Newsletter
In August, cybersecurity researcher Randy McEoin discovered a new type of malware disguised as a software update. He named it “ClearFake”. ClearFake deceives users by exploiting hijacked WordPress sites, leading them to download fake browser updates which then infect their systems with malware. Initially, ClearFake focused on Windows systems, deploying a campaign with a fake Chrome update. Recent findings by security researcher Ankit Anubhav reveal a shift in tactics, with ClearFake now targeting Mac users through a counterfeit Safari update, delivering iOS malware.
ClearFake has used two primary methods to deliver payloads to victims’ systems. Initially, compromised websites were redirected to a Cloudflare worker host, enabling the injection of malicious JavaScript. Security experts detected and easily dismantled this approach because it was hosted on Cloudflare. Subsequently, the group adopted a new strategy, leveraging the security benefits of the blockchain, specifically the Binance Smart Chain (BSC) JS library.
The download of a third-stage payload is initiated by fetching malicious scripts from the blockchain. Exploiting the decentralized nature of the blockchain, attackers are more capable of evading takedowns. The payload is no different, it presents users with fake browser update overlays that lead to installing a malicious executable.
ClearFake uses templates that almost identically mimic legitimate Safari and Chrome updates
Hackers obfuscate code to conceal their malicious intent and evade detection by security measures. By transforming code into a complex, convoluted structure, they slow analysis and make it challenging for security tools to identify and interpret their activities. Originally named for its non-obfuscated JavaScript, ClearFake ironically evolved into a formidable challenge to detect due to its blockchain-based injection method.
According to a report by Malwarebytes, the recent Mac campaign by ClearFake distributes a distinct malware variant, Atomic Stealer. Atomic Stealer offers cybercriminals a comprehensive toolkit, enabling the theft of account passwords, browser data, session cookies, and crypto-wallets. Distributed through a dedicated Telegram channel, the malware author provides web panel access and a disk-image-based installer for $1000 per month.
Disguised as installers for legitimate applications, ClearFake’s payload masquerades as Safari or Chrome updates. Upon downloading Atomic Stealer, the malware mimics another Safari update, prompting users for an admin password for command execution.
Social engineering attacks often disguise malware as software updates or application installers. Again, ClearFake uses Safari and Chrome templates that are nearly identical to those used by Mac and Google. Mac users should be alert against this new social engineering attack attempting to steal sensitive information.