Atomic macOS malware sets its sights on your keychain passwords

Emre Çitak
May 3, 2023

Threat actors have started advertising a new information-stealing malware called Atomic macOS Stealer, or AMOS, on Telegram. Priced at $1,000 per month, the malware is designed to target Apple's macOS operating system. Cyble researchers have warned that the malware can steal a range of information, including passwords, system details, files, and more.

AMOS can extract data from a variety of sources, including web browsers and cryptocurrency wallets. The malware can harvest information from Atomic, Binance, Coinomi, Electrum, and Exodus wallets, among others. The malware's customers are provided with a web panel that they can use to manage the stolen data.

The malware is being propagated using an unsigned disk image file called Setup.dmg. Once executed, the file prompts the victim to enter their system password on a bogus prompt. This allows the malware to escalate privileges and carry out its malicious activities. This technique is similar to that used by other macOS malware, such as MacStealer. It's unclear what initial intrusion vector is used to deliver the malware, but it's possible that users are deceived into downloading and executing the malicious software under the guise of legitimate software.

Atomic macOS malware macOS Stealer
Atomic macOS malware targets user's crypto wallets and Keychain passwords

The information-gathering process

Once the malware is installed, it collects system metadata, files, iCloud Keychain data, as well as information stored in web browsers and cryptocurrency wallet extensions. The data is then compressed into a ZIP archive and sent to a remote server. The ZIP file of compiled data is then sent to pre-configured Telegram channels.

The report of VirusTotal shows Atomic macOS malware as malicious.

How to protect yourself against Atomic macOS malware?

The increase in the deployment of macOS stealer malware by non-state actors highlights the need for users to be cautious when downloading and installing software. The cybersecurity industry recommends that users only download and install software from trustworthy sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via email or SMS messages.


Previous Post: «
Next Post: «


There are no comments on this post yet, be the first one to share your thoughts!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.