Uncovering Atomic Stealer (AMOS) Strikes And The Rise Of Dead Cookies Restoration – Cyble

Cyble researchers document updated Atomic Stealer (AMOS) versions spread via phishing sites posing as Mac apps, with new cookie-revival capabilities that target Google Chrome. The findings highlight a widening trend of InfoStealers adopting cookie revival and related data-exfiltration features, including rapid adoption by Xehook Stealer and publicly available code for reviving dead cookies. #AtomicStealer #AMOS #XehookStealer #ChromeCookies #DeadCookies #CookieRevival

Key points

  • AMOS is distributed through fake Mac app sites (e.g., Parallels Desktop, CleanMyMac, Arc Browser, Pixelmator) that masquerade as legitimate software.
  • AMOS shows continuous evolution with frequent updates and new features, including reviving expired Google Chrome cookies.
  • Free code posted on a cybercrime forum now enables reviving dead cookies, expanding potential use by low-profile threat actors.
  • On Jan 20, 2024, Xehook Stealer appeared and, within days, the actor integrated the cookie-revival feature, signaling a growing trend among InfoStealers.
  • The C2 server 5.42.65.108:80 is used across AMOS payloads, suggesting a potential shared campaign or threat actor linkage.
  • Attack chain includes phishing distribution, DMG execution on macOS, system/browser data theft (including keychain and web data), a file grabber, and C2 exfiltration.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Malware spreads via phishing websites. Quote: “Malware spreads via phishing websites.”
  • [T1204.002] User Execution – Manual execution by the user. Quote: “Manual execution by the user.”
  • [T1555.001] Keychain – The stealer tries to extract passwords from the Keychain. Quote: “Keychain password extraction”
  • [T1555.003] Credentials from Web Browsers – Malware tries to steal sensitive data from browsers. Quote: “Credentials from Web Browsers”
  • [T1083] File and Directory Discovery – File grabber searches for sensitive files on the system. Quote: “File grabber, search sensitive files from system.”
  • [T1041] Exfiltration Over C2 Channel – The stealer sends stolen data to the server. Quote: “Exfiltration Over C2 Channel”
  • [T1071] Application Layer Protocol – Malware communicates with the C&C server. Quote: “Application Layer Protocol”

Indicators of Compromise

  • [File Hash] ArcBrowser.dmg – MD5: ac1a958ea6449450fbfa5cb9a6bb197a, SHA1: 0505a3b7683aaff50b9f4214e259b519bc27bc6c, SHA256: f81f1dfc07e5b84cd158ed24ec60ac43a2d2427835d4d1a21b8f8622b7b706a6
  • [File Hash] CleanMyMac-Apps.dmg – MD5: 2bcf087a676ec992ef9652a87b4dbce1, SHA1: a2db69f7015a25bc5776d1db9235c38b8246ecda, SHA256: 3805cb7589da01a978e899fd4a051adec083c8543343ce637e448716cbbbcef1
  • [File Hash] Install-Parallels-Desktop.dmg – MD5: d4e2a4bace502bfc1b7449fee9c9ba28, SHA1: 34c66a2bb9e791dec6156f8bc7a41bf592cf47fd, SHA256: 401c113bc24701e80468047974c19c3b7936e4d34a6625ce996c12d1639de3ba
  • [File Hash] Pixelmator-pro.dmg – MD5: e54ed20eee6bd88883adb71856e49595, SHA1: 27b6afc6f57850644f3ceffcb06406f5d699592e, SHA256: 705b899bcf83311187021a29369e5344bf4477579a3e7485055d1fe8e0efcbb3
  • [IP/Port] C2 Server – 5.42.65.108:80
  • [URL] Malicious sites – paralleldesktop.pro, cleanmymac.pro, arcbrowser.pro, pixelmator.pics

Read more

https://cyble.com/blog/uncovering-atomic-stealer-amos-strikes-and-the-rise-of-dead-cookies-restoration/