# Full Report
Cybersecurity researchers are alerting to a new malware campaign that employs the ClickFix social engineering tactic to trick users into downloading an information stealer malware known as Atomic macOS Stealer (AMOS) on Apple macOS systems. The campaign, according to CloudSEK, has been found to leverage typosquat domains mimicking U.S.-based telecom provider Spectrum. "macOS users are served a
# Analysis Summary
# Tool/Technique: Atomic macOS Stealer (AMOS)
## Overview
Atomic macOS Stealer (AMOS) is an information stealer malware specifically targeting Apple macOS systems. It is being distributed through a social engineering campaign utilizing the "ClickFix" tactic, often via typosquat domains mimicking legitimate services.
## Technical Details
- Type: Malware family
- Platform: Apple macOS
- Capabilities: Steals system passwords and credentials, executes malicious binaries, bypasses security mechanisms.
- First Seen: Information on the initial sighting of the general 'Atomic Stealer' lineage is not provided, but this specific campaign involving an AMOS variant is current.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (implied by the initial delivery mechanism; not stated explicitly)
- Post-exploitation credential theft (implied; no specific technique ID is stated)
- TA0006 - Credential Access
- T1003 - OS Credential Dumping (Implied via password stealing)
## Functionality
### Core Capabilities
- Harvesting credentials using native macOS commands.
- Downloading and staging the next-stage payload (the AMOS variant) via a downloaded shell script.
- Executing malicious binaries post-download.
### Advanced Features
- Leverages social engineering (ClickFix) to trick users into running scripts that prompt for system passwords.
- Uses native macOS commands for file system interaction and security evasion.
## Indicators of Compromise
- File Hashes: N/A (Specific hashes for the current variant are not provided in the text)
- File Names: N/A (Specific payload names are not provided in the text)
- Registry Keys: N/A (not applicable on macOS, which has no registry; no persistence artifacts are detailed)
- Network Indicators: No C2 or exfiltration domains for this AMOS campaign are given in the source, although exfiltration of stolen data is the stated end goal.
- Behavioral Indicators: Execution of a downloaded shell script after a failed CAPTCHA interaction; a system password prompt raised by a script run from the Terminal application.
## Associated Threat Actors
- Russian-speaking cybercriminals (inferred from Russian language comments in the source code).
## Detection Methods
- Signature-based detection: Applicable once hashes or known string patterns for the AMOS variant are published.
- Behavioral detection: Monitoring for shell scripts executing via user interaction following web browsing (especially involving fake verification pages) that subsequently initiate credential harvesting commands.
- YARA rules: N/A
## Mitigation Strategies
- User awareness training regarding the ClickFix social engineering tactic and requests for credentials outside of secure, expected workflows.
- Disabling or restricting the execution of downloaded shell scripts, especially those initiated via web interaction.
- Implementing strong endpoint security to monitor and block unauthorized use of native macOS commands for enumeration or file execution.
- Restricting the use of the Terminal application for unauthorized users or processes.
## Related Tools/Techniques
- **Technique:** ClickFix social engineering tactic (used for delivery).
- **Other Payloads Distributed via ClickFix:** Lumma, StealC, NetSupport RAT.
- **Related Malware:** Atomic Stealer (AMOS is a variant/evolution of this family).
***
# Tool/Technique: ClickFix Social Engineering Campaign
## Overview
ClickFix is a widespread social engineering attack vector designed to trick victims into executing malicious commands or downloading payloads by exploiting "verification fatigue." Attackers set up fake CAPTCHA challenges (mimicking services like hCaptcha, Google reCAPTCHA, or Cloudflare Turnstile) that, upon failed interaction, instruct the user to execute a command (often hidden or copied to the clipboard) to "fix" the verification error.
## Technical Details
- Type: Technique/Framework (Social Engineering Delivery Method)
- Platform: Cross-platform (Targets Windows, macOS, and Linux users, though instructions vary)
- Capabilities: Bypasses security controls by having the user willingly execute the initial malicious step; used for initial access and delivering various malware payloads.
- First Seen: Campaign activity has surged over the past year (as of the article date).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.002 - Spearphishing Link
- T1204 - User Execution
- T1204.002 - Malicious File
## Functionality
### Core Capabilities
- Impersonation of legitimate security checks (CAPTCHAs) to establish a pretext.
- Guiding the user to copy and execute arbitrary commands (shell scripts on macOS/Linux, PowerShell via Run dialog on Windows).
- Exploiting user conditioning to click through security prompts quickly ("verification fatigue").
### Advanced Features
- Pages are sometimes "pixel-perfect copies" of legitimate services.
- In some cases, fake verification hooks have been injected into real, compromised websites.
## Indicators of Compromise
- File Hashes: N/A (Payload dependent)
- File Names: N/A (Payload dependent)
- Registry Keys: N/A
- Network Indicators: Malicious URLs serving the fake CAPTCHA pages (e.g., `panel-spectrum[.]net`, `spectrum-ticket[.]net`).
- Behavioral Indicators: Displaying non-standard instructions for command-line execution (e.g., advising Mac users to use the Windows Run dialog) immediately after a failed CAPTCHA screen.
## Associated Threat Actors
- Unknown actors leveraging this tactic broadly.
- Specific actors using this method have distributed Lumma, StealC, and NetSupport RAT.
- The AMOS campaign leveraging this is attributed to Russian-speaking cybercriminals.
## Detection Methods
- Signature-based detection: Monitoring for known typosquat domains used in these campaigns.
- Behavioral detection: Detecting anomalous execution chains where application usage (like a web browser) leads directly to the launch of command-line interfaces (Terminal, cmd.exe) with user-supplied input or execution of downloaded scripts.
- YARA rules: N/A
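The behavioral detection described in both Detection Methods sections (for AMOS: shell scripts executed after web browsing that go on to harvest credentials; for ClickFix: browser activity leading to a command-line interface running downloaded scripts) can be written as a correlation rule over process telemetry. The following is an added example, not code from the article, CloudSEK or any vendor. The JSON event schema (`event`, `pid`, `ppid`, `name`, `cmd`, `path`), the ten-minute window and the sample events are all constructed assumptions. On macOS a Terminal window opened by the user is not a child process of the browser, so the rule correlates browser activity to the shell by user and time, and uses parent-child lineage only from Terminal down to the shell that runs the script.

```python
"""Added example: correlate browser activity with a Terminal-launched shell that
runs a script from a download or temp location (ClickFix-style chain on macOS)."""
import json
import re
from datetime import datetime, timedelta

BROWSERS = {"Safari", "Google Chrome", "firefox", "Microsoft Edge"}
SHELLS = {"sh", "bash", "zsh"}
WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per environment
# Script paths a user typically ends up with after a "download this and run it" pretext.
SCRIPT_PATH = re.compile(r"(?:(?:/private)?/tmp|/Users/[^/\s]+/Downloads)/\S+")

# Constructed sample telemetry (JSON lines). The field names are an assumed
# EDR-style schema, not a real product's format; alice's chain is the suspicious one.
SAMPLE_EVENTS = """\
{"ts":"2025-06-05T10:00:01Z","event":"exec","user":"alice","pid":410,"ppid":1,"name":"Safari","cmd":"/Applications/Safari.app/Contents/MacOS/Safari"}
{"ts":"2025-06-05T10:02:15Z","event":"download","user":"alice","pid":410,"ppid":1,"name":"Safari","path":"/Users/alice/Downloads/verify.sh"}
{"ts":"2025-06-05T10:02:40Z","event":"exec","user":"alice","pid":512,"ppid":1,"name":"Terminal","cmd":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"ts":"2025-06-05T10:02:41Z","event":"exec","user":"alice","pid":513,"ppid":512,"name":"zsh","cmd":"-zsh"}
{"ts":"2025-06-05T10:02:58Z","event":"exec","user":"alice","pid":520,"ppid":513,"name":"bash","cmd":"bash /Users/alice/Downloads/verify.sh"}
{"ts":"2025-06-05T11:30:00Z","event":"exec","user":"bob","pid":700,"ppid":1,"name":"Terminal","cmd":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"ts":"2025-06-05T11:30:01Z","event":"exec","user":"bob","pid":701,"ppid":700,"name":"zsh","cmd":"-zsh"}
{"ts":"2025-06-05T11:31:00Z","event":"exec","user":"bob","pid":702,"ppid":701,"name":"bash","cmd":"bash /Users/bob/projects/build.sh"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def ancestor_names(ev, by_pid):
    """Walk ppid links upward; returns ancestor process names, nearest first."""
    names, pid, seen = [], ev["ppid"], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]
        names.append(parent["name"])
        pid = parent["ppid"]
    return names


def detect_clickfix_chain(events):
    """Return alerts for shells under Terminal that run a script from a
    download/temp path shortly after browser activity by the same user."""
    by_pid = {e["pid"]: e for e in events if e["event"] == "exec"}
    alerts = []
    for ev in events:
        if ev["event"] != "exec" or ev["name"] not in SHELLS:
            continue
        m = SCRIPT_PATH.search(ev["cmd"])
        if not m or "Terminal" not in ancestor_names(ev, by_pid):
            continue
        script = m.group(0)
        # Browser activity (launch or download) by this user inside the window.
        browser_hits = [
            b for b in events
            if b["user"] == ev["user"] and b["name"] in BROWSERS
            and timedelta(0) <= ev["ts"] - b["ts"] <= WINDOW
        ]
        if not browser_hits:
            continue
        # Strongest signal: the script being run is the file the browser just downloaded.
        downloaded = any(b["event"] == "download" and b.get("path") == script
                         for b in browser_hits)
        alerts.append({
            "user": ev["user"],
            "pid": ev["pid"],
            "script": script,
            "severity": "high" if downloaded else "medium",
            "chain": " <- ".join([ev["name"]] + ancestor_names(ev, by_pid)),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_clickfix_chain(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Bob's build script is ignored because it is neither in a download or temp location nor preceded by browser activity, which is the kind of benign developer workflow a pure "Terminal ran a shell script" rule would flood on. A credential-prompt or enumeration command issued by the flagged shell, as the report's Behavioral Indicators describe, would be the natural follow-on event to add to the severity scoring.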
## Mitigation Strategies
- Educating users to critically assess website security prompts and instructions, especially when they demand opening command-line tools.
- Robust endpoint detection and response (EDR) tuned to flag system password prompts originating from unexpected parent processes (e.g., a browser initiating a shell command).
- Deploying web filtering to block known malicious infrastructure associated with ClickFix distribution.
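Signature-based detection of known typosquat domains (Detection Methods above) and the web-filtering mitigation both reduce to matching observed hostnames against published IoCs and against brand lookalikes. The following added example is not from the article, CloudSEK or any vendor: it refangs the two domains quoted under Network Indicators, flags any other registrable domain whose second-level label contains the impersonated brand token, and runs that over a constructed DNS query log. The log format, the brand allowlist (`spectrum.com`, `spectrum.net`) and the two-label registrable-domain rule are assumptions; a production version should use a public-suffix-aware parser and a verified list of the brand's own domains.

```python
"""Added example: match DNS query names against the report's defanged domain
IoCs and against a brand-lookalike heuristic (ClickFix typosquat infrastructure)."""
import re

# The two domains quoted in the Network Indicators above, in their defanged form.
KNOWN_BAD_DEFANGED = ["panel-spectrum[.]net", "spectrum-ticket[.]net"]
# Assumed allowlist of the impersonated brand's own registrable domains;
# replace with a verified list before relying on the "allowed" verdict.
BRAND_ALLOWLIST = {"spectrum": {"spectrum.com", "spectrum.net"}}


def refang(indicator):
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()


def registrable_domain(hostname):
    """Assumption: the registrable domain is the last two labels (no public-suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


KNOWN_BAD = {refang(d) for d in KNOWN_BAD_DEFANGED}


def classify(hostname):
    """Verdict precedence: blocklisted, then allowed, then brand-lookalike, else unknown."""
    reg = registrable_domain(hostname)
    if reg in KNOWN_BAD:
        return "blocklisted"
    sld = reg.split(".")[0]
    for brand, legit in BRAND_ALLOWLIST.items():
        if reg in legit:
            return "allowed"
        if brand in sld:
            return "brand-lookalike"
    return "unknown"


# Constructed DNS query log lines (the format is an assumption, not a real resolver's).
SAMPLE_DNS_LOG = """\
2025-06-05T10:01:02Z alice-mac query A panel-spectrum.net
2025-06-05T10:01:05Z alice-mac query A www.spectrum.net
2025-06-05T10:05:10Z bob-mac query A spectrum-ticket.net
2025-06-05T10:06:00Z bob-mac query A cdn.example.org
2025-06-05T10:07:00Z carol-mac query A login-spectrum-support.com
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")


def scan_dns_log(text):
    """Return (client host, query name, verdict) for queries worth blocking or reviewing."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["qname"])
        if verdict in ("blocklisted", "brand-lookalike"):
            findings.append((m["host"], m["qname"], verdict))
    return findings


if __name__ == "__main__":
    for finding in scan_dns_log(SAMPLE_DNS_LOG):
        print(finding)
```

The substring match on the second-level label is deliberately broad and will also catch legitimate third parties that include the brand name, so "brand-lookalike" is a review verdict while "blocklisted" is a block verdict; feeding the blocklisted set to the web filter and the lookalike set to an analyst queue keeps the two separate.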
## Related Tools/Techniques
- Phishing (T1566)
- Lumma (Stealer delivered via similar vectors)
- Reporting and analytics from CloudSEK, Darktrace and SlashNext focusing on this TTP.