Attackers are promoting a new information-stealing program for Apple’s macOS operating system. Atomic macOS Stealer (or AMOS) is available on Telegram for $1,000/month, joining MacStealer and others.
“Atomic macOS Stealer can steal many different types of information from a victim’s machine, including keychain passwords, full system information, desktop and Documents folder files, and even macOS passwords,” Cyble researchers said in a technical report.
Other features include the ability to extract data from web browsers and cryptocurrency wallets such as Atomic, Binance, Coinomi, Electrum and Exodus. Attackers who purchase the stealer from the developer are also provided with a ready-to-use web panel to manage their victims.
The malware takes the form of an unsigned disk image file (Setup.dmg) that, when executed, prompts the victim to enter the system password at a fake prompt, escalates privileges and carries out its malicious activity. This technique is also used by MacStealer.
Although the initial intrusion vector used to distribute the malware is not immediately known, users may be manipulated into downloading and executing malware under the guise of legitimate software.
An Atomic Stealer artifact submitted to VirusTotal on April 24, 2023 was also named “Notion-7.0.6.dmg”, suggesting it was advertised as the popular note-taking app. Other samples unearthed by MalwareHunterTeam were named “Photoshop CC 2023.dmg” and “Tor Browser.dmg”.
“Malware such as Atomic macOS Stealer can be installed by exploiting vulnerabilities or by hosting phishing websites,” Cyble said.
Atomic then collects system metadata, files, the iCloud Keychain, information stored in web browsers (passwords, autofill data, cookies, credit card data, etc.) and cryptocurrency wallet extensions, compresses all of it into a ZIP archive and sends it to a remote server. The ZIP file of collected information is also sent to a preconfigured Telegram channel.
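The behaviour described above (an app launched from a mounted disk image that reads the keychain, browser profiles and user documents, packs them into a ZIP archive and then connects out) is a recognisable sequence a defender can look for in endpoint telemetry. The following is an added example written for this article, not Cyble's detection logic or code from the report: it groups constructed process-activity events by process and flags the ones that show that stealer-like chain. The event format (`kind|pid|name|image|detail`), the path patterns and the sample events are all assumptions made for illustration; real EDR or unified-log exports use different fields and a production rule would need tuning against legitimate backup and sync tools.

```python
"""Heuristic triage over constructed macOS process-activity records.

Added example for this article; not Cyble's detection logic and not code
from the report. The event format ("kind|pid|name|image|detail") is a
hypothetical simplification of what an EDR or unified-log export provides.
"""
import re
from dataclasses import dataclass, field

# Read locations matching the data the article says AMOS collects:
# keychain, browser profiles, Desktop/Documents and wallet data.
# The path patterns are assumptions for this example.
SENSITIVE_READS = {
    "keychain": re.compile(r"/Library/Keychains/"),
    "browser": re.compile(r"/Library/Application Support/(Google/Chrome|Firefox|BraveSoftware)/"),
    "user_docs": re.compile(r"/Users/[^/]+/(Desktop|Documents)/"),
    "wallet": re.compile(r"/Library/Application Support/(Exodus|atomic|Electrum)/"),
}
ARCHIVE_WRITE = re.compile(r"\.zip$", re.IGNORECASE)


@dataclass
class ProcessActivity:
    pid: int
    name: str
    image_path: str
    reads: list = field(default_factory=list)
    writes: list = field(default_factory=list)
    connections: list = field(default_factory=list)


def parse_events(lines):
    """Group constructed event lines by pid, skipping blanks and comments."""
    procs = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, pid, name, image, detail = line.split("|", 4)
        proc = procs.setdefault(int(pid), ProcessActivity(int(pid), name, image))
        {"read": proc.reads, "write": proc.writes, "connect": proc.connections}[kind].append(detail)
    return procs


def triage(procs, min_categories=2):
    """Return {pid: [reasons]} for processes that read at least min_categories
    sensitive stores, write a ZIP archive and make an outbound connection.
    Launching from /Volumes/ (a mounted .dmg) is recorded as extra context."""
    findings = {}
    for proc in procs.values():
        categories = sorted(c for c, pat in SENSITIVE_READS.items()
                            if any(pat.search(path) for path in proc.reads))
        archived = any(ARCHIVE_WRITE.search(path) for path in proc.writes)
        exfil = bool(proc.connections)
        if len(categories) >= min_categories and archived and exfil:
            reasons = [f"reads {', '.join(categories)}", "writes zip archive",
                       f"connects to {', '.join(proc.connections)}"]
            if proc.image_path.startswith("/Volumes/"):
                reasons.insert(0, "launched from mounted disk image")
            findings[proc.pid] = reasons
    return findings


# Constructed sample events: one stealer-like process launched from a mounted
# disk image and one benign backup tool that also zips documents and uploads them.
SAMPLE_EVENTS = """
# kind|pid|process name|image path|detail
read|4242|Setup|/Volumes/Setup/Setup.app/Contents/MacOS/Setup|/Users/alice/Library/Keychains/login.keychain-db
read|4242|Setup|/Volumes/Setup/Setup.app/Contents/MacOS/Setup|/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data
read|4242|Setup|/Volumes/Setup/Setup.app/Contents/MacOS/Setup|/Users/alice/Documents/taxes.pdf
write|4242|Setup|/Volumes/Setup/Setup.app/Contents/MacOS/Setup|/Users/alice/Library/Caches/out.zip
connect|4242|Setup|/Volumes/Setup/Setup.app/Contents/MacOS/Setup|203.0.113.10:443
read|777|BackupTool|/Applications/BackupTool.app/Contents/MacOS/BackupTool|/Users/alice/Documents/taxes.pdf
write|777|BackupTool|/Applications/BackupTool.app/Contents/MacOS/BackupTool|/Users/alice/Backups/docs.zip
connect|777|BackupTool|/Applications/BackupTool.app/Contents/MacOS/BackupTool|192.0.2.5:443
""".splitlines()


def run_sample():
    """Triage the constructed sample; only pid 4242 meets all conditions."""
    return triage(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for pid, reasons in run_sample().items():
        print(pid, "->", "; ".join(reasons))
```

The design point is that no single event is suspicious on its own: backup software reads documents, writes archives and uploads them too. Requiring reads from several credential-bearing locations together with the archive-and-connect pattern is what separates the stealer-like process from the benign one in the sample, which is why the backup tool is not flagged.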
This development is another sign that macOS is becoming a lucrative target for stealer malware beyond nation-state hacking groups. Users should only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via email or SMS messages.