- CloudSek researchers find spoofed version of Spectrum website
- The site tricks people into running AMOS through the ClickFix method
- The researchers attributed the attack to a Russian-speaking group
Russian threat actors have been seen using the popular ClickFix method to steal passwords and drop infostealer malware on macOS targets.
Security researchers from CloudSek have reported multiple websites spoofing Spectrum, a US-based telecommunications provider. Victims visiting these websites would first be asked to verify that they’re human – however, the “verification” was designed to “fail”, after which the victims would be asked to use “Alternative Verification”.
It is unclear why the attackers added the extra step – we can assume it is to throw the victims off and have them lower their guard.
Revoking access tokens
In any case, the “alternative verification” method copies a command on their clipboard, after which the victims are instructed to paste and run them on their devices.
The command delivers AtomicOS (AMOS) – an infamous macOS infostealer that grabs passwords, cryptocurrency wallet data, and system information, from macOS users.
CloudSek did not attribute the campaign to any particular threat actor, but it has determined that they are of Russian origin.
“While inspecting the source code of the delivery page, we came across a couple of comments in Russian, indicating that the malware is likely being spread by Russian speaking cybercriminals,” the company said.
It doesn’t seem that the campaign targeted a specific group of people, or companies, but since it spoofs Spectrum, it’s safe to say the victims are the company’s current, or potential, customers.
The experts did note the campaign was set up rather clumsily: “Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure. This campaign highlights an increasing trend in multi-platform social engineering attacks targeting both consumer and corporate users,” CloudSek concluded.
ClickFix has gotten quite popular in recent times, with different security outfits reporting discovering different variants of the technique in the wild.
Via The Hacker News
