rss-bridge 2026-02-27T11:16:10+00:00

Uncovering a Global macOS Malware Campaign

Active Malware-as-a-Service (MaaS) campaign utilizing the "ClickFix" social engineering framework to distribute the Atomic macOS Stealer (AMOS) / MacSync. The threat actor is exploiting high-traffic WordPress websites (e.g., web.hypothes.is, unitedwaynca.org) by injecting a redundant, two-stage loader. The initial loader utilizes strict Traffic Delivery System (TDS) filtering, only serving the payload to macOS users originating from residential or cellular IP addresses to evade automated datacenter scanning. Once triggered, a fake Cloudflare "Verify you are human" modal is rendered. Clicking "Copy" on this modal uses clipboard hijacking to trick the user into executing a fileless Base64 payload via the macOS Terminal. Owners of compromised sites serving malware include Hypothesis and United Way.

Full technical analysis and verification methodology: https://open.substack.com/pub/defensendepth/p/the-ghost-in-the-annotations

Indicators of Compromise (IoCs)

Indicator                           Type          Description
api.aloparatoriuz.com               domain        Stage 1 TDS Gate (Initial Loader)
volcatomix.com                      domain        Stage 2 Payload Lure (Fake Cloudflare Host)
stradisamplix.com                   domain        Stage 3 Exfiltration C2
86.54.42.244                        IPv4          Exfiltration C2 IP
LokwiUHhajhWnbX                     URI           Unique Script Path
f48fbe39836779cadbf148b5952919fd    FileHash-MD5  ClickFix Affiliate ID (passed in X-Bid header)

Edit: clarified in the summary here that the attack requires additional user interaction after clicking copy to paste the clipboard contents into a terminal according to the modal instructions. This is a new campaign launched in the last 48 hours that is consistent with other ClickFix campaigns and a write-up for people, not a new technique.

submitted by /u/RiddleMeDisk

Source: https://www.reddit.com/r/netsec/comments/1rg3zmd/uncovering_a_global_macos_malware_campaign/
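The following is an added defender-side example, not code from the post or from the linked write-up. It loads the IoCs listed in the post into a small matcher, runs it over a constructed sample of outbound web-proxy log lines (the log format, timestamps and client addresses are assumptions for the example), and separately flags the generic "decode Base64 and pipe it into a shell" pattern that the post describes the user being tricked into running, here over constructed shell-history lines with an obvious placeholder in place of any real payload.

```python
"""Match the post's IoCs against proxy logs and flag decode-to-shell history lines.

Added example; the log format and sample data below are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as listed in the post.
IOC_HOSTS = {
    "api.aloparatoriuz.com": "Stage 1 TDS gate (initial loader)",
    "volcatomix.com": "Stage 2 payload lure (fake Cloudflare host)",
    "stradisamplix.com": "Stage 3 exfiltration C2",
    "86.54.42.244": "Exfiltration C2 IP",
}
UNIQUE_SCRIPT_PATH = "LokwiUHhajhWnbX"
AFFILIATE_ID_MD5 = "f48fbe39836779cadbf148b5952919fd"

# Constructed proxy log, one request per line:
#   <timestamp> <client-ip> <method> <url> <notable request headers or '-'>
# This layout is an assumption for the example, not a real product's format.
SAMPLE_PROXY_LOG = """\
2026-02-27T10:01:02Z 10.0.0.5 GET https://example.org/blog/ -
2026-02-27T10:01:03Z 10.0.0.5 GET https://api.aloparatoriuz.com/LokwiUHhajhWnbX X-Bid=f48fbe39836779cadbf148b5952919fd
2026-02-27T10:01:05Z 10.0.0.5 GET https://volcatomix.com/verify -
2026-02-27T10:02:10Z 10.0.0.5 POST http://86.54.42.244/upload -
2026-02-27T10:03:00Z 10.0.0.7 GET https://example.org/ -
"""


def parse_proxy_line(line: str):
    """Split one constructed log line into its five fields; None if malformed."""
    parts = line.split(None, 4)
    if len(parts) < 5:
        return None
    ts, client, method, url, headers = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "headers": headers}


def match_proxy_log(text: str):
    """Return (client, indicator, description) for every IoC hit in the log text."""
    hits = []
    for line in text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        u = urlsplit(rec["url"])
        host = (u.hostname or "").lower()  # hostname also covers bare IPv4 URLs
        if host in IOC_HOSTS:
            hits.append((rec["client"], host, IOC_HOSTS[host]))
        if UNIQUE_SCRIPT_PATH in u.path:
            hits.append((rec["client"], UNIQUE_SCRIPT_PATH, "Unique script path"))
        if AFFILIATE_ID_MD5 in rec["headers"].lower():
            hits.append((rec["client"], AFFILIATE_ID_MD5, "ClickFix affiliate ID in X-Bid header"))
    return hits


# Generic ClickFix execution pattern: base64 decode piped straight into a shell.
# Matches both the macOS `-D` spelling and the `-d`/`--decode` spellings.
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")

# Constructed shell-history lines; the payload is a placeholder, not a real sample.
SAMPLE_SHELL_HISTORY = [
    "ls -la ~/Downloads",
    "echo <BASE64_PLACEHOLDER> | base64 -d | bash",
    "git status",
]


def flag_decode_to_shell(lines):
    """Return the history lines that decode Base64 and pipe the result into a shell."""
    return [line for line in lines if DECODE_TO_SHELL.search(line)]


if __name__ == "__main__":
    for client, indicator, desc in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client}  {indicator:<40} {desc}")
    for line in flag_decode_to_shell(SAMPLE_SHELL_HISTORY):
        print("suspicious history line:", line)
```

On the constructed log the matcher attributes every stage to the same client address, which is the pivot a responder wants: one host touching the TDS gate, the lure host and the C2 IP in sequence is the campaign's full chain, whereas a single lure-host hit on its own may only be the TDS having filtered the visitor out.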
