macOS ClickFix Campaign Delivers AMOS and Other Infostealers: A DNS Deep Dive

macOS ClickFix Campaign Delivers AMOS and Other Infostealers: A DNS Deep Dive
Microsoft analyzed a ClickFix campaign that targeted macOS users with Macsync, Shub Stealer, and AMOS, using malicious commands hosted on blog and other user-generated content platforms to lure people seeking macOS help. The investigation identified 140 network IoCs and uncovered extensive DNS-related infrastructure, including typosquatting groups, likely malicious registrations, victim-related IP communications, and many email-connected domains later weaponized for attacks. #Macsync #ShubStealer #AMOS #ClickFix #Microsoft

Keypoints

  • Microsoft published an in-depth analysis of a ClickFix campaign aimed at macOS users.
  • The campaign delivered three infostealers: Macsync, Shub Stealer, and AMOS.
  • Attackers hosted malicious commands on blog sites and other user-driven content platforms to exploit users searching for macOS troubleshooting advice.
  • Researchers identified 140 network IoCs, later narrowing the investigation to 138 unique IoCs after filtering out legitimate and inactive items.
  • DNS analysis found typosquatting groups, likely malicious domain registrations, and large numbers of historical domain-to-IP and IP-to-domain resolutions.
  • Further hunting uncovered 691 email-connected domains, with 14 confirmed malicious, plus additional malicious IP-linked infrastructure.
  • The report provides only a snapshot of the full research and references downloadable artifacts for deeper investigation.

MITRE Techniques

  • [T1204.001 ] User Execution: Malicious Link – Attackers lured users searching for macOS help into interacting with malicious commands hosted on blog and user-driven content platforms (‘hosting their malicious commands in these sites’)
  • [T1583.001 ] Acquire Infrastructure: Domains – The campaign used numerous domains and subdomains, including typosquatting and newly registered-looking infrastructure (‘121 domains’, ‘seven typosquatting groups’)
  • [T1583.008 ] Acquire Infrastructure: Malvertising/Compromised Websites – Malicious content was hosted on legitimate publishing platforms to blend in with normal user-generated content (‘hosted on a legitimate publishing platform’)
  • [T1566.002 ] Phishing: Spearphishing Link – The lure relied on deceptive advice pages and look-alike documentation to entice victims to follow malicious guidance (‘helpful advice on macOS-related issues’)
  • [T1036.005 ] Masquerading: Match Legitimate Name or Location – Several subdomains impersonated trusted brands or docs, such as a fake Claude Code documentation page (‘possibly impersonates official Claude Code docs’)

Indicators of Compromise

  • [Domains/Subdomains] malicious and suspicious infrastructure – apple-mac-fix-hidden[.]medium[.]com, claudecodedoc[.]squarespace[.]com, rapidfilevault4[.]cyou, rapidfilevault5[.]sbs, tmcnex[.]com, quantumdataserver5[.]homes, coco2-hram[.]com, res2erch-sl0ut[.]com
  • [IP Addresses] network infrastructure and historical resolution data – 199[.]217[.]98[.]33, 141 additional IP addresses, and 8 IP IoCs total
  • [Email Addresses] historical WHOIS contacts used for reverse WHOIS expansion – 375 unique email addresses, including 50 public email addresses
  • [Email-connected Domains] domains linked through historical email records, some weaponized – woupp[.]com, atcoconst[.]com, cvols[.]com, ejecen[.]com, rvdownloads[.]com, and 687 more domains
  • [DNS Resolution Data] historical domain/IP activity – ptrei[.]com (918 resolutions), aforvm[.]com (608 resolutions), lakhov[.]com (560 resolutions), jpbassin[.]com (515 resolutions)
  • [Network Communication Data] observed victim and client communications – 11 client IPs communicated with 14 domain IoCs; 119 victim-owned IPs communicated with 5 IP IoCs


Read more: https://circleid.com/posts/macos-clickfix-campaign-delivers-amos-and-other-infostealers-a-dns-deep-dive