Atomic Stealer is a macOS infostealer sold via Telegram with multiple variants (A, B, C) and a web panel for campaign management. The article details how each variant operates, what data it targets (keychains, crypto wallets, browser data), and provides indicators to aid threat hunters and defenders of macOS endpoints. #AtomicStealer #AmosAtomic #Telegram #macOS #Keychain #ChromePasswords #Binance #Exodus
Keypoints
- Atomic Stealer is offered via a Telegram channel with a web-based panel for managing campaigns at $1,000 per month.
- Variant A is built on a Go binary (51.5MB) distributed in Appify-based bundles and relies on a one-shot execution rather than persistence.
- Variant B is a raw Go binary focused on Firefox and Chromium wallets, uses /usr/bin/security to extract Chrome passwords, and targets crypto wallets like Coinomi.
- Variant C reduces size, adds an anti-analysis check for virtualization, and changes its C2 URL; it removes some earlier functionality.
- Distribution includes fake installers (Tor Browser, cracked software) and malvertising; a DMG-based “Game Installer” variant exists (ALMV_launcher).
- Mitigation and indicators: SentinelOne protects against these samples (a Detect Only mode is also available), and a detailed IoC list is provided for defenders.
MITRE Techniques
- [T1036] Masquerading – The actor masquerades samples as legitimate installers such as the Tor Browser or cracked software like Photoshop CC. Quote: “masquerading as installers for legitimate applications like the Tor Browser or pretending to offer users cracked versions of popular software including Photoshop CC”
- [T1102] Web Service – Campaigns are managed via a rented web panel. Quote: “rent access to a web panel and provide a disk-image based installer for $1000/month.”
- [T1059.005] AppleScript – Execution uses AppleScript dialogs to capture the user’s password. Quote: “The dialog box is generated using osascript and passing the hidden answer parameter to the display dialog command.”
- [T1497] Virtualization/Sandbox Evasion – Variant C checks system_profiler output for “vmware” and exits if found. Quote: “queries the built-in system_profiler tool’s output for SPHardwareDataType, converts the output to lowercase, then searches it for the substring ‘vmware’.”
- [T1555.001] Credentials in Keychain – The malware steals the keychain contents. Quote: “The malware contains logic to steal the user’s keychain and crypto wallet contents, including those for Atomic, Binance, Electrum and Exodus.”
- [T1555.003] Credentials from Web Browsers – Chrome passwords are retrieved via the macOS security utility. Quote: “Both variant A and B utilize the /usr/bin/security utility to find Chrome passwords.”
Indicators of Compromise
- [Domain] amos-malware.ru/sendlog – log-upload (sendlog) endpoint used for communication with the operator
- [IP] 37.220.87.16:5000/sendlog – IP-based log-upload endpoint on port 5000
- [IP] 94.142.138.177/sendlog – additional IP-based log-upload endpoint
- [SHA-1] 078dd6122694cbc6e637a11fec77d6cab94bac3b – October 2023 update hash
- [SHA-1] 07fb38e48529490da73dcb9a0812bd3bb3337189 – October 2023 update hash
- [File] ALMV_launcher.dmg – disk image name used in Variant B distribution
- [File] Game Installer – DMG mounted as “Game Installer” containing a binary of the same name
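The indicators above are only useful once they are turned into something that runs over endpoint telemetry. The following is an added hunting example, not code from the article or from SentinelOne: it matches the page's network and hash IoCs and the three behaviours quoted under the MITRE techniques (an osascript dialog with a hidden answer, a system_profiler SPHardwareDataType query, and /usr/bin/security reading keychain items) against process-execution and network records. The key=value log format, the sample lines, the 203.0.113.10 address (RFC 5737 documentation range) and the "Chrome Safe Storage" keychain item name in the sample are all constructed for the example and are not taken from the page.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Network IoCs and file hashes copied from the page's IoC list.
IOC_HOSTS = {"amos-malware.ru", "37.220.87.16", "94.142.138.177"}
IOC_PATH = "/sendlog"
IOC_SHA1 = {
    "078dd6122694cbc6e637a11fec77d6cab94bac3b",
    "07fb38e48529490da73dcb9a0812bd3bb3337189",
}

# Behavioural rules over the command line, one per technique quoted on the page.
BEHAVIOUR_RULES = [
    ("T1059.005", "osascript 'display dialog ... with hidden answer' (password prompt)",
     re.compile(r"osascript.*display dialog.*hidden answer", re.I | re.S)),
    ("T1497", "system_profiler SPHardwareDataType queried (VM check)",
     re.compile(r"system_profiler\s+SPHardwareDataType", re.I)),
    ("T1555.003", "security utility reading keychain passwords",
     re.compile(r"(^|/)security\s+find-(generic|internet)-password", re.I)),
]


@dataclass
class Finding:
    category: str   # MITRE technique id, "IoC:<kind>" or "hunt:<lead>"
    description: str
    line: str


def parse_line(line):
    """Parse a constructed 'key=value key="quoted value"' record into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def analyze(lines):
    """Return one Finding per rule or indicator that matches a record."""
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec.get("type") == "exec":
            cmd = rec.get("cmd", "")
            for category, desc, rx in BEHAVIOUR_RULES:
                if rx.search(cmd):
                    findings.append(Finding(category, desc, raw))
            if rec.get("sha1", "").lower() in IOC_SHA1:
                findings.append(Finding("IoC:sha1", "known Atomic Stealer sample hash", raw))
        elif rec.get("type") == "net":
            host, path = rec.get("host", ""), rec.get("path", "")
            if host in IOC_HOSTS:
                findings.append(Finding("IoC:host", "connection to listed sendlog host", raw))
            elif path == IOC_PATH:
                # Same upload path on an unlisted host: worth a look, not a confirmed hit.
                findings.append(Finding("hunt:sendlog-path", "/sendlog path on unlisted host", raw))
    return findings


def summarize(findings):
    """Count findings per category, e.g. for a quick triage view."""
    return dict(Counter(f.category for f in findings))


# Constructed sample telemetry: one infected session plus benign noise.
SAMPLE_LOG = [
    'type=exec pid=500 user=alice cmd="/Volumes/Game Installer/Game Installer" '
    'sha1=078dd6122694cbc6e637a11fec77d6cab94bac3b',
    'type=exec pid=501 user=alice cmd="/usr/bin/osascript -e \'display dialog '
    'Please enter password default answer with hidden answer\'"',
    'type=exec pid=502 user=alice cmd="/usr/bin/security find-generic-password '
    '-wa alice -s \'Chrome Safe Storage\'"',
    'type=exec pid=503 user=alice cmd="system_profiler SPHardwareDataType"',
    'type=net pid=500 host=amos-malware.ru path=/sendlog method=POST bytes=18234',
    'type=exec pid=600 user=alice cmd="/usr/bin/security list-keychains"',
    'type=net pid=601 host=www.example.com path=/index.html method=GET bytes=512',
    'type=net pid=700 host=203.0.113.10 path=/sendlog method=POST bytes=9000',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.category}] {f.description}\n    {f.line}")
    print(summarize(analyze(SAMPLE_LOG)))
```

The behavioural rules fire on legitimate administration too (system_profiler in particular), so treat a single T1497 or T1555.003 hit as a lead and the combination of several categories under the same user session, or any IoC:host match, as the signal worth escalating.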