AMOS (Atomic macOS Stealer) is a macOS infostealer that steals sensitive data such as cookies, passwords, browser autofill data, and cryptocurrency wallet contents from infected Macs. It spreads via malvertising and SEO poisoning, imitates legitimate apps, and has even been hosted on GitHub and Telegram; its rental price has risen from $1,000 to $3,000 per month. #AtomicMacOSStealer #Cyble
Key Points
- Infostealers now account for over 50% of macOS malware detections, with AMOS being one of the most common families observed.
- AMOS is designed to steal cookies, passwords, autofill data, and cryptocurrency wallet contents from infected machines.
- The price of AMOS has increased from $1,000 per month to about $3,000 per month within a year, signaling strong demand and perceived value.
- AMOS is distributed via malvertising and SEO poisoning, imitating legitimate applications to lure users into downloading it.
- Threat actors have hosted AMOS binaries on platforms like GitHub and conducted malvertising campaigns on social media (e.g., X), including lookalike domains such as macpaw.us.
- Recent AMOS variants employ obfuscation and Python droppers to evade detection and shift key data to Python-based components.
- There are unconfirmed claims of an iOS-targeting version of AMOS; changes to Apple's app distribution model driven by the EU Digital Markets Act (DMA) may influence future threats.
MITRE Techniques
- [T1003] Credential Dumping – ‘Stealing sensitive data such as passwords and cookies from browsers and applications.’
- [T1213] Data from Information Repositories – ‘Exfiltrating sensitive information from compromised systems.’
- [T1203] Malicious Link – ‘Using malvertising and SEO poisoning to distribute malware through deceptive links.’
- [T1027] Obfuscated Files or Information – ‘Using obfuscation techniques in malware to evade detection.’
- [T1071] Command and Control – ‘Using credential-protected C2 panels to manage campaigns and stolen data.’
Indicators of Compromise
- [Domain] macpaw.us – malvertising domain used in campaigns imitating legitimate software
- [Domain] github.com – AMOS binaries hosted on a GitHub repository
- [URL] https://github.com/sophoslabs/IoCs/blob/master/Atomic-infostealer-IOCs.csv – public IOC repository containing Atomic infostealer indicators
- [URL] https://urlscan.io/result/027802ea-5e90-4040-a862-f96c495c9696/ – snapshot of a malicious campaign page used in AMOS distribution
- [URL] https://urlscan.io/result/30067698-3dd0-456e-beb5-74304edfd3c4/#summary – additional AMOS-related URL analysis
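The macpaw.us indicator above, together with the lookalike-domain pattern the campaign used, can be turned into a simple proxy-log check. This is an added example, not code from the Sophos post or from Cyble; it assumes macpaw.com is the vendor's genuine domain, uses a naive two-label notion of "registered domain", and runs over constructed log lines.

```python
from urllib.parse import urlsplit

# Indicators from this page's IoC list (exact-match registered domains).
IOC_DOMAINS = {"macpaw.us"}
# Assumption: macpaw.com is the vendor's real domain; any other registered
# domain whose second-level label is a brand name is treated as a lookalike.
TRUSTED_DOMAINS = {"macpaw.com"}
BRAND_LABELS = {"macpaw"}

# Constructed sample proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2024-09-06T10:01:12Z 10.0.0.5 GET https://macpaw.us/cleanmymac/download
2024-09-06T10:02:40Z 10.0.0.5 GET https://macpaw.com/cleanmymac
2024-09-06T10:03:01Z 10.0.0.9 GET https://cdn.macpaw.us/CleanMyMac.dmg
2024-09-06T10:04:15Z 10.0.0.7 GET https://macpaw.net/free-download
2024-09-06T10:05:30Z 10.0.0.7 GET https://example.org/index.html
"""

def registered_domain(host):
    """Last two labels of a hostname (simplification: ignores multi-label
    public suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_host(host):
    """Return 'ioc-match', 'brand-lookalike' or None for a hostname."""
    rd = registered_domain(host)
    if rd in TRUSTED_DOMAINS:
        return None
    if rd in IOC_DOMAINS:
        return "ioc-match"
    if rd.split(".")[0] in BRAND_LABELS:
        return "brand-lookalike"
    return None

def scan_log(text):
    """Return (timestamp, client, host, verdict) for each flagged request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        host = urlsplit(parts[3]).hostname if len(parts) >= 4 else None
        if not host:
            continue  # skip malformed lines
        verdict = classify_host(host)
        if verdict:
            hits.append((parts[0], parts[1], host, verdict))
    return hits
```

Subdomains of a listed indicator (cdn.macpaw.us) are caught because matching is done on the registered domain, and a TLD swap such as macpaw.net is reported separately as a lookalike rather than a confirmed IoC hit.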
Read more: https://news.sophos.com/en-us/2024/09/06/atomic-macos-stealer-leads-sensitive-data-theft-on-macos/