Threat actors are advertising a new information stealer for Apple's macOS operating system, called Atomic macOS Stealer (or AMOS), on Telegram for $1,000 a month, joining the likes of MacStealer.
“Atomic macOS Stealer can steal various types of information from the victim’s machine, including keychain passwords, full system information, desktop files and documents folder, and even the password of macOS,” Cyble researchers said in a technical report.
Among other features, it can extract data from web browsers and from cryptocurrency wallets such as Atomic, Binance, Coinomi, Electrum and Exodus. Threat actors who purchase the stealer from its developers also receive a ready-to-use web dashboard for managing victims.
The malware takes the form of an unsigned disk image file (Setup.dmg) that, when executed, prompts the victim to enter their system password in a fake dialog in order to elevate privileges and carry out its malicious activities, a technique also adopted by MacStealer.
The initial intrusion vector used to deliver the malware is not immediately clear, although it is possible that users are tricked into downloading and running it under the guise of legitimate software.
The Atomic stealer artifact, submitted to VirusTotal on April 24, 2023, is also named “Notion-7.0.6.dmg,” suggesting that it is being propagated as the popular note-taking app. Other samples unearthed by MalwareHunterTeam are distributed as “Photoshop CC 2023.dmg” and “Tor Browser.dmg”.
“Malware like the Atomic macOS Stealer could be installed by exploiting vulnerabilities or hosting on phishing websites,” Cyble noted.
Atomic then proceeds to collect system metadata, files, the iCloud Keychain, information stored in web browsers (e.g. passwords, autofill data, cookies, credit card details) and crypto wallet extensions, all of which is compressed into a ZIP file and sent to a remote server. The ZIP file of collected information is also sent to pre-configured Telegram channels.
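The exfiltration step above is the part of the chain a defender can see on the network: a bulk upload from an endpoint to Telegram infrastructure, coming from a process that is not the Telegram client. The script below is an added example (not code from the article or from Cyble) that runs that check over a few constructed proxy log lines. It assumes the "pre-configured Telegram channels" are fed through the Bot API upload endpoint `api.telegram.org/bot<token>/sendDocument`, which is how a channel receives a file without a Telegram client being involved; the log format, process names and bot tokens are all constructed for illustration.

```python
"""Flag bulk uploads to the Telegram Bot API from unexpected processes.

Added example, not from the article. Assumption: stealer output reaches a
Telegram channel via the Bot API's sendDocument endpoint. The log format and
every value in SAMPLE_LOG are constructed for this illustration.
"""
import re
from dataclasses import dataclass

# Constructed proxy log: timestamp, process, method, host, path, bytes sent.
SAMPLE_LOG = """\
2023-04-25T10:01:12Z Telegram POST api.telegram.org /api/v1 1834
2023-04-25T10:02:40Z Setup POST api.telegram.org /bot123456789:AAExampleTokenXXXX/sendDocument 4120337
2023-04-25T10:03:01Z Safari GET www.apple.com / 512
2023-04-25T10:04:55Z Notion-7.0.6 POST api.telegram.org /bot987654321:AAExampleTokenYYYY/sendDocument 2780011
2023-04-25T10:05:10Z curl POST api.telegram.org /bot111111111:AAExampleTokenZZZZ/sendMessage 230
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
# Bot API file upload: /bot<numeric id>:<secret>/sendDocument
BOT_UPLOAD_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/sendDocument$")
# Processes allowed to talk to Telegram on this fleet (assumption for the example).
EXPECTED_CLIENTS = {"Telegram"}


@dataclass
class Alert:
    ts: str
    process: str
    bot_id: str       # numeric part of the token only; the secret is never stored
    bytes_sent: int


def analyze(log_text: str, min_bytes: int = 100_000) -> list:
    """Return one Alert per sendDocument upload of at least min_bytes
    made by a process outside EXPECTED_CLIENTS."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line, skip rather than crash the sweep
        ts, proc, method, host, path, size = m.groups()
        if host != "api.telegram.org" or method != "POST":
            continue
        upload = BOT_UPLOAD_RE.match(path)
        if upload is None:
            continue  # sendMessage and other calls are not bulk exfiltration
        if proc in EXPECTED_CLIENTS:
            continue
        if int(size) < min_bytes:
            continue  # a ZIP of keychain, browser and wallet data is not tiny
        alerts.append(Alert(ts, proc, upload.group(1), int(size)))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts} {a.process} uploaded {a.bytes_sent} bytes to bot {a.bot_id}")
```

The size threshold and the allow-list are the two knobs worth tuning: the threshold keeps ordinary bot chatter out of the alert stream, and the allow-list is where a fleet with legitimate Telegram automation would add its own tooling.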
The development is another sign that macOS is increasingly becoming a lucrative target beyond nation-state hacking groups for deploying stealthy malware, making it imperative that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and abstain from opening suspicious links received via email or SMS messages.
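The samples described above are unsigned disk images renamed after well-known apps, which is exactly the case Gatekeeper's assessment is designed to catch before anything is mounted or run. The script below is an added example (not from the article) that wraps macOS's own `spctl` assessment of a downloaded `.dmg` and turns its output into a verdict; the parsing is kept in its own function so it can be exercised with the two constructed output samples in the block on any operating system. The file names in those samples are made up for the illustration.

```python
"""Pre-install check for a downloaded disk image via Gatekeeper (spctl).

Added example, not from the article. `spctl --assess` prints
'<path>: accepted' or '<path>: rejected' followed by 'source=<reason>'
(to stderr); the samples below are constructed to mirror that format.
"""
import subprocess
from dataclasses import dataclass

# Constructed spctl outputs for an unsigned image and a notarized one.
SAMPLE_REJECTED = "Setup.dmg: rejected\nsource=no usable signature\n"
SAMPLE_ACCEPTED = "GenuineApp.dmg: accepted\nsource=Notarized Developer ID\n"


@dataclass
class Verdict:
    accepted: bool
    source: str  # Gatekeeper's stated reason, e.g. "Notarized Developer ID"


def parse_spctl(output: str) -> Verdict:
    """Reduce spctl's two-line report to an accepted flag and its reason."""
    accepted = False
    source = "unknown"
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            accepted = True
        elif line.endswith(": rejected"):
            accepted = False
        elif line.startswith("source="):
            source = line[len("source="):]
    return Verdict(accepted, source)


def is_safe_to_open(v: Verdict) -> bool:
    """Accept only images Gatekeeper passes on the strength of a notarized
    Developer ID signature; an accepted-but-unnotarized result still fails."""
    return v.accepted and "Notarized" in v.source


def assess_dmg(path: str) -> Verdict:
    """Run Gatekeeper's open-assessment against the image's primary signature."""
    cmd = ["spctl", "--assess", "--type", "open",
           "--context", "context:primary-signature", "-v", path]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:
        # Not on macOS (or spctl missing): treat as unverifiable, not as safe.
        return Verdict(False, "spctl not available")
    return parse_spctl(proc.stderr + proc.stdout)


if __name__ == "__main__":
    import sys
    for dmg in sys.argv[1:]:
        v = assess_dmg(dmg)
        print(f"{dmg}: {'OK' if is_safe_to_open(v) else 'DO NOT OPEN'} ({v.source})")
```

Run it as `python3 check_dmg.py ~/Downloads/*.dmg` on the Mac that received the download. The point of separating `is_safe_to_open` from the raw verdict is policy: a fleet can decide to require notarization rather than just a valid signature, which is the bar an unsigned `Setup.dmg` will never clear no matter what it has been renamed to.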
Ikaroa is closely monitoring the recent discovery of a new type of malware that is targeting macOS systems. This malware, referred to as “Atomic macOS”, has been found to have the ability to steal keychain passwords and crypto wallets. The malicious code works by executing a fake-looking application to initiate the attack, which then attempts to access the targeted machine's Keychain password storage and crypto wallets.
Ikaroa takes this threat very seriously, as macOS Keychain passwords and crypto wallets often store valuable data and credentials. These credentials can be used to access bank accounts or other sensitive data if compromised. We advise all macOS users to ensure that their systems are updated with the latest OS patches, install anti-virus software, and exercise enhanced vigilance for suspected malicious activities.
Ikaroa strongly recommends macOS users take action to protect their data from the malicious Atomic macOS malware. This is especially true for those who already store sensitive data, such as passwords and crypto wallets, on their Apple systems. Ikaroa offers a full suite of protection that can be implemented to detect and prevent this type of attack. We are committed to keeping our customers safe, so please do not hesitate to reach out for more information.