Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer.
“The Atomic macOS Stealer can steal various types of information from the victim’s machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password,” Cyble researchers said in a technical report.
Among other features include its ability to extract data from web browsers and cryptocurrency wallets like Atomic, Binance, Coinomi, Electrum, and Exodus. Threat actors who purchase the stealer from its developers are also provided a ready-to-use web panel for managing the victims.
The malware takes the form of an unsigned disk image file (Setup.dmg) that, when executed, urges the victim to enter their system password on a bogus prompt to escalate privileges and carry out its malicious activities — a technique also adopted by MacStealer.
The initial intrusion vector used to deliver the malware is immediately not clear, although it’s possible that users are manipulated into downloading and executing it under the guise of legitimate software.
The Atomic stealer artifact, submitted to VirusTotal on April 24, 2023, also bears the name “Notion-7.0.6.dmg,” suggesting that it’s being propagated as the popular note-taking app. Other samples unearthed by the MalwareHunterTeam are distributed as “Photoshop CC 2023.dmg” and “Tor Browser.dmg.”
“Malware such as the Atomic macOS Stealer could be installed by exploiting vulnerabilities or hosting on phishing websites,” Cyble noted.
Learn to Stop Ransomware with Real-Time Protection
Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.
Atomic then proceeds to harvest system metadata, files, iCloud Keychain, as well as information stored in web browsers (e.g., passwords, autofill, cookies, credit card data) and crypto wallet extensions, all of which are compressed into a ZIP archive and sent to a remote server. The ZIP file of the compiled information is then sent to pre-configured Telegram channels.
The development is another sign that macOS is increasingly becoming a lucrative target beyond nation-state hacking groups to deploy stealer malware, making it imperative that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via emails or SMS messages.