Cyble Research and Intelligence Labs (CRIL) recently discovered a Telegram channel advertising a new information-stealing malware named Atomic macOS Stealer (AMOS). The malware targets macOS and is designed to steal sensitive information from infected systems.
The researchers reported that the Atomic macOS Stealer is constantly improved by its authors; the most recent update was announced via the Telegram channel on April 25th.
The Atomic macOS Stealer allows operators to steal various types of information from infected machines, including Keychain passwords, complete system information, files from the Desktop and Documents folders, and even the macOS password.
The malware can steal data from multiple browsers, including auto-fills, passwords, cookies, wallets, and credit card information. AMOS can also target multiple crypto wallets, such as Electrum, Binance, Exodus, Atomic, and Coinomi.
“The TA also provides additional services such as a web panel for managing victims, meta mask brute-forcing for stealing seed and private keys, crypto checker, and dmg installer, after which it shares the logs via Telegram. These services are offered at a price of $1000 per month.” reads the report published by Cyble.
The threat actors distribute the malware as a ‘.dmg’ file (Setup.dmg). Once it is executed, the malicious code attempts to trick victims into entering their system password in a fake prompt. The malware also targets the macOS password management tool (Keychain) using the main_keychain() function to extract sensitive information from the target machine.
Harvested data is compressed into a ZIP archive and Base64-encoded for exfiltration. The encoded archive is then sent to pre-configured Telegram channels.
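The exfiltration pattern described above (a ZIP archive, Base64-encoded, posted to Telegram) is something a defender can look for in outbound web traffic. The following is an added example, not code from Cyble or from the malware: it runs over constructed proxy-style request records (the field names host/path/body and the api.telegram.org indicator are assumptions; the article does not name the exact endpoints), strictly Base64-decodes each body, checks for the ZIP magic bytes, and lists the archive members of anything that matches.

```python
import base64
import binascii
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# Assumed indicator: the report says logs go to Telegram channels; exact endpoints are not given.
SUSPECT_HOSTS = ("api.telegram.org",)

def make_sample_zip_b64():
    """Build a small ZIP in memory and Base64-encode it (constructed sample, not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("keychain.txt", "constructed placeholder")
        zf.writestr("sysinfo.txt", "constructed placeholder")
    return base64.b64encode(buf.getvalue()).decode("ascii")

# Constructed proxy-style records (assumed fields: host, path, body); not real traffic.
SAMPLE_RECORDS = [
    {"host": "api.telegram.org", "path": "/bot<TOKEN_PLACEHOLDER>/sendDocument",
     "body": make_sample_zip_b64()},
    {"host": "api.telegram.org", "path": "/bot<TOKEN_PLACEHOLDER>/sendMessage",
     "body": base64.b64encode(b"hello").decode("ascii")},
    {"host": "updates.example.com", "path": "/check", "body": make_sample_zip_b64()},
]

def decode_base64_zip(body):
    """Return ZIP member names if body is Base64-encoded ZIP data, else None."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None

def find_exfil_candidates(records):
    """Flag requests to suspect hosts whose body is a Base64-encoded ZIP archive."""
    hits = []
    for rec in records:
        if not rec["host"].endswith(SUSPECT_HOSTS):
            continue
        members = decode_base64_zip(rec["body"])
        if members is not None:
            hits.append({"host": rec["host"], "path": rec["path"], "members": members})
    return hits
```

The host filter keeps the heuristic narrow; widening it to every destination would also surface legitimate Base64-encoded uploads, so the member names are what an analyst should triage on.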
“Due to its robust security features, macOS is the preferred operating system for numerous high-profile individuals. Targeting macOS is not a novel trend, and various malware families exist that specifically aim to infiltrate this operating system.” concludes the report. “Malware such as the Atomic macOS Stealer could be installed by exploiting vulnerabilities or hosting on phishing websites. Threat Actors can use the stolen data for espionage or financial gain. While not commonplace, macOS malwares can have devastating impacts on victims.”
(SecurityAffairs – hacking, Atomic macOS Stealer)