Atomic Stealer rings in the new year with updated version | Malwarebytes

Atomic Stealer (AMOS) received a December 2023 update introducing payload encryption to evade detection and expanded distribution through malvertising and compromised sites targeting Mac users. The campaign included Google search ads impersonating Slack that redirected to a decoy site serving the malware; the updated build adds obfuscation and steals data such as passwords, crypto wallets, and cookies. #AtomicStealer #FakeBat #Malvertising #Slack

Key points

  • Atomic Stealer was updated around mid to late December 2023 with a new encryption routine to hide strings and bypass detection.
  • Samples appeared on VirusTotal around that time, followed by a malvertising campaign observed in January 2024.
  • The campaign used Google search ads impersonating Slack to lure victims to a decoy site offering Windows and Mac malware downloads.
  • Two distribution channels were used: cracked software updates and malicious ads, suggesting different access levels for Atomic Stealer updates.
  • A malvertising campaign on January 8 reused tactics seen with FakeBat, delivering updated Atomic Stealer to Mac users.
  • Atomic Stealer now focuses on stealing passwords, crypto wallets, and cookies, and exfiltrates the data to a C2 server.
  • Defensive guidance includes using Malwarebytes Browser Guard and macOS Antivirus to prevent or detect Atomic Stealer activity.

MITRE Techniques

  • [T1189] Drive-by Compromise – The actors lured victims via a Google search ad impersonating Slack and redirected them to a decoy website where the app can be downloaded for both Windows and Mac. “The threat actors are luring victims via a Google search ad impersonating Slack, the popular communication tool, and redirecting them to a decoy website where the app can be downloaded for both Windows and Mac:”
  • [T1027] Obfuscated/Encrypted Files and Information – The sample is obfuscated and uses a new encryption routine to hide strings of interest. “Obfuscated sample (Dec 17), using a new encryption routine that hides strings of interest:”
  • [T1555.003] Credentials from Web Browsers – The stealer targets passwords, crypto wallets, and cookies, indicating credential access from browser/storage data. “Stealing victim passwords, crypto wallets and cookies” and related discussion of password prompts in the DMG.
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration occurs via a C2 server observed in sandbox analysis. “When we analyzed this sample in a sandbox we saw the data exfiltration taking place and the corresponding C2 server:”

Indicators of Compromise

  • [Domain] Malvertising chain – ivchlo[.]gotrackier[.]com, red[.]seecho[.]net
  • [Domain] Decoy site for Slack impersonation – slack[.]trialap[.]com
  • [URL] FakeBat payload URL – slack[.]trialap[.]com/app/Slack-x86.msix, slack[.]trialap[.]com/app/Slack-Apps.dmg
  • [Hash] FakeBat hash – 49f12d913ad19d4608c1596cf24e7b6fff14975418f09e2c1ad37f231943fda3
  • [Domain] C2 domain – ads-strong[.]online
  • [Hash] Atomic Stealer hash – 18bc97e3f68864845c719754d2d667bb03f754f6e87428e33f9c763a8e6a704a
  • [IP] C2 – 5.42.65[.]108
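As an added defender-side example (not code from the Malwarebytes post), the script below refangs the indicators listed above and scans log lines for them; the log lines, field names and extraction regexes are constructed assumptions, only the indicator values come from the page.

```python
import re

# Indicators as published in the write-up above (defanged with "[.]").
DEFANGED_DOMAINS = ["ivchlo[.]gotrackier[.]com", "red[.]seecho[.]net",
                    "slack[.]trialap[.]com", "ads-strong[.]online"]
DEFANGED_IPS = ["5.42.65[.]108"]
SHA256_IOCS = {
    "49f12d913ad19d4608c1596cf24e7b6fff14975418f09e2c1ad37f231943fda3": "FakeBat",
    "18bc97e3f68864845c719754d2d667bb03f754f6e87428e33f9c763a8e6a704a": "Atomic Stealer",
}

def refang(indicator):
    """Restore the publication-safe '[.]' notation to a matchable value."""
    return indicator.replace("[.]", ".")

DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]
IPS = {refang(i) for i in DEFANGED_IPS}

# Loose extractors for hostnames, IPv4 addresses and SHA-256 digests in free-form log text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)

def scan_line(line):
    """Return (kind, value) hits for one log line. A host matches a domain IoC exactly
    or as one of its subdomains, so the legitimate slack.com never matches slack.trialap.com."""
    hits = []
    for host in HOST_RE.findall(line):
        host = host.lower()
        hits += [("domain", d) for d in DOMAINS if host == d or host.endswith("." + d)]
    hits += [("ip", ip) for ip in IPV4_RE.findall(line) if ip in IPS]
    hits += [("sha256", SHA256_IOCS[h.lower()]) for h in SHA256_RE.findall(line)
             if h.lower() in SHA256_IOCS]
    return hits

def scan_logs(lines):
    """Scan many lines; returns (line_index, kind, value) triples in log order."""
    return [(i, kind, value) for i, line in enumerate(lines) for kind, value in scan_line(line)]

# Constructed log lines (not real telemetry) modelled on the infection chain described above.
SAMPLE_LOGS = [
    "2024-01-08T14:02:11Z dns client=10.0.0.23 qname=slack.trialap.com type=A",
    "2024-01-08T14:02:15Z proxy 10.0.0.23 GET https://slack.trialap.com/app/Slack-Apps.dmg 200",
    "2024-01-08T14:03:40Z edr file_created path=/Users/dev/Downloads/Slack-Apps.dmg "
    "sha256=18bc97e3f68864845c719754d2d667bb03f754f6e87428e33f9c763a8e6a704a",
    "2024-01-08T14:05:02Z fw allow 10.0.0.23 -> 5.42.65.108:80 tcp",
    "2024-01-08T14:05:09Z dns client=10.0.0.23 qname=slack.com type=A",  # benign, must not match
]

if __name__ == "__main__":
    for idx, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {kind} IoC matched -> {value}")
```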

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version