
Monday, May 1, 2023

Beware of the Atomic macOS Stealer: A new malware that targets Mac users

More often than not, Mac users are under the false impression that their devices are inherently more secure than machines running other operating systems such as Windows or Linux. Unfortunately, that assumption may no longer hold true.

A new piece of malware, recently branded the Atomic macOS Stealer (AMOS), is being sold on Telegram for $1,000 per month. Without the Mac user getting any inkling whatsoever, it can quietly steal a wide range of sensitive information from the victim’s machine.

According to a report by Cyble Research and Intelligence Labs (CRIL), AMOS is specifically designed to target macOS platforms and can extract autofill information, passwords, wallets, credit card information, files, and more from the victim’s machine. The malware can also target multiple browsers and cryptocurrency wallets, making it a serious threat for Mac users who store or transact with digital currencies.

The malware is being clandestinely sold by a threat actor named Atomic, who claims to have over 100 customers and offers a free trial to potential buyers. The threat actor also provides additional services such as a web panel for managing victims, MetaMask brute-forcing to steal seed phrases and private keys, a crypto checker, and a .dmg installer, after which the logs are shared via Telegram.

AMOS is written in Python and packaged with PyInstaller into a standalone executable. It uses a fake system dialog box to trick users into entering their system password, which gives it access to the keychain and other protected data. It then scans for sensitive information, using the captured password wherever it is needed to unlock protected data, and sends the results to a remote server.

The malware is distributed via phishing emails or malicious websites that trick users into downloading and running it. It is one of the first to target Apple Silicon Macs, which have a different architecture than Intel-based Macs. It can also bypass macOS Gatekeeper and encrypts the stolen data before sending it to the attacker.

The malware is part of a growing trend of cryptominers targeting macOS platforms, which accounted for almost 40% of all malware detections on Macs in 2023. Cryptominers are malicious programs that use the victim’s computing resources to mine cryptocurrencies without their consent or knowledge. They can slow down system performance, increase power consumption, and cause overheating.

Mac users are advised to update their systems regularly, avoid clicking on suspicious links or attachments, and use reputable antivirus software to protect themselves from the malware. Mac users should also use strong passwords and enable multi-factor authentication wherever possible. They should also be wary of enabling any permissions or entering their system password for unknown applications.

AMOS is a new malware that poses a serious risk for Mac users who value their privacy and security. Mac users should be aware of this threat and take preventive measures to avoid becoming victims of this malicious software.

What actually is AMOS and how does it work?

AMOS is a new information-stealing malware that targets macOS platforms. It is sold on Telegram by a threat actor named Atomic who offers various services and features to his customers. AMOS can steal different types of information from the victim’s machine, such as:

Keychain passwords: These are passwords that are stored in the macOS keychain, which is a secure storage for passwords and other sensitive data. AMOS can access the keychain by using the system password that it obtains from the user through a fake dialog box.

System information: This includes information such as the device model, serial number, OS version, CPU type, RAM size, disk space, network interfaces, installed applications, etc. AMOS can use this information to identify the victim’s machine and its capabilities.

Files: AMOS can scan the desktop and documents folders for files that may contain valuable information. It can also search for specific file extensions such as .pdf, .docx, .xlsx, .pptx, etc.

Browser data: AMOS can target multiple browsers such as Chrome, Firefox, Brave, Edge, Vivaldi, Yandex and Opera. It can extract autofill information, passwords, cookies, credit card information and history from these browsers. It can also steal cryptocurrency wallets from browser extensions such as MetaMask.

Cryptocurrency wallets: AMOS can also target standalone cryptocurrency wallets such as Electrum, Binance, Exodus, Atomic and Coinomi. It can extract seed phrases, private keys and wallet addresses from these wallets.

Other data: AMOS can also steal other types of data such as screenshots, clipboard content, camera snapshots, microphone recordings, etc.

AMOS works by creating a .dmg file that contains the malware executable, with a fake icon and name to lure the user into installing it.

The .dmg file can be sent to the user via email or downloaded from a malicious website. Once the user opens the .dmg file, they will see a fake system dialog box asking for their system password. If the user enters their password, the malware will be installed and run in the background.

The malware will then scan the victim’s machine for sensitive information and send it to a remote server controlled by the attacker. The malware will also encrypt the stolen data before sending it to prevent detection and analysis. The attacker can access the stolen data through a web panel or a Telegram channel.
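The fake password dialog described above is a useful detection hook for defenders: genuine macOS authentication prompts are never produced by a scripting process, so a hidden-answer dialog dressed up as a system prompt stands out. The following is an added example, not code from the article or from Cyble's report; it assumes (the article does not say) that the lure is implemented with AppleScript's `display dialog ... with hidden answer` via `osascript`, and it runs over constructed process-execution records rather than a real host.

```python
import re

# Constructed process-execution records (not from the article or a real host):
# (timestamp, pid, process name, full command line), in the shape an EDR export
# or a `log show` query for the osascript process might produce.
SAMPLE_EVENTS = [
    ("2023-05-01T10:02:11Z", 5120, "osascript",
     'osascript -e \'display dialog "macOS needs to access System Settings. '
     'Please enter your password." with title "System Preferences" '
     'default answer "" with hidden answer\''),
    ("2023-05-01T10:09:00Z", 812, "osascript",
     'osascript -e \'display notification "Backup finished" with title "Time Machine"\''),
    ("2023-05-01T10:15:33Z", 2204, "osascript",
     'osascript -e \'display dialog "Enter a label for this note" default answer ""\''),
]

# A dialog that masks its input field: the only AppleScript way to collect a secret.
HIDDEN_ANSWER = re.compile(r"display\s+dialog.*\bhidden\s+answer\b", re.I | re.S)
# Wording a lure uses to impersonate an Apple-owned prompt. Real system
# authentication dialogs are never drawn by osascript, so the combination of a
# hidden-answer dialog with this vocabulary is a strong signal.
SYSTEM_LURE = re.compile(r"password|keychain|system (?:preferences|settings)|macos|apple", re.I)


def classify_prompt(cmdline):
    """None for benign AppleScript, 'medium' for any hidden-answer dialog,
    'high' when that dialog also impersonates a system or password prompt."""
    if not HIDDEN_ANSWER.search(cmdline):
        return None
    return "high" if SYSTEM_LURE.search(cmdline) else "medium"


def detect_fake_password_prompts(events):
    """Return one finding per osascript execution that asks for a hidden answer."""
    findings = []
    for ts, pid, proc, cmdline in events:
        if proc != "osascript":
            continue
        severity = classify_prompt(cmdline)
        if severity:
            reason = "osascript hidden-answer dialog"
            if severity == "high":
                reason += " impersonating a system password prompt"
            findings.append({"time": ts, "pid": pid, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in detect_fake_password_prompts(SAMPLE_EVENTS):
        print(finding)
```

Only the first record is flagged: the notification and the plain-text dialog are ordinary AppleScript use, which is why the rule keys on the hidden input field rather than on `osascript` itself.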

How to protect yourself from AMOS and other malware?

AMOS is a new and sophisticated malware that can steal a lot of sensitive information from Mac users. However, there are some steps that Mac users can take to protect themselves from this and other malware. These include:

Update your system regularly: Apple releases security updates for macOS that can fix vulnerabilities and prevent malware infections. You should always keep your system up to date with the latest patches and updates.

Avoid clicking on suspicious links or attachments: Phishing emails and malicious websites are common ways of distributing malware. You should never click on links or attachments that you don’t trust or that look suspicious. You should also check the sender’s address and the URL of the website before clicking on anything.

Use reputable antivirus software: Antivirus software can detect and remove malware from your system. You should use reputable antivirus software that has good ratings and reviews. You should also update your antivirus software regularly and scan your system frequently.

Use strong passwords and enable multi-factor authentication: Passwords are often the first line of defense against hackers and malware. You should use strong passwords that are long, complex and unique for each account. You should also enable multi-factor authentication wherever possible, which adds an extra layer of security by requiring a code or a device to log in.

Be wary of enabling any permissions or entering your system password for unknown applications: Malware often needs permissions or passwords to access sensitive data or run malicious code. You should be careful about enabling any permissions or entering your system password for applications that you don’t know or trust. You should also check the source and legitimacy of the application before installing it.

Conclusion

AMOS is a new and sophisticated malware that can steal a wide range of sensitive information from Mac users. It is sold on Telegram for $1,000 per month and offers various services and features to its customers. It can target multiple browsers and cryptocurrency wallets, as well as keychain passwords, system information, files and other data. It can also bypass macOS Gatekeeper and encrypt the stolen data before sending it to the attacker.

Mac users are advised to update their systems regularly, avoid clicking on suspicious links or attachments, use reputable antivirus software, use strong passwords and enable multi-factor authentication, and be wary of enabling any permissions or entering their system password for unknown applications. Mac users should be aware of this threat and take preventive measures to avoid becoming victims of this malicious software.
