant of the Atomic macOS Stealer, also known as AMOS, which is cleverly disguised as a CAPTCHA verification.
The malware’s infection process demonstrates remarkable sophistication in successfully exploiting the unique security architecture that is built into the modern macOS. When the targeted macOS users follow the fake verification instructions that are displayed on the deceptive page, they inadvertently execute a downloaded shell script. This script then initiates an insidious credential harvesting routine by continuously prompting users for their system password until it is correct. It uses macOS’s native dscl command to validate the authenticity of the password that has been entered by the unsuspecting computer user. Once successful, the malware downloads the main AMOS payload and employs the stolen password with sudo privileges to bypass Apple’s Gatekeeper protections.
This particular attack’s widespread impact extends far beyond just individual credential theft, potentially enabling significant corporate network infiltration and also subsequent lateral movement.
By successfully harvesting macOS user passwords, these attackers can then easily gain unauthorized access to important corporate systems, secure VPNs, and other critical internal resources. The presence of Russian-language comments discovered by the security researchers in the source code suggests the possible involvement of some Russian-speaking cybercriminal actors. However, several technical flaws, including mismatched instructions across platforms, indicate the attackers likely used hastily assembled infrastructure despite their sophistication in their social engineering tactics. The campaign’s core sophistication lies in its ability to exploit user trust.
Reference:
