Mac users targeted in new malvertising campaign delivering Atomic Stealer

A new malvertising campaign targets Mac users with an OSX version of Atomic Stealer (AMOS), delivered through deceptive ads and a phishing page. The payload is an ad-hoc signed DMG that bypasses Gatekeeper and exfiltrates stolen data to a criminal back end. #AtomicStealer #AMOS #TradingView

Key points

  • The campaign targets Mac users with a macOS version of Atomic Stealer (AMOS) delivered via malvertising and phishing.
  • Threat actors use Google Ads to lure victims to a phishing site that mimics legitimate pages (e.g., TradingView).
  • The Windows/Linux route points to an MSIX installer hosted on Discord that drops NetSupport RAT, while the Mac payload is a DMG hosted on app-downloads.org.
  • The Mac DMG is ad-hoc signed (no Apple-issued certificate), so Apple cannot revoke the signature, and it prompts the user for their credentials to run the tool.
  • AMOS can harvest data from browsers and Apple’s Keychain, with exfiltration back to the attackers’ server.
  • Indicators of Compromise include specific domains, a DMG hash, a malware hash, and a C2 IP address.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malvertising and compromised ad accounts lure victims to a phishing page; “Threat actors are buying ads matching well-known brands and tricking victims into visiting their site as if it were the official page.”
  • [T1566.001] Phishing: Spearphishing Link – The decoy site “looks quite authentic and shows three download buttons” and leads to payloads.
  • [T1105] Ingress Tool Transfer – The Windows/Linux MSIX installer is hosted on Discord and drops NetSupport RAT; “https://cdn[.]discordapp[.]com/attachments/1062068770551631992/1146489462025629766/TradingView-x64[.]msix”
  • [T1116] Code Signing – The malware is “bundled in an ad-hoc signed app meaning it’s not an Apple certificate, so it cannot be revoked.”
  • [T1555] Credentials from Password Stores – AMOS capabilities include “harvesting passwords from browsers and Apple’s keychain.”
  • [T1041] Exfiltration Over C2 Channel – The attacker’s goal is to exfiltrate stolen data “back to their own server.”

Indicators of Compromise

  • [Domain] Ad/phishing domains – xn--tradgsvews-0ubd3y[.]com, trabingviews[.]com
  • [URL] AMOS delivery endpoints – app-downloads[.]org/tview.php, https://cdn[.]discordapp[.]com/attachments/1062068770551631992/1146489462025629766/TradingView-x64[.]msix
  • [File hash] AMOS DMG – 6b0bde56810f7c0295d57c41ffa746544a5370cedbe514e874cf2cd04582f4b0
  • [File hash] AMOS malware – ce3c57e6c025911a916a61a716ff32f2699f3e3a84eb0ebbe892a5d4b8fb9c7a
  • [IP] AMOS C2 – 185.106.93[.]154
  • [File name] AMOS payload – TradingView.dmg
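The indicators above are published defanged (`[.]` in place of `.`), and one of the ad domains is an IDN (`xn--`) lookalike. The following Python is an added example, not code from Malwarebytes or this summary: it refangs the listed indicators, decodes the punycode label so an analyst can see the lookalike, and matches domains, full URLs, the C2 IP and the two SHA-256 hashes against constructed DNS, proxy and file-inventory samples. The log formats and sample entries are invented for the example; only the indicator values come from the report. Note the deliberate handling of the Discord URL: `cdn.discordapp.com` is shared infrastructure, so only the exact attachment path is treated as an indicator, never the host.

```python
from __future__ import annotations
import re

# Indicators exactly as published above, still defanged.
DEFANGED_DOMAINS = ["xn--tradgsvews-0ubd3y[.]com", "trabingviews[.]com", "app-downloads[.]org"]
DEFANGED_URLS = [
    "app-downloads[.]org/tview.php",
    "https://cdn[.]discordapp[.]com/attachments/1062068770551631992/1146489462025629766/TradingView-x64[.]msix",
]
FILE_HASHES = {  # sha256 -> label
    "6b0bde56810f7c0295d57c41ffa746544a5370cedbe514e874cf2cd04582f4b0": "AMOS DMG (TradingView.dmg)",
    "ce3c57e6c025911a916a61a716ff32f2699f3e3a84eb0ebbe892a5d4b8fb9c7a": "AMOS malware",
}
C2_IPS = ["185.106.93[.]154"]

# Constructed sample logs (not real telemetry). Format: timestamp, client, query / URL, status.
DNS_LOG = """\
2023-09-06T10:12:01Z client=10.0.0.5 query=www.tradingview.com type=A
2023-09-06T10:12:44Z client=10.0.0.5 query=trabingviews.com type=A
2023-09-06T10:13:02Z client=10.0.0.5 query=app-downloads.org type=A
2023-09-06T10:13:03Z client=10.0.0.9 query=cdn.discordapp.com type=A
"""
PROXY_LOG = """\
2023-09-06T10:13:05Z 10.0.0.5 GET https://app-downloads.org/tview.php 200
2023-09-06T10:13:20Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/111/222/holiday.png 200
2023-09-06T10:14:01Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/1062068770551631992/1146489462025629766/TradingView-x64.msix 200
2023-09-06T10:15:00Z 10.0.0.5 CONNECT 185.106.93.154:443 200
"""
OBSERVED_FILES = {  # constructed: path -> sha256 as an EDR file inventory might report it
    "/Users/alice/Downloads/TradingView.dmg": "6b0bde56810f7c0295d57c41ffa746544a5370cedbe514e874cf2cd04582f4b0",
    "/Users/alice/Downloads/notes.pdf": "0" * 64,
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def decode_idn(domain: str) -> str:
    """Decode xn-- labels with the pure punycode codec (no IDNA normalisation),
    so the lookalike characters are visible to the analyst."""
    out = []
    for label in domain.split("."):
        out.append(label[4:].encode("ascii").decode("punycode") if label.startswith("xn--") else label)
    return ".".join(out)


def match_dns(log: str) -> list[tuple[str, str]]:
    """Return (timestamp, domain) for queries that equal an attacker domain or a
    subdomain of one. Exact/suffix matching avoids substring false positives."""
    bad = {refang(d) for d in DEFANGED_DOMAINS}
    hits = []
    for line in log.splitlines():
        m = re.search(r"^(\S+) .*query=(\S+)", line)
        if not m:
            continue
        ts, q = m.group(1), m.group(2).lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in bad):
            hits.append((ts, q))
    return hits


def match_proxy(log: str) -> list[tuple[str, str]]:
    """Match full URLs (scheme stripped, so the scheme-less report entry matches)
    and direct connections to the C2 IP."""
    bad_urls = {refang(u).split("://", 1)[-1] for u in DEFANGED_URLS}
    bad_ips = {refang(ip) for ip in C2_IPS}
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, target = parts[0], parts[3]
        url = target.split("://", 1)[-1]
        host = url.split("/", 1)[0].split(":", 1)[0]
        if url in bad_urls:
            hits.append((ts, "url:" + target))
        elif host in bad_ips:
            hits.append((ts, "c2-ip:" + host))
    return hits


def match_hashes(files: dict[str, str]) -> dict[str, str]:
    """Return path -> indicator label for files whose SHA-256 is a known AMOS hash."""
    return {p: FILE_HASHES[h.lower()] for p, h in files.items() if h.lower() in FILE_HASHES}


if __name__ == "__main__":
    print("lookalike domain:", decode_idn(refang(DEFANGED_DOMAINS[0])))
    print("dns hits:", match_dns(DNS_LOG))
    print("proxy hits:", match_proxy(PROXY_LOG))
    print("hash hits:", match_hashes(OBSERVED_FILES))
```

Suffix matching on domains and exact matching on URLs are the two choices that matter in practice: substring matching on `tradingview` would flag the legitimate site, and matching the Discord host alone would flag every Discord attachment in the environment.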

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising