Atomic macOS Malware Steals Auto-fills, Passwords, Cookies, Wallets

Recently, the cybersecurity researchers at Cyble discovered a new macOS malware, ‘Atomic’ (aka ‘AMOS’), sold for $1,000/month on private Telegram channels.

Buyers pay a high price to receive a DMG file containing a 64-bit Go-based malware, which is specifically programmed to target macOS systems and steal the following data:

• Keychain passwords
• Files from the local filesystem
• Passwords
• Cookies
• Credit cards stored in browsers
• Complete system information

This macOS malware is also programmed to target cryptocurrency users by attempting to steal valuable data from over 50 popular cryptocurrency extensions. 

This tactic is part of a troubling trend among information-stealing malware, which has identified cryptocurrency users as a lucrative target for their illicit activities.

Additional Services

Apart from this, it has been observed that the threat actors behind this information stealer are constantly evolving this info-stealer with new features, which have been marked as an actively developed project.

On April 25th, the most recent update to the malware was showcased in a Telegram post. The operators provide several additional services, and here below we have mentioned them:-

• Web panel for managing victims
• Meta mask brute-forcing
• Stealing seed
• Stealing private keys
• Crypto checker
• Dmg installer

Technical Analysis

By adopting the same technique as MacStealer, the malware is disguised as an unsigned disk image file named Setup.dmg. 

Upon execution, it prompts the victim to enter their system password on a fake prompt to gain escalated privileges and execute illicit activities.

It remains unclear how the malware is initially delivered to users. Still, there is a possibility that it is disguised as authentic software to trick users into downloading and executing it.

The name of the Atomic stealer artifact, which was submitted to VirusTotal on April 24, 2023, is “Notion-7.0.6.dmg.” This name indicates that the malware is being circulated as the widely used note-taking application.

Here below, we have mentioned the other samples that were detected:-

• Photoshop CC 2023.dmg
• Tor Browser.dmg

Installing the Atomic macOS, Stealer malware could occur through exploiting system vulnerabilities or being hosted on phishing websites.

Besides capturing the system password, the malware extracts sensitive data from the victim’s machine by exploiting the main_keychain() function, which targets the password management tool.

Operators of Atomic can directly steal files from the victim’s ‘Desktop’ and ‘Documents’ directories using its capabilities.

Despite its file-stealing capabilities, the malware still needs to ask for permission to access these files, which gives victims a chance to detect malicious activities.

The Atomic macOS stealer compresses the stolen data into ZIP and then encodes it before exfiltration using Base64 format. The stealer transmits the stolen data to the following C&C server URL via communication:-

• hxxp[:]//amos-malware[.]ru/sendlog

While macOS is not as popular as Windows for malicious info-stealer activity, threat actors of all skill levels are increasingly targeting it.

Recommendations

Here below, we have mentioned the recommendations offered by the security experts:-

• Make sure to download the software from the official Apple App Store only.
• You must use a reputed AV tool.
• Do not use any used or exposed passwords.
• Always use strong and unique passwords.
• Make sure to enable biometric security features.
• Do not open any attachments or links you received from an unknown sender in the email.
• Always keep your system and device up-to-date.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus