Protecting Your macOS Device From Atomic macOS Stealer Malware- AMOS Malware

Apple has steadily grown its market, from iPhones to MacBooks, by releasing powerful and productive products over the years, and that growth has led threat actors to write more malware targeting Apple's platforms. If you have followed cybersecurity blogs or threat intelligence over the past year, MacStealer, RustBucket, and DazzleSpy are a few good examples of how actively threat actors are working on macOS malware. There is a new addition to this list: Atomic macOS Stealer Malware (AMOS Malware).

Cyble Research and Intelligence Labs (CRIL) recently uncovered a Telegram channel promoting a new information-stealing malware, dubbed Atomic macOS Stealer (AMOS). This malware is specifically engineered to target macOS users and pilfer sensitive information from their devices. The research team also reveals that the authors are selling the stealer on that Telegram channel for a hefty price of $1,000 per month. Let's dive deep into the report published by Cyble Research and Intelligence Labs.

Capabilities of the Atomic macOS Stealer Malware

Before we start the technical details, let’s see what the information stealer can do. AMOS is engineered to extract a wide array of information from compromised devices.

  1. Keychain passwords
  2. Comprehensive system information
  3. Files from the desktop and documents folder
  4. macOS password
Figure: Keychain password extraction by AMOS Malware (Source: cyble.com)

According to Cyble researchers, the Atomic macOS Stealer malware is also capable of extracting information such as auto-fill data, passwords, cookies, wallets, and credit card information from multiple web browsers and various cryptocurrency wallets, including Atomic, Binance, Coinomi, Electrum, and Exodus. Moreover, the developers provide threat actors with a ready-to-use web panel for efficiently managing their victims.

Authors of the Atomic macOS Stealer malware are consistently refining the malware, introducing new capabilities to enhance its effectiveness. The most recent update to the malware was publicized on April 25th via a Telegram post, showcasing its latest features. This move has made the malware an even more dangerous threat not only for macOS users but for crypto-wallet users too.

What Do the Atomic macOS Stealer Malware Authors Sell to Their Clients (Threat Actors)?

Authors of the Atomic macOS Stealer malware offer these services to their clients for the cost of $1000 per month.

  1. A web panel for managing victims
  2. MetaMask brute-forcing for stealing seed and private keys
  3. Crypto checker
  4. DMG installer

After successfully infiltrating a victim's device, the threat actor (TA) receives the stolen data logs via Telegram.

Deceptive Delivery and Infiltration Techniques

As per the technical details shared by CRIL, the Atomic macOS Stealer is delivered as an unsigned disk image file (Setup.dmg). Once executed, the malware prompts the victim to enter their system password in a fake prompt. This tactic, also employed by MacStealer, allows the malware to escalate privileges and perform its malicious activities.


As for the infiltration technique, researchers say it still remains unclear. However, it is likely that users are tricked into downloading and executing the malicious software, believing it to be legitimate. For instance, the Atomic stealer artifact discovered on VirusTotal on April 24, 2023, was named "Notion-7.0.6.dmg," masquerading as the popular note-taking app. Other samples found by the MalwareHunterTeam were distributed as "Photoshop CC 2023.dmg" and "Tor Browser.dmg." Whether it arrives by exploiting a system vulnerability or through phishing websites or emails, what matters to the attacker is only that the malware is delivered and run.

Data Exfiltration and Transmission Process

Figure: Exfiltrated data (Source: cyble.com)

Upon successful infiltration, Atomic macOS Stealer proceeds to gather system metadata, files, iCloud Keychain, and information stored in web browsers (e.g., passwords, autofill, cookies, credit card data) and crypto wallet extensions. The collected data is compressed into a ZIP archive and transmitted to a remote server hxxp[:]//amos-malware[.]ru/sendlog by encoding the ZIP file in Base64 format. The ZIP file containing the compiled information is then forwarded to pre-configured Telegram channels. Please read the complete technical analysis here.
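The exfiltration path just described (collect, ZIP, Base64-encode, send to the sendlog endpoint) is what a network defender can look for in web proxy logs. The Python script below is an added example, not code from the original post or from Cyble's report: it scans a few constructed proxy log lines, in a hypothetical log format, for requests to the amos-malware[.]ru C2 domain and for POST bodies that decode from Base64 into a ZIP archive (the ZIP local file header starts with the bytes PK\x03\x04). The log format, the sample lines and the helper names are assumptions made for this example.

```python
import base64
import binascii
import io
import re
import zipfile
from urllib.parse import urlsplit

# Network IOC from the Cyble report (written defanged on the page as hxxp[:]//amos-malware[.]ru/sendlog).
C2_DOMAINS = {"amos-malware.ru"}

# Constructed proxy log format used for this example (hypothetical, not a real product's format):
# <timestamp> <client-ip> <method> <url> <status> <request-bytes> body=<base64-body or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<size>\d+) body=(?P<body>\S+)$"
)


def decode_base64_zip(body):
    """Return the decoded bytes if `body` is strict Base64 that decodes to a ZIP archive, else None."""
    if body == "-":
        return None
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    # A ZIP written by a normal archiver starts with a local file header, signature 'PK\x03\x04'.
    return raw if raw.startswith(b"PK\x03\x04") else None


def zip_member_names(raw):
    """List the member names of an in-memory ZIP; an unreadable archive yields an empty list."""
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def scan_proxy_log(lines):
    """Flag requests to the known C2 domain and POSTs whose body is a Base64-encoded ZIP."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        host = (url.hostname or "").lower()
        reasons = []
        if host in C2_DOMAINS:
            reasons.append("request to known AMOS C2 domain")
        raw = decode_base64_zip(m["body"]) if m["method"] == "POST" else None
        if raw is not None:
            reasons.append("POST body is a Base64-encoded ZIP with %d member(s)" % len(zip_member_names(raw)))
        if reasons:
            alerts.append({"client": m["client"], "host": host, "path": url.path, "reasons": reasons})
    return alerts


def build_sample_log():
    """Construct three sample log lines: a benign GET, an AMOS-style exfil POST, and an unrelated POST."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sysinfo.txt", "ProductName: macOS (constructed placeholder)\n")
        zf.writestr("Chrome/Cookies", "constructed placeholder, not real cookie data")
    b64 = base64.b64encode(buf.getvalue()).decode("ascii")
    return [
        "2023-04-26T10:00:01Z 10.0.0.12 GET https://www.apple.com/ 200 0 body=-",
        "2023-04-26T10:00:05Z 10.0.0.12 POST http://amos-malware.ru/sendlog 200 %d body=%s" % (len(b64), b64),
        "2023-04-26T10:00:09Z 10.0.0.15 POST https://update.example.com/report 200 8 body=aGVsbG8=",
    ]


if __name__ == "__main__":
    for alert in scan_proxy_log(build_sample_log()):
        print(alert)
```

Only the second constructed line triggers both conditions; the third is a POST with a Base64 body that is not a ZIP, which is why the check decodes and inspects the content rather than alerting on Base64 alone. The domain match is the high-confidence signal; the "Base64 ZIP in a POST body" heuristic is broader and will need tuning against legitimate upload traffic in a real environment.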

Figure: Collected system information by Atomic macOS Stealer Malware (Source: cyble.com)

How to Protect Your macOS Device From Atomic macOS Stealer Malware?

To fortify your defenses against cyber threats like the Atomic macOS Stealer malware, it is crucial to follow a set of cybersecurity best practices. These proactive measures create a robust first line of defense against attackers and help ensure the safety of your data and devices. Below is a list of recommended best practices for macOS users:

  1. Download software from trusted sources: Always download and install software from the official Apple App Store to minimize the risk of installing malicious applications.
  2. Invest in reputable security software: Use a reliable antivirus and internet security software package to protect your system from malware and other threats.
  3. Create strong passwords and enable multi-factor authentication: Use unique, complex passwords for all your accounts and enable multi-factor authentication wherever possible to add an extra layer of security.
  4. Utilize biometric security features: Enable biometric security features, such as fingerprint or facial recognition, to unlock your device and add another layer of protection.
  5. Exercise caution with email links: Be cautious when opening links received via email, especially if they are from unknown senders, as these could be phishing attempts or lead to malicious websites.
  6. Manage permissions carefully: Be mindful when granting permissions to apps and websites, ensuring that you only give access to essential features and services.
  7. Keep your devices and software updated: Regularly update your devices, operating systems, and applications to patch vulnerabilities and improve overall security.

By adhering to these cybersecurity best practices, macOS users can significantly enhance their protection against cyber threats and minimize the risk of falling victim to attackers.

Corporate security teams should collect all the IOCs and block them on all their perimeter security devices. If possible, conduct an audit or scan for the presence of the malware file or its network communication.

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Execution            T1204.002      User Execution: Malicious File
Credential Access    T1110          Brute Force
Credential Access    T1555.001      Keychain
Credential Access    T1555.003      Credentials from Web Browsers
Discovery            T1083          File and Directory Discovery
Command and Control  T1132.001      Data Encoding: Standard Encoding
Exfiltration         T1041          Exfiltration Over C&C Channel

Indicators of Compromise:

Crypto Wallet Extension

The table below lists the crypto wallets with respective browser extension IDs targeted by the malware.

Extension ID                        Wallet
acmacodkjbdgmoleebolmdjonilkdbch    Rabby Wallet
aeachknmefphepccionboohckonoeemg    Coin98 Wallet
afbcbjpbpfadlkmhmclhkeeodmamcflc    Math Wallet
aholpfdialjgjfhomihkjbmgjidlcdno    Exodus Web3 Wallet
aiifbnbfobpmeekipheeijimdpnlpgpp    Station Wallet
amkmjjmmflddogmhpjloimipbofnfjih    Wombat – Gaming Wallet for Ethereum & EOS
apnehcjmnengpnmccpaibjmhhoadaico    CWallet
bcopgchhojmggmffilplmbdicgaihlkp    Hycon Lite Client
bfnaelmomeimhlpmgjnjophhpkkoljpa    Phantom
bocpokimicclpaiekenaeelehdjllofo    XDCPay
cgeeodpfagjceefieflmdfphplkenlfk    EVER Wallet
cihmoadaighcejopammfbmddcmdekcje    LeafWallet
cjelfplplebdjjenllpjcblmjkfcffne    Jaxx Liberty
cjmkndjhnagcfbpiemnkdpomccnjblmj    Finnie
cmndjbecilbocjfkibfbifhngkdmjgog    Swash
cnmamaachppnkjgnildpdmkaakejnhae    Auro
copjnifcecdedocejpaapepagaodgpbh    Freaks Axie
cphhlgmgameodnhkjdmkpanlelnlohao    NeoLine
dhgnlgphgchebgoemcjekedjjbifijid    Crypto Airdrops & Bounties
dkdedlpgdmmkkfjabffeganieamfklkm    Cyano
dmkamcknogkgcdfhhbddcghachkejeap    Keplr
efbglgofoippbgcjepnhiblaibcnclgk    Martian Wallet for Sui & Aptos
egjidjbpglichdcondbcbdnbeeppgdph    Trust Wallet
ffnbelfdoeiohenkjibnmadjiehjhajb    Yoroi
fhbohimaelbohpjbbldcngcnapndodjp    BinanceChain
fhilaheimglignddkjgofkcbgekhenbh    Oxygen
flpiciilemghbmfalicajoolhkkenfel    ICONex
fnjhmkhhmkbjkkabndcnnogagogbneec    Ronin
fnnegphlobjdpkhecapkijjdkgcjhkib    Harmony Wallet
hcflpincpppdclinealmandijcmnkbgn    KHC
hmeobnfnfcmdkdcmlblgagmfpfboieaf    XDEFI
hnfanknocfeofbddgcijnmhnfnkdnaad    Coinbase
hnhobjmcibchnmglfbldbfabcgaknlkj    Flint Wallet
hpglfhgfnhbgpjdenjgmdgoeiappafln    Guarda
ibnejdfjmmkpcnlpebklmnkoeoihofec    TronLink
imloifkgjagghnncjkhggdhalmcnfklk    Trezor Password Manager
jojhfeoedkpkglbfimdfabpdfjaoolaf    Polymesh
klnaejjgbibmhlephnhpmaofohgkpgkd    ZilPay
kncchdigobghenbbaddojjnnaogfppfj    iWallet
kpfopkelmapcoipemfendmdcghnegimn    Liquality
lodccjjbdhfakaekdiahmedfbieldgik    DAppPlay
mfhbebgoclkghebffdldpobeajmbecfk    Starcoin
mnfifefkajgofkcjkemidiaecocnkjeh    TezBox
nhnkbkgjikgcigadomkphalanndcapjk    CLW
nkbihfbeogaeaoehlefnkodbefgpgknn    Metamask
nknhiehlklippafakaeklbeglecifhad    Nabox
nlbmnnijcnlegkjjpcfjclmcfggfefdm    MewCx
nlgbhdfgdhgbiamfdfmbikcdghidoadd    Byone
nphplpgoakhhjchkkhmiggakijnkhfnd    Ton
ookjlbkiijinhpmnjffcofjonbfbgaoc    Temple
pdadjkfkgcafgbceimcpbkalnfnepbnk    KardiaChain
pnndplcbkakcplkjnolgbkdgjikjednm    Tron Wallet & Explorer – Tronium
pocmplpaccanhmnllbbkpgfliimjljgo    Slope
ppdadbejkmjnefldpcdjhnkpbjkikoip    Oasis

Command and Control (C&C)

  • hxxp[:]//amos-malware[.]ru/sendlog
  • amos-malware[.]ru

Setup.dmg

  • MD5: 5e0226adbe5d85852a6d0b1ce90b2308
  • SHA-1: 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a
  • SHA-256: 15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709
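To act on the IOCs listed above on an endpoint, a host audit can hash candidate files against the published MD5, SHA-1 and SHA-256 values and inventory which of the targeted wallet extensions are installed, so that those users can be prioritised for credential rotation if an infection is found. The Python script below is an added example, not part of the original post or of Cyble's report. It assumes the Chrome profile layout of Extensions/<extension id>/ under the profile directory (a well-known location, not taken from the report), uses only a subset of the extension table, and exercises itself on a constructed temporary fixture via self_check(); the function names are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path

# File hashes of Setup.dmg from the Cyble report (MD5, SHA-1, SHA-256), as listed above.
AMOS_FILE_HASHES = {
    "5e0226adbe5d85852a6d0b1ce90b2308",
    "0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a",
    "15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709",
}

# A subset of the targeted wallet extension IDs from the table above; extend it with the rest as needed.
TARGETED_EXTENSIONS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "Metamask",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
    "hnfanknocfeofbddgcijnmhnfnkdnaad": "Coinbase",
    "egjidjbpglichdcondbcbdnbeeppgdph": "Trust Wallet",
    "aholpfdialjgjfhomihkjbmgjidlcdno": "Exodus Web3 Wallet",
}

# Default Chrome profile directory on macOS (assumed well-known location, not from the report).
DEFAULT_CHROME_PROFILE = Path.home() / "Library" / "Application Support" / "Google" / "Chrome" / "Default"


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in one pass so every published hash form can be matched."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in digests.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in digests.items()}


def find_ioc_files(root, ioc_hashes=AMOS_FILE_HASHES, suffixes=(".dmg",)):
    """Walk `root` and return (path, algorithm, hash) for every file whose hash is in `ioc_hashes`.

    Samples were renamed (Notion-7.0.6.dmg, Photoshop CC 2023.dmg, ...), so matching is by hash,
    not by file name; pass suffixes=None to hash every file regardless of extension.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or (suffixes and path.suffix.lower() not in suffixes):
            continue
        try:
            digests = hash_file(path)
        except OSError:
            continue
        for algo, value in digests.items():
            if value in ioc_hashes:
                hits.append((str(path), algo, value))
    return hits


def find_targeted_extensions(profile_dir=DEFAULT_CHROME_PROFILE, targeted=TARGETED_EXTENSIONS):
    """Return (extension_id, wallet_name) for installed extensions that AMOS is reported to target."""
    ext_dir = Path(profile_dir) / "Extensions"
    if not ext_dir.is_dir():
        return []
    return sorted((d.name, targeted[d.name]) for d in ext_dir.iterdir() if d.name in targeted)


def self_check():
    """Build a constructed fixture in a temporary directory and run both checks against it."""
    root = Path(tempfile.mkdtemp(prefix="amos-audit-"))
    sample = root / "Downloads" / "Setup.dmg"
    sample.parent.mkdir()
    sample.write_bytes(b"constructed placeholder content, not the real DMG")
    ext_root = root / "Chrome" / "Extensions"
    (ext_root / "nkbihfbeogaeaoehlefnkodbefgpgknn").mkdir(parents=True)
    (ext_root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa").mkdir()  # constructed id of an untargeted extension
    return {
        "real_ioc_hits": find_ioc_files(root),  # placeholder content never matches the real hashes
        "simulated_hits": find_ioc_files(root, {hash_file(sample)["sha256"]}),  # exercises the match path
        "extensions": find_targeted_extensions(root / "Chrome"),
    }


if __name__ == "__main__":
    print("Hash hits under ~/Downloads:", find_ioc_files(Path.home() / "Downloads"))
    print("Targeted wallet extensions installed:", find_targeted_extensions())
```

Run as a script it checks the current user's Downloads folder and default Chrome profile; for a fleet-wide audit, point find_ioc_files at each user's home directory and feed the results into whatever endpoint tooling records the scan. A hash hit is strong evidence the installer was downloaded, not that it was run, so pair it with the network indicators above.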

We hope this post helps you understand how to protect your macOS device from Atomic macOS Stealer Malware (AMOS Malware). Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium and Instagram, and subscribe to receive updates like this.

Frequently Asked Questions:

1. What is the Atomic macOS Stealer Malware (AMOS Malware)?

Atomic macOS Stealer Malware (AMOS) is a new information-stealing malware specifically designed to target macOS users and steal sensitive information from their devices. It has been promoted on a Telegram channel and is sold for a hefty price of $1,000 per month.

2. What are the capabilities of AMOS Malware?

AMOS is capable of extracting various types of information from compromised devices, including keychain passwords, comprehensive system information, files from the desktop and documents folder, and macOS passwords. It can also steal auto-fill data, passwords, cookies, wallets, and credit card information from web browsers and cryptocurrency wallets.

3. How does AMOS Malware exfiltrate and transmit data?

Once it infiltrates a macOS device, the malware gathers system metadata, files, iCloud Keychain, and information stored in web browsers and crypto wallet extensions. The collected data is compressed into a ZIP archive and transmitted to a remote server by encoding the ZIP file in Base64 format. The ZIP file is then forwarded to pre-configured Telegram channels.

4. How can macOS users protect themselves from AMOS Malware?

macOS users can follow cybersecurity best practices to protect their devices from AMOS Malware, such as downloading software from trusted sources, using reputable security software, creating strong passwords and enabling multi-factor authentication, utilizing biometric security features, being cautious with email links, managing permissions carefully, and keeping devices and software updated.

5. What should corporate companies do to protect against AMOS Malware?

Corporate companies should collect all the IOCs (Indicators of Compromise) related to AMOS Malware and block them on their perimeter security devices. They should also conduct audits or scans for the persistence of the malware file or network communication if possible.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional and founder of "thesecmaster.com". Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
