Atomic macOS malware sets its sights on your keychain passwords
Threat actors have started advertising a new information-stealing malware called Atomic macOS Stealer, or AMOS, on Telegram. Priced at $1,000 per month, the malware is designed to target Apple's macOS operating system. Cyble researchers have warned that the malware can steal a range of information, including passwords, system details, files, and more.
AMOS can extract data from a variety of sources, including web browsers and cryptocurrency wallets. The malware can harvest information from Atomic, Binance, Coinomi, Electrum, and Exodus wallets, among others. The malware's customers are provided with a web panel that they can use to manage the stolen data.
The malware is being propagated using an unsigned disk image file called Setup.dmg. Once executed, the file prompts the victim to enter their system password on a bogus prompt. This allows the malware to escalate privileges and carry out its malicious activities. This technique is similar to that used by other macOS malware, such as MacStealer. It's unclear what initial intrusion vector is used to deliver the malware, but it's possible that users are deceived into downloading and executing the malicious software under the guise of legitimate software.
The information-gathering process
Once the malware is installed, it collects system metadata, files, iCloud Keychain data, as well as information stored in web browsers and cryptocurrency wallet extensions. The data is then compressed into a ZIP archive and sent to a remote server. The ZIP file of compiled data is then sent to pre-configured Telegram channels.
The report of VirusTotal shows Atomic macOS malware as malicious.
How to protect yourself against Atomic macOS malware?
The increase in the deployment of macOS stealer malware by non-state actors highlights the need for users to be cautious when downloading and installing software. The cybersecurity industry recommends that users only download and install software from trustworthy sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via email or SMS messages.Advertisement