Mac malware: "Atomic macOS Stealer" steals passwords, browser data and crypto wallets

A relatively new piece of malware called Atomic macOS Stealer, AMOS for short, is currently doing the rounds. It targets Apple computers and the passwords, cryptocurrencies, browser data, files and more stored on them. The malware is also said to be able to load further software onto the system and cause even more damage. The good news is that AMOS cannot operate completely on its own: it needs the user's account password to reach the protected data, and the prompt it uses to ask for it does not look like a genuine macOS dialog. If you are attentive and know what real macOS password prompts look like, you are in a good position. There are other protective measures as well.

Atomic macOS Stealer, or AMOS for short, is the name of a new, aggressive piece of malware that targets a wide variety of data on Apple Macs. Here you will find an overview of the malware and tips on protecting yourself against it.

AMOS is rented out as malware-as-a-service via Telegram

According to current research, the Atomic macOS Stealer, whose individual functions are listed below, is mainly offered for sale via the messenger app Telegram. There, criminals can rent AMOS for $1,000 per month. The operators route the stolen data through their own command and control servers, so they can charge for access to the captured data. At the same time, AMOS is constantly being expanded with further features designed to steal online accounts, identities and money. A "File Grabber" function can also copy files and folders from the attacked Mac.

What Atomic macOS Stealer targets on the Apple Mac

System

  • Keychain: Export all passwords from the Apple Keychain
  • System information: Complete data sheet of the system used (Mac model and operating system version)
  • File Grabber: Extracting files and folders from the user directories "Desktop" and "Documents"
  • Password: the login password of the account in use (captured via the fake prompt described below)

Browser

  • Chrome: Form data (so-called autofill), passwords, cookies, wallets, debit or credit cards 
  • Firefox: autofill, cookies
  • Brave: Autofill, passwords, cookies, wallets, debit or credit cards
  • Edge: Autofill, passwords, cookies, wallets, debit or credit cards
  • Vivaldi: Autofill, passwords, cookies, wallets, debit or credit cards
  • Yandex: Autofill, cookies, wallets, debit or credit cards
  • Opera: Autofill, passwords, cookies, wallets, debit or credit cards
  • Opera GX: Autofill, passwords, cookies, wallets, debit or credit cards

Crypto wallets and plugins

  • Electrum
  • Binance
  • Exodus
  • Atomic
  • Coinomi
  • 60+ plugins like MetaMask, Phantom and others

Features offered to buyers of the malware

  • Web panel
  • MetaMask attacks with custom seed and private key
  • Crypto checkers
  • Ready-made DMG installation file
  • Monitoring and notifications via Telegram
One way or another, the AMOS malware is offered via Telegram. Source: blog.cyble.com

Malware Infection: How Does AMOS Get on Mac?

Criminals have a wide variety of ways to get AMOS onto a victim's Mac via the Internet. The installation file can be smuggled in as a Trojan horse, or offered as a download on a website that a search for a particular program, a link in an e-mail or a similar route leads to. Hence the usual tip once more: do not click on links sent to you from unknown sources! If in doubt, use a different communication channel to ask the person who allegedly sent you a link whether it really came from them. Well-known names can certainly appear in fake e-mails.

Is AMOS malware an acute threat to me and my Mac?

Here I would give a (small) yes and a (big) no. I do not think private individuals are the goal of a targeted attack with AMOS. At the current price of $1,000 per month, I expect the Atomic macOS Stealer to be used mainly by criminals who go after the systems of companies, organizations, government agencies and other institutions. Politically or otherwise socially active groups could also become targets. An attack on private Macs cannot be ruled out, however, if only because payment data and crypto wallets are among the things AMOS goes after. Here I think the malware would most likely be distributed via fake download websites and bulk e-mails.

How can you protect yourself against AMOS and other malware on the Mac?

It is very important to look closely at the prompts and other interactive windows that appear after you download and run a DMG or archive file. At present AMOS shows a simple window with a gear icon that asks for the "MacOS" [sic] password; Apple writes macOS in lowercase. It also shows only a bare input field; the name of the account currently in use, which a real macOS password prompt displays, is missing (see below). Since the malware is constantly evolving, the design could change soon, so pay extra attention: a genuine prompt names the account whose password it is asking for.

The installation and authorization query of Atomic macOS Stealer currently looks something like this. The fake password query in particular should set off all alarm bells. Source: blog.cyble.com
To show you real password challenges, I used a content download in GarageBand and a download from the Mac App Store. On the left you can see the password prompt for the currently used account under macOS on the Apple Mac. On the right you can see the Touch ID query for the app installation. System used: macOS Ventura.
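The fake prompt is the point at which an attentive user can stop AMOS, and it is also something endpoint telemetry can look for. The post does not say how the dialog is drawn; the following is an added example (not code from this post or from Cyble's report) that assumes the technique macOS stealers commonly use for such a box, osascript's AppleScript `display dialog ... with hidden answer`, and that process-start events arrive as one JSON object per line with `process` and `cmdline` keys. The sample events are constructed, not real AMOS output.

```python
"""Flag macOS process-start events that look like a fake password prompt.

Added example for the Sir Apfelot AMOS post. Assumptions not stated on the
page: the dialog is produced with osascript's `display dialog ... with
hidden answer`, and telemetry delivers newline-delimited JSON events with
"process" and "cmdline" keys.
"""
import json
import re

# Words a genuine macOS authorization prompt never needs to spell out in an
# osascript command line. Matched case-insensitively.
PASSWORD_WORDS = ("password", "passwort", "credential", "keychain")

DISPLAY_DIALOG = re.compile(r"display\s+dialog", re.IGNORECASE)
HIDDEN_ANSWER = re.compile(r"with\s+hidden\s+answer", re.IGNORECASE)


def is_fake_password_prompt(cmdline: str) -> bool:
    """True if the command line is an osascript 'display dialog' that hides
    the typed answer (a password box) and mentions a password-like word."""
    low = cmdline.lower()
    if "osascript" not in low:
        return False
    if not DISPLAY_DIALOG.search(low) or not HIDDEN_ANSWER.search(low):
        return False
    return any(word in low for word in PASSWORD_WORDS)


def scan_events(lines):
    """Parse newline-delimited JSON events and return the suspicious ones.
    Malformed lines are skipped rather than aborting the scan."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_fake_password_prompt(event.get("cmdline", "")):
            hits.append(event)
    return hits


# Constructed sample telemetry: one stealer-style prompt, one harmless
# osascript dialog, and the real SecurityAgent that draws genuine prompts.
SAMPLE_EVENTS = """
{"ts":"2023-04-27T10:01:02Z","process":"osascript","cmdline":"osascript -e 'display dialog \\"macOS wants to access the System Preferences. Enter your password:\\" default answer \\"\\" with hidden answer with icon caution'"}
{"ts":"2023-04-27T10:01:05Z","process":"osascript","cmdline":"osascript -e 'display dialog \\"Backup finished\\" buttons {\\"OK\\"}'"}
{"ts":"2023-04-27T10:02:00Z","process":"SecurityAgent","cmdline":"/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent"}
"""

if __name__ == "__main__":
    for event in scan_events(SAMPLE_EVENTS.splitlines()):
        print(f"[{event['ts']}] suspicious password dialog: {event['cmdline']}")
```

The rule deliberately keys on the combination of `display dialog`, `with hidden answer` and a password word rather than on any string from a particular sample, because the post itself notes that the prompt's wording and design can change between versions; a genuine macOS prompt is drawn by SecurityAgent, not by osascript, so it never matches.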

There are also these tips and recommendations for protection against malware on the Mac:

  • Do not open links e-mailed to you from unknown sender addresses
  • Do not open links that unknown people send you by other means (messengers, iMessage, AirDrop, etc.)
  • Take a close look at windows that request access rights or passwords
  • Also ask yourself whether the downloaded app really needs the access it requests
  • If the app you are looking for is also in the official Mac App Store, download it there
  • Use strong passwords (long, with numbers, upper- and lowercase letters, special characters, etc.) and enable two-factor authentication (2FA) wherever possible
  • Where possible, prefer passkeys, Touch ID and/or Face ID to traditional passwords
  • Always install the latest version of the operating system (macOS, iOS, iPadOS, watchOS, etc.) to close known security gaps
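Several of the tips above (look closely at what a download asks for, prefer the Mac App Store) can be backed by a quick check before you open anything that arrived as a DMG or app. Below is an added example, not code from this post or from Cyble's report, that shells out to Apple's own tools `xattr`, `spctl` and `codesign` to show whether the file still carries the quarantine flag that makes Gatekeeper check it, whether Gatekeeper accepts it, and who signed it. The decision logic is a pure function over the tool output so it can be exercised without a Mac; the file paths and tool output used in the comments are constructed.

```python
"""Pre-flight check of a downloaded .app or .dmg on macOS before opening it.

Added example for the Sir Apfelot AMOS post. Uses only tools that ship with
macOS; assess() is separated from the tool calls so the logic can be tested
with canned output on any platform.
"""
import subprocess
import sys


def run(cmd):
    """Run a command; return (exit code, stdout+stderr). codesign writes to stderr."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def leaf_signer(codesign_out: str) -> str:
    """The first 'Authority=' line of `codesign -dvv` is the leaf certificate,
    e.g. 'Developer ID Application: Vendor (TEAMID)' for notarized apps or
    'Apple Mac OS Application Signing' for App Store apps. Unsigned and
    ad-hoc signed binaries print no Authority line, so '' is returned."""
    for line in codesign_out.splitlines():
        if line.startswith("Authority="):
            return line.split("=", 1)[1].strip()
    return ""


def assess(xattr_out: str, spctl_rc: int, spctl_out: str, codesign_out: str) -> dict:
    """Pure decision logic over the raw tool output."""
    quarantined = "com.apple.quarantine" in xattr_out
    accepted = spctl_rc == 0 and ": accepted" in spctl_out
    source = ""
    for line in spctl_out.splitlines():
        if line.startswith("source="):
            source = line.split("=", 1)[1].strip()
    signer = leaf_signer(codesign_out)
    return {
        "quarantined": quarantined,       # Gatekeeper only evaluates quarantined files
        "gatekeeper_accepted": accepted,
        "gatekeeper_source": source,      # e.g. 'Notarized Developer ID', 'Mac App Store'
        "signer": signer,
        "open_it": accepted and signer != "",
    }


def check_path(path: str) -> dict:
    """Collect xattr/spctl/codesign output for a real file (macOS only) and assess it."""
    _, xattr_out = run(["xattr", "-l", path])
    if path.lower().endswith(".dmg"):
        # Disk images are assessed with type 'open' against their primary signature.
        spctl_cmd = ["spctl", "--assess", "--type", "open",
                     "--context", "context:primary-signature", "-vv", path]
    else:
        spctl_cmd = ["spctl", "--assess", "--type", "execute", "-vv", path]
    spctl_rc, spctl_out = run(spctl_cmd)
    _, codesign_out = run(["codesign", "-dvv", path])
    return assess(xattr_out, spctl_rc, spctl_out, codesign_out)


def explain(verdict: dict) -> list:
    """Human-readable findings derived from a verdict."""
    notes = []
    if not verdict["quarantined"]:
        notes.append("no com.apple.quarantine attribute: Gatekeeper will not check this file on open")
    if not verdict["gatekeeper_accepted"]:
        notes.append("Gatekeeper rejects it; do not bypass with right-click > Open")
    if verdict["signer"] == "":
        notes.append("unsigned or ad-hoc signed: the author cannot be identified")
    if verdict["open_it"]:
        notes.append(f"accepted ({verdict['gatekeeper_source']}), signed by {verdict['signer']}")
    return notes


if __name__ == "__main__":
    # Usage: python3 check_download.py ~/Downloads/SomeApp.dmg   (path is your own)
    target = sys.argv[1] if len(sys.argv) > 1 else "/Applications/Safari.app"
    for note in explain(check_path(target)):
        print(note)
```

A file that has lost its quarantine attribute (for example because it was fetched with a command-line tool rather than a browser) is the case to watch: Gatekeeper will not run on it at all, so the signer line is then the only indication of who built it. A "rejected" result from spctl is exactly the situation in which a stealer's instructions tell the victim to right-click and choose Open; treat that advice as a red flag rather than a workaround.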

Source and further information on the topic

This post in the Cyble Research & Intelligence Labs blog served as the source for this article. To read it in full you have to register with an e-mail address; since the address does not need to be confirmed, a made-up or disposable one will do. Beyond the information presented here, the post offers a more technical look at AMOS and excerpts from the malware's code. It is written in English.
