In recent years, macOS devices have been relatively safe from malware attacks compared to other operating systems like Windows. However, the trend is changing, with macOS devices increasingly becoming a target for cybercriminals. This fact is evident in the latest malware called Atomic macOS Stealer (AMOS), which bad actors advertise on Telegram for $1000 per month. The AMOS can steal various types of information from the victim’s machine, as outlined below.
Information stolen by AMOS
AMOS can harvest a lot of information from the victim’s macOS device, including the macOS password, files from the desktop and documents folder, system information, and Keychain passwords. In addition, the malware can extract data from web browsers and cryptocurrency wallets like Atomic, Binance, Coinomi, Electrum, and Exodus.
Features of the macOS Atomic Stealer
“The AMOS” is a sophisticated malware that is capable of a wide range of malicious activities. For instance, it can take the form of an unsigned disk image file (Setup.dmg), and when executed, it deceives the victim into entering their system password on a fake prompt, in order to gain permission to carry out its malicious activities. Additionally, it can extract system metadata, files, iCloud Keychain, as well as information stored in web browsers such as passwords, autofill details, cookies, credit card data, and even crypto wallet extensions.
Execution of malware through a bogus prompt
To execute the AMOS malware, attackers use a bogus prompt that tricks victims into entering their system password, and once this is done, AMOS uses privilege escalation to initiate its malicious activities. Victims who fall into this trap may end up losing valuable personal and financial information without even noticing it.
Possible Initial Intrusion Vectors
While it is challenging to isolate the initial vector of attack, it is likely that users are manipulated into downloading and executing the malware under the guise of legitimate software. Attackers are known to disguise their malware in enticing software titles and interactive games, among other things, which lure macOS users to install and launch the malicious software.
Methods of Malware Installation
Attackers use various methods to install malicious software, which may include exploiting vulnerabilities or hosting on phishing websites. For instance, attackers can create phishing pages that replicate legitimate websites, trick users into submitting their login credentials, and then use such details to steal more valuable data.
Information harvested by AMOS
The AMOS malware works by extracting valuable data from the victim’s machine, which attackers can use for identity theft, financial fraud, or even extortion. Additionally, this malware compresses all the information obtained from these sources into a ZIP archive, which is transmitted to a remote server.
Transmitting of compiled information to pre-configured Telegram channels
The automated transfer of information to a remote server is already a source of concern. What’s even more alarming is how the information is transmitted to pre-configured Telegram channels. Once the information is received, bad actors can use it for various malicious intentions, as explained earlier.
Implications of AMOS on the Growing Targeting of macOS by Malicious Actors
Interestingly, this development is another sign that macOS is increasingly becoming a lucrative target beyond nation-state hacking groups. The primary reason behind this shift may be due to the growing number of individuals, companies, or institutions that use Mac devices. As a result, malicious actors have turned their attention to macOS with the aim of creating more sophisticated malware to exploit its weaknesses.
With the AMOS malware already in circulation, it is up to individual macOS users to take proactive measures to ensure their devices are secure. This includes avoiding installing software from untrusted sources, keeping up with software updates, and investing in reliable antivirus software. Ultimately, users need to be aware of the growing threat to macOS devices and take steps to protect their privacy and security.
