From Russia With Code: Disarming Atomic Stealer

Atomic Stealer (AMOS) is a macOS-focused credential and file stealer that collects browser data, crypto wallets, keychain items, system info, and user files, then archives and exfiltrates them to C2 servers. The latest AMOS version encrypts its strings with a custom XOR-based routine, performs anti-VM checks, and uses stealthier exfiltration (HTTP POST to /p2p on port 80); researchers decrypted the strings with an IDAPython/ctypes approach. #AtomicStealer #macOS

Keypoints

  • AMOS is a commercial macOS stealer (sold via panel access) that targets keychains, browser data, crypto wallets, Telegram logs, and files from Desktop/Documents.
  • The stealer implements anti-VM checks using system_profiler and exits if VMware or Apple virtual machines are detected.
  • Keychain and Chrome decryption: it prompts users for macOS passwords via osascript and extracts the Chrome pbkdf2 master key using a security find-generic-password command to recover stored credentials.
  • Browser collection covers Chromium-based browsers and Firefox (AutoFill, Login Data, Cookies, Wallets, key4.db/logins.json), and a ColdWallets routine grabs offline wallet files.
  • FileGrabber filters and copies files by extension from ~/Desktop and ~/Documents (limits applied, ~10 MB), plus Safari cookies and Notes DB files.
  • Collected data are archived (ditto or Miniz/mz_zip_writer_add_mem) and exfiltrated via HTTP POST to C2 endpoints (previously /sendlog; new versions use /p2p on port 80) with a hardcoded UUID.
  • The new AMOS variant encrypts strings with a multi-step XOR algorithm; researchers used ctypes with an IDAPython script to automate decryption of embedded strings.

MITRE Techniques

  • [T1497] Virtualization/Sandbox Evasion – anti-VM checks by executing ‘system_profiler SPHardwareDataType’ and exiting if VMware or Apple Virtual Machine is detected (‘If it detects VMware or Apple Virtual Machine – the program exits.’).
  • [T1082] System Information Discovery – gathers hardware, software, and display information via ‘system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType’ to enumerate the host.
  • [T1555] Credentials from Password Stores – retrieves macOS keychain items and copies ‘login.keychain-db’ after prompting/authenticating the user to access stored credentials (‘login.keychain-db’).
  • [T1555.003] Credentials from Web Browsers – extracts browser-stored secrets (AutoFill, Web Data, Login Data, Wallets, Passwords, Cookies, Local Extension Settings) from Chromium-based browsers and Firefox (‘GrabChromium function is responsible for grabbing data such as AutoFill, Web Data, Login Data, Wallets, Password, Local Extension Settings’).
  • [T1005] Data from Local System – collects user files and cold wallets from Desktop/Documents and specific app data (Notes DB, Safari Cookies.binarycookies) using FileGrabber and ColdWallets routines (‘The FileGrabber … grabs files with the following extensions from Desktop and Documents folder’).
  • [T1041] Exfiltration Over C2 Channel – archives collected logs and sends them to C2 via HTTP POST (previously to ‘/sendlog’, new versions use ‘/p2p’ on port 80) (‘The logs are then sent to the Command and Control (C2) server using a POST request to the /sendlog endpoint.’ / ‘new version uses /p2p to send POST requests.’).

Indicators of Compromise

  • [File Hashes] AMOS samples – bf7512021dbdce0bd111f7ef1aa615d5, 57db36e87549de5cfdada568e0d86bff (and 1 more hash listed).
  • [IP Addresses] Command-and-control servers – 185.106.93.154, 5.42.65.108.
  • [File names/paths] macOS credential and storage files – login.keychain-db; /Users/run/{generated_numeric_value}/login-keychain and /Users/run/{generated_numeric_value}/password-entered.
  • [Endpoints / Identifiers] Exfiltration endpoints and UUID – ‘/sendlog’ (old), ‘/p2p’ (new), hardcoded UUID 7bc8f87e-c842-47c7-8f05-10e2be357888.
  • [File extensions / targets] FileGrabber targets – examples include .txt, .png, .jpg (grabbed from Desktop/Documents) and Notes DB files (NoteStore.sqlite, NoteStore.sqlite-shm, NoteStore.sqlite-wal).

Atomic Stealer (AMOS) implements a consistent collection and exfiltration workflow on macOS: it enumerates system hardware/software using system_profiler (with anti-VM checks), enumerates and copies browser and application data from ~/Library/Application Support (Chromium-based browsers, Firefox key4.db/logins.json, Safari Cookies.binarycookies), and scans Desktop/Documents for specific extensions (txt, png, jpg, wallet, keys, key) while enforcing a size cap (≈10 MB). For credential access it attempts to retrieve macOS keychain contents (login.keychain-db) and extracts Chrome’s pbkdf2 master key by running a command like “security … find-generic-password -ga ‘Chrome’ | awk ‘{print $2}’” and writing the extracted key into Local State under /Chromium/Chrome for later decryption of stored passwords.

Collection routines are modular: GrabChromium and GrabFirefox scrape browser databases and extension data (AutoFill, Web Data, Login Data, Wallets, Cookies), ColdWallets targets offline wallet files, and FileGrabber duplicates Notes DB files and Safari cookies into a staged folder (/Users/{username}/fg or /Users/run/{random}/). The stealer may prompt the user via osascript dialogs to obtain the device password (GetUserPassword flow), validate it, and then copy keychain files for offline extraction.

For packaging and exfiltration, AMOS compresses collected artifacts (older builds used ‘ditto -c -k…’ and newer builds use Miniz/mz_zip_writer_add_mem) and uploads archives to C2 via HTTP POST—historically to ‘/sendlog’, with newer variants using ‘/p2p’ on port 80 and a hardcoded UUID. Recent versions encrypt embedded strings with a custom multi-step XOR routine (byte-wise comparisons and XORs), reducing disk traces (the ZIP may not be written to disk), and researchers automated decryption using an IDAPython script leveraging ctypes to reproduce the in-memory algorithm.
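The collection chain and the exfiltration path described in the three paragraphs above can be correlated from endpoint telemetry. The following is an added detection example written for this summary; it is not code from the original write-up or from the researchers. It assumes a constructed, hypothetical log format ("<timestamp> <proc|net> key=value ...") standing in for EDR process and network events, its regular expressions are its own and encode only the commands, paths, endpoints, IPs and UUID the write-up names, and it treats the numeric name of the /Users/run/ staging folder as an assumption. A single rule hit (an administrator running system_profiler) does not raise an alert; several distinct techniques from the AMOS chain for one user, or any network indicator, do.

```python
import re
from collections import defaultdict

# Indicators stated in the write-up (C2 IPs, exfiltration endpoints, hardcoded UUID).
C2_IPS = {"185.106.93.154", "5.42.65.108"}
EXFIL_PATHS = {"/sendlog", "/p2p"}
HARDCODED_UUID = "7bc8f87e-c842-47c7-8f05-10e2be357888"

# Process command-line rules, each tied to the MITRE technique the write-up cites.
# The regexes are this example's own and encode only commands the write-up names.
PROCESS_RULES = [
    ("T1082", "host enumeration via system_profiler Software/Hardware/Displays",
     re.compile(r"system_profiler\s+SPSoftwareDataType\s+SPHardwareDataType\s+SPDisplaysDataType")),
    ("T1497", "anti-VM probe via system_profiler SPHardwareDataType",
     re.compile(r"system_profiler\s+SPHardwareDataType\b")),
    ("T1555", "osascript dialog asking for the account password",
     re.compile(r"\bosascript\b.*\bpassword\b", re.IGNORECASE)),
    ("T1555.003", "Chrome Safe Storage key lookup via security find-generic-password",
     re.compile(r"\bsecurity\b.*find-generic-password\s+-ga\s+['\"]?Chrome")),
    ("T1005", "staging folder under /Users/run/<number>/ (numeric name is an assumption)",
     re.compile(r"/Users/run/\d+/")),
    ("T1041", "ditto -c -k archive of staged data",
     re.compile(r"\bditto\s+-c\s+-k\b")),
]

# Constructed event format for this example: "<timestamp> <proc|net> key=value ..."
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one constructed log line into (timestamp, kind, fields)."""
    ts, kind, rest = line.split(" ", 2)
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(rest)}
    return ts, kind, fields


def match_process(cmd):
    """Return (technique, description) for every process rule the command line matches."""
    return [(tid, desc) for tid, desc, rx in PROCESS_RULES if rx.search(cmd)]


def match_network(fields):
    """Return (technique, description) for the network indicators from the write-up."""
    hits = []
    host, _, port = fields.get("dst", "").partition(":")
    if host in C2_IPS:
        hits.append(("T1041", f"connection to known AMOS C2 {host}"))
    if fields.get("method") == "POST" and fields.get("path") in EXFIL_PATHS:
        hits.append(("T1041", f"POST to AMOS exfil endpoint {fields['path']} on port {port or '?'}"))
    if HARDCODED_UUID in fields.get("body", ""):
        hits.append(("T1041", "hardcoded AMOS UUID present in request body"))
    return hits


def triage(lines, min_techniques=3):
    """Correlate findings per user. Alert when at least `min_techniques` distinct
    techniques from the AMOS chain appear for one user, or when any network
    indicator matches; one process hit alone is treated as noise."""
    per_user = defaultdict(lambda: {"techniques": set(), "findings": [], "alert": False})
    for line in lines:
        if not line.strip():
            continue
        ts, kind, fields = parse_event(line)
        hits = match_process(fields.get("cmd", "")) if kind == "proc" else match_network(fields) if kind == "net" else []
        if not hits:
            continue
        entry = per_user[fields.get("user", "unknown")]
        if kind == "net":
            entry["alert"] = True  # C2 IP, exfil endpoint or UUID is high confidence on its own
        for tid, desc in hits:
            entry["techniques"].add(tid)
            entry["findings"].append((ts, tid, desc))
        if len(entry["techniques"]) >= min_techniques:
            entry["alert"] = True
    return {u: {"techniques": sorted(v["techniques"]), "findings": v["findings"], "alert": v["alert"]}
            for u, v in per_user.items()}


# Constructed sample events: "alice" reproduces the chain the write-up describes,
# "bob" is an administrator who merely ran system_profiler once.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z proc user=alice cmd="system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"
2024-01-15T10:00:02Z proc user=alice cmd="osascript -e 'display dialog Enter password default answer with hidden answer'"
2024-01-15T10:00:03Z proc user=alice cmd="security find-generic-password -ga 'Chrome' | awk '{print $2}'"
2024-01-15T10:00:04Z proc user=alice cmd="ditto -c -k /Users/run/48213/ /Users/run/48213.zip"
2024-01-15T10:00:05Z net user=alice method=POST dst=185.106.93.154:80 path=/p2p body=uuid=7bc8f87e-c842-47c7-8f05-10e2be357888
2024-01-15T10:01:00Z proc user=bob cmd="system_profiler SPHardwareDataType"
2024-01-15T10:01:30Z net user=bob method=GET dst=203.0.113.10:443 path=/index.html
"""

if __name__ == "__main__":
    for user, summary in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: alert={summary['alert']} techniques={summary['techniques']}")
        for ts, tid, desc in summary["findings"]:
            print(f"  {ts} [{tid}] {desc}")
```

The threshold logic is the point: the individual commands (system_profiler, osascript, security, ditto) are all legitimate macOS tools, so only their co-occurrence for one user within a short window, or a match on the C2/endpoint/UUID indicators, is worth paging on. In a real deployment the process rules would be fed from the EDR's own event schema rather than this constructed format.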

Read more: https://russianpanda95.github.io/2024/01/15/Atomic-Stealer-AMOS/