Threat actors have introduced a new information stealer targeting Apple macOS operating systems, known as Atomic macOS Stealer (AMOS), sold on Telegram for $1,000 monthly. This malware joins the notorious ranks of similar malware, such as MacStealer.
According to a detailed report by Cyble researchers, the Atomic macOS Stealer can steal a wide range of information from the victim’s computer. That includes Keychain passwords, comprehensive system data, crypto wallet data, files from the desktop and documents folder, and even the macOS password itself.
Key Features of the Atomic macOS Stealer
The Atomic macOS Stealer stands out because it can extract valuable data from web browsers and cryptocurrency wallets, including Atomic, Binance, Coinomi, Electrum, and Exodus. Moreover, when threat actors purchase the stealer from its developers, they receive a ready-to-use web panel for managing their victims.
This insidious malware is delivered as an unsigned disk image file (Setup.dmg) that, when executed, prompts the victim to enter their system password on a fake prompt. By doing so, the malware escalates its privileges and initiates its malicious activities, a technique also employed by MacStealer.
Infiltration Tactics and Distribution Methods
The specific method to deliver the Atomic macOS Stealer is not immediately apparent. However, victims are likely deceived into downloading and executing the malware, believing it to be legitimate software.
The Atomic stealer artifact, submitted to VirusTotal on April 24, 2023, bears the name “Notion-7.0.6.dmg.” That indicates it may be masquerading as the well-known note-taking application. The MalwareHunterTeam has also discovered other samples distributed as “Photoshop CC 2023.dmg” and “Tor Browser.dmg.”
Cyble researchers have noted that malware like the Atomic macOS Stealer could be installed by exploiting system vulnerabilities or hosting malicious software on phishing websites.
How the Atomic macOS Stealer Operates
Once installed, the Atomic macOS Stealer gathers system metadata, files, iCloud Keychain, and information stored in web browsers (such as passwords, autofill data, cookies, and credit card information) and crypto wallet extensions.
This collected data is compressed into a ZIP archive and sent to a remote server. Finally, the compiled information’s ZIP file is transmitted to pre-configured Telegram channels.
The Growing Importance of macOS Security
The emergence of the Atomic macOS Stealer serves as a stark reminder that macOS is increasingly becoming an attractive target for cybercriminals, not just nation-state hacking groups.
Consequently, users must take necessary precautions. That includes downloading and installing software only from trusted sources, enabling two-factor authentication, and reviewing app permissions. It is also worth avoiding suspicious links received through emails or SMS messages.
By following these guidelines and remaining vigilant, users can better protect themselves from the growing threat of advanced malware like the Atomic macOS Stealer.
Please note that the information provided on this page is not intended to be and should not be interpreted as legal, tax, investment, financial, or any other form of advice. It is important to only invest what you can afford to lose and to seek independent financial advice if you have any doubts. For further information, we suggest referring to the terms and conditions as well as the help and support pages provided by the issuer or advertiser. CryptoMode is committed to accurate, unbiased reporting, but market conditions are subject to change without notice.