In the past few years, macOS has increasingly become a popular target for cybercriminals deploying malware. In particular, threat actors have been targeting macOS users with various families of malware, including RustBucket, DazzleSpy, and MacStealer. Recently, Cyble researchers discovered a new information-stealing malware called Atomic macOS Stealer (AMOS) being advertised on Telegram. This article delves into the technical details of the malware, its latest update, and its impact on macOS users.
AMOS is designed to target macOS and can steal various types of information, including keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password. The malware is designed to target multiple browsers and can extract auto-fills, passwords, cookies, wallets, and credit card information. In particular, AMOS can target popular crypto wallets such as Electrum, Binance, Exodus, Atomic, and Coinomi.
The TA behind AMOS constantly updates the malware and adds new capabilities to make it more effective. The latest update was highlighted in a Telegram post on April 25th, showcasing its newest features. The TA also provides additional services: a web panel for managing victims, MetaMask brute-forcing for stealing seed phrases and private keys, a crypto checker, and a DMG installer, with the collected logs shared via Telegram. These services are offered at a price of $1000 per month.
The Atomic macOS Stealer takes the form of an unsigned disk image file (Setup.dmg) that, when executed, displays a fake password prompt to escalate privileges and carry out its malicious activities. The malware’s initial intrusion vector is not immediately clear, but it is possible that users are manipulated into downloading and executing it under the guise of legitimate software.
The TA behind AMOS distributes the malware as a ‘.dmg’ file containing a Mac OS X executable located at “/Setup.app/Contents/macOS/My Go Application.app”; the executable is a 64-bit Golang binary.
Once a user executes the file, the malware harvests system metadata, files, iCloud Keychain data, as well as information stored in web browsers (e.g., passwords, autofill data, cookies, credit card data) and crypto wallet extensions. The collected information is compressed into a ZIP archive and sent to a remote server; the archive is also delivered to pre-configured Telegram channels.
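The artifact described above (an unsigned disk image carrying a 64-bit Go Mach-O) lends itself to a cheap static triage before anything is run. The script below is an added example for defenders and is not code from Cyble or the article: it parses the Mach-O header and load commands of a single-architecture 64-bit binary, reports whether an `LC_CODE_SIGNATURE` load command is present (its absence is treated here as "unsigned", a simplification, since the command is also present on ad-hoc-signed binaries), and looks for the `Go build ID:` / `Go buildinf:` strings the Go toolchain emits (an assumed heuristic, not a definitive fingerprint). The sample bytes are constructed inline so the example runs offline; `build_sample` is a helper invented for this example.

```python
"""
Static triage of a Mach-O file for the traits the article attributes to the
AMOS payload: 64-bit, no code-signature load command, built with Go.
Added example (not from the article or Cyble); it only reads headers and
searches bytes, it never executes the file.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF            # 64-bit Mach-O magic (little-endian on disk)
FAT_MAGIC_BE = b"\xca\xfe\xba\xbe"  # universal/fat binary header (big-endian)
LC_SEGMENT_64 = 0x19                # segment load command (used for the sample)
LC_CODE_SIGNATURE = 0x1D            # load command carried by signed binaries
# Strings the Go linker writes into binaries; assumed heuristic, not proof.
GO_MARKERS = (b"Go build ID:", b"Go buildinf:")


def parse_macho64(blob: bytes) -> dict:
    """Return a triage report for a single-architecture 64-bit Mach-O blob."""
    if blob[:4] == FAT_MAGIC_BE:
        raise ValueError("universal binary: split it into slices (e.g. lipo) first")
    if len(blob) < 32:
        raise ValueError("too short to hold a mach_header_64")
    (magic, cputype, _cpusubtype, filetype, ncmds,
     sizeofcmds, _flags, _reserved) = struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"not a 64-bit Mach-O (magic {magic:#x})")

    # Walk the load-command table that follows the 32-byte header.
    has_signature = False
    offset = 32
    end = 32 + sizeofcmds
    for _ in range(ncmds):
        if offset + 8 > len(blob):
            raise ValueError("truncated load-command table")
        cmd, cmdsize = struct.unpack_from("<II", blob, offset)
        if cmdsize < 8 or offset + cmdsize > end or offset + cmdsize > len(blob):
            raise ValueError("malformed load command size")
        if cmd == LC_CODE_SIGNATURE:
            has_signature = True
        offset += cmdsize

    looks_like_go = any(marker in blob for marker in GO_MARKERS)
    return {
        "cputype": cputype,
        "filetype": filetype,
        "ncmds": ncmds,
        "has_code_signature": has_signature,
        "looks_like_go": looks_like_go,
        # Profile from the article: unsigned + Go. A match is a triage hint only.
        "matches_amos_profile": (not has_signature) and looks_like_go,
    }


def triage_path(path: str) -> dict:
    """Read a file from disk and triage it."""
    with open(path, "rb") as fh:
        return parse_macho64(fh.read())


def build_sample(signed: bool, go: bool) -> bytes:
    """Construct a minimal synthetic Mach-O for demonstration (not a real binary)."""
    cmds = [struct.pack("<II", LC_SEGMENT_64, 72) + b"\0" * 64]  # 72-byte segment cmd
    if signed:
        cmds.append(struct.pack("<II", LC_CODE_SIGNATURE, 16) + b"\0" * 8)
    body = b"".join(cmds)
    header = struct.pack(
        "<8I",
        MH_MAGIC_64,
        0x01000007,   # CPU_TYPE_X86_64
        0,            # cpusubtype
        2,            # MH_EXECUTE
        len(cmds),    # ncmds
        len(body),    # sizeofcmds
        0,            # flags
        0,            # reserved
    )
    tail = b'Go build ID: "constructed-sample"\n' if go else b"\0" * 16
    return header + body + tail


if __name__ == "__main__":
    for signed, go in ((False, True), (True, True), (False, False)):
        report = parse_macho64(build_sample(signed, go))
        print(f"signed={signed} go={go} -> {report}")
```

For a real disk image, mount it read-only on an isolated analysis host, point `triage_path` at the bundle's executable, and treat `matches_amos_profile` as a reason to escalate to dynamic analysis rather than as a verdict.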
The development of AMOS is another sign that macOS is increasingly becoming a lucrative target for cybercriminals to deploy stealer malware. Therefore, it is imperative that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via emails or SMS messages.