Cyble – Threat Actor Selling New Atomic MacOS (AMOS) Stealer On Telegram

Cyble researchers reveal a Golang-based macOS stealer named Atomic macOS Stealer (AMOS) advertised on Telegram, designed to exfiltrate a wide range of victim data. The malware collects keychain passwords, system information, Desktop/Documents files, macOS passwords, browser data, and cryptocurrency wallet details, then transmits the data to a C2 server and Telegram channels. #AMOS #AtomicMacOSStealer #Telegram #macOS #Cyble #CRIL

Keypoints

  • AMOS is promoted via a Telegram channel as a flexible information stealer targeting macOS, with ongoing updates to add capabilities.
  • Distribution uses a .dmg package that contains a 64-bit Golang binary; the analysed sample is named Setup.dmg and was fully undetected (FUD) on VirusTotal at analysis time.
  • The stealer targets keychain data, system information, desktop/documents files, and macOS passwords, plus credentials from multiple browsers and crypto wallets.
  • Crypto wallet data extraction includes Electrum, Binance, Exodus, Atomic, Coinomi, and a large set of browser extensions (50+ extensions) for wallet data.
  • Additional services include a web panel, MetaMask seed/private key brute-forcing, a crypto checker, and a DMG installer; logs are shared via Telegram for $1,000 per month.
  • Data exfiltration is performed by compressing to ZIP and encoding with Base64, then sending to a C2 URL (amos-malware.ru) and Telegram channels.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – ‘Once a user executes the file, it displays a fake password prompt to obtain the system password.’
  • [T1110] Brute Force – ‘meta mask brute-forcing for stealing seed and private keys.’
  • [T1555.001] Keychain – ‘main_keychain() function to extract sensitive information.’
  • [T1555.003] Credentials from Web Browsers – ‘target multiple browsers and can extract auto-fills, passwords, cookies, wallets, and credit card information.’
  • [T1083] File and Directory Discovery – ‘stealer now steals the victim’s files from directories such as Desktop and Documents using the main_FileGrabber() function.’
  • [T1132.001] Data Encoding: Standard Encoding – ‘compressing into ZIP and encoding it using Base64 format for exfiltration.’
  • [T1041] Exfiltration Over C2 Channel – ‘sends the stolen information to the remote C&C server.’
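The exfiltration pattern described in the keypoints and in T1132.001/T1041 above (ZIP, then Base64, then an HTTP request to the C2) gives defenders two things to match on: the known C2 host/path and a request body that decodes to a ZIP archive. The following detection helper is an added example, not code from Cyble or from the malware; the request records it scans are constructed placeholders, and only the domain and path come from the report.

```python
import base64
import binascii
import io
import zipfile

# Indicators taken from the report above
C2_DOMAIN = "amos-malware.ru"
C2_PATH = "/sendlog"
ZIP_MAGIC = b"PK\x03\x04"  # local-file-header signature of a non-empty ZIP


def decode_base64_zip(body: str):
    """Return the decoded bytes if body is base64 text whose payload is a ZIP archive, else None."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if raw.startswith(ZIP_MAGIC) else None


def classify_request(req: dict) -> list:
    """Return the reasons an outbound request matches the AMOS exfiltration pattern."""
    reasons = []
    host = req.get("host", "").lower()
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        reasons.append("host matches AMOS C2 domain")
        if req.get("path") == C2_PATH:
            reasons.append("path matches AMOS C2 URL /sendlog")
    if decode_base64_zip(req.get("body", "")) is not None:
        reasons.append("body is a base64-encoded ZIP archive")
    return reasons


def build_sample_zip() -> bytes:
    """Constructed ZIP standing in for a stolen-data bundle (placeholder content, not a real log)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("keychain.txt", "constructed placeholder")
        zf.writestr("Desktop/notes.txt", "constructed placeholder")
    return buf.getvalue()


# Constructed request records, as a proxy or EDR might reassemble them (not real traffic)
SAMPLE_REQUESTS = [
    {"host": "amos-malware.ru", "path": "/sendlog",
     "body": base64.b64encode(build_sample_zip()).decode()},
    {"host": "updates.example.com", "path": "/api",
     "body": base64.b64encode(b"hello").decode()},
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Pair each request URL with its matched indicators (empty list = nothing matched)."""
    return [(r["host"] + r["path"], classify_request(r)) for r in requests]
```

The body check is deliberately independent of the host check, so a rehosted C2 with the same ZIP-in-Base64 packaging still raises one indicator.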

Indicators of Compromise

  • [File hashes] – File hashes for Setup.dmg: 15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709, 5e0226adbe5d85852a6d0b1ce90b2308 and 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a (and 2 more hashes).
  • [Domain] – amos-malware.ru (C&C domain)
  • [URL] – hxxp[:]//amos-malware[.]ru/sendlog (C&C URL)
  • [File name] – Setup.dmg; My Go Application.app (the macOS executable inside the DMG)

Read more: https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/