Over 2,800 websites used to spread AMOS malware

Ransomware gangs have historically thrived on infected email attachments and bogus invoices, but as security measures have improved, attackers have shifted their focus to more subtle tactics. One such tactic is targeting the small checkbox labeled “I’m not a robot” that most people click without a second thought. The widespread campaign known as MacReaper exemplifies this shift: it has compromised over 2,800 legitimate websites and redirects visitors to an infection process specifically designed for Apple computers.
The MacReaper operation relies on visual trust signals, such as a convincing fake of Google’s reCAPTCHA, along with hidden clipboard code that ultimately leads to the installation of Atomic macOS Stealer (AMOS). This data-harvesting infostealer is distributed through Telegram and is capable of stealing a wide array of sensitive data from infected Mac computers.
When a Mac user visits one of the compromised websites, they are presented with a full-screen imitation of Google’s reCAPTCHA box. The fake reCAPTCHA prompts the user to click “I’m not a robot,” but behind the scenes, a hidden command is copied to their clipboard. The user is then instructed to open Terminal and paste the copied command, which results in the download and execution of the Atomic macOS Stealer malware.
This attack is specifically targeted at Mac users, as the website checks the visitor’s operating system and only activates the attack if macOS is detected. The malware is capable of extracting Wi-Fi and app passwords, collecting browser cookies and autofill data, listing system information, scanning through personal folders, and targeting over 50 types of cryptocurrency wallets.
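A site owner checking pages for this kind of injection can look for the traits described above occurring together. The following is an added example, not code from the campaign or from the original article; the indicator names, weights, and both sample pages are constructed for illustration.

```javascript
// Heuristic scan of page source for the fake-CAPTCHA clipboard lure.
// Indicator names and weights are assumptions chosen for this example.
const INDICATORS = [
  { name: "clipboard_write", weight: 3,      // page fills the clipboard itself
    re: /navigator\.clipboard\.writeText\s*\(|document\.execCommand\s*\(\s*['"]copy['"]/i },
  { name: "terminal_instruction", weight: 3, // visitor is told to paste into Terminal
    re: /\bTerminal\b[\s\S]{0,200}\bpaste\b|\bpaste\b[\s\S]{0,200}\bTerminal\b/i },
  { name: "captcha_lure", weight: 2,         // CAPTCHA wording or branding on the page
    re: /I['’]m not a robot|reCAPTCHA/i },
  { name: "macos_gate", weight: 1,           // behaviour gated on the visitor's OS
    re: /navigator\.(userAgent|platform)[\s\S]{0,80}Mac/i },
];

function scanPage(html) {
  const hits = INDICATORS.filter((i) => i.re.test(html));
  const indicators = hits.map((i) => i.name);
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  // No single trait is damning: copy buttons and real reCAPTCHA widgets are common.
  // The lure needs a clipboard write AND an instruction to paste into Terminal.
  const suspicious = indicators.includes("clipboard_write") &&
                     indicators.includes("terminal_instruction");
  return { score, indicators, suspicious };
}

// Constructed sample: inert stand-in for an injected lure (placeholder clipboard text).
const INJECTED_SAMPLE = `
<div>reCAPTCHA <label><input type="checkbox" id="cb"> I'm not a robot</label>
<p>Verification step: open Terminal and paste the copied text.</p></div>
<script>
if (navigator.platform.includes("Mac")) {
  document.getElementById("cb").onclick = () =>
    navigator.clipboard.writeText("echo CONSTRUCTED-PLACEHOLDER");
}
</script>`;

// Constructed sample: ordinary page with a copy-link button and a CAPTCHA widget.
const BENIGN_SAMPLE = `
<button onclick="navigator.clipboard.writeText(location.href)">Copy link</button>
<div class="g-recaptcha" data-sitekey="CONSTRUCTED-KEY"></div>`;

console.log(scanPage(INJECTED_SAMPLE));
console.log(scanPage(BENIGN_SAMPLE));
```

A page flagged as suspicious still needs manual review; the benign sample shows why clipboard access or CAPTCHA branding alone is not enough to raise the flag.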
To protect yourself from the evolving threat of the MacReaper attack, it is essential to implement several security measures. These include being skeptical of CAPTCHA prompts, avoiding clicking on links from unverified emails, enabling two-factor authentication, keeping devices updated, monitoring accounts for suspicious activity, and investing in a personal data removal service.
As Apple continues to improve security measures, attackers are increasingly relying on psychological levers to exploit trust and deceive users. It is crucial for individuals to exercise healthy skepticism and implement robust security practices to protect themselves from sophisticated attacks like MacReaper. Stay informed and stay vigilant to safeguard your personal information and digital assets from cyber threats.