When Stealers Converge: New Variant of Atomic Stealer in the Wild

Bitdefender identified a new macOS variant of the AMOS (Atomic) Stealer distributed as small DMG files whose Mach-O droppers decode and drop an XOR-obfuscated Python stealer. The Python payload combines AppleScript (via osascript) and native utilities to harvest browser cookies and login data, crypto wallet files, the user's login keychain and local account password, builds a ZIP archive in memory, and exfiltrates it to a hardcoded C2. #AtomicStealer #RustDoor

Keypoints

  • Researchers isolated a new AMOS (Atomic) Stealer variant that uses Mach-O droppers inside DMG installers to deploy a Python stealer.
  • The Mach-O binaries store an XOR-obfuscated Python script in their __const section, which they decode and drop to /var/tmp/olx before execution.
  • The Python stealer prompts the user with a fake system-update dialog to capture the local account password and writes it to a file named psw.
  • The script executes AppleScript via osascript to collect targeted files (including Cookies.binarycookies) and harvests browser profiles, extension data, and crypto wallet directories.
  • It gathers system and hardware details via system_profiler (likely to detect sandboxes/VMs), adds keychain and Binance app-store.json to the collection, zips data in memory, and sends it with a POST to the /p2p endpoint on a hardcoded C2.
  • Many samples are currently undetected; Bitdefender detections include Gen:Variant.Trojan.MAC.Dropper for the droppers and Generic.MAC.Stealer.G for the Python scripts.

MITRE Techniques

  • [T1204] User Execution – Attacker lures users to right-click and open the unsigned “Crack Installer” app from a DMG; the right-click “Open” override lets a user launch an unsigned or unnotarized app that Gatekeeper would otherwise block (‘user is requested to right click, and then open the Crack Installer application’)
  • [T1059.005] AppleScript – The Python stealer invokes AppleScript via osascript to collect files and data (‘filegrabber() function executes a large block of Apple script using the osascript -e command’)
  • [T1027] Obfuscated Files or Information – The Python payload is XOR-encoded inside the Mach-O __const section and decoded at runtime (‘The XOR-ed content of the script is initially stored inside the __const section of the binary’)
  • [T1082] System Information Discovery – The script runs system_profiler (SPSoftwareDataType, SPHardwareDataType, SPDisplaysDataType) to collect OS/hardware/display info (‘gathers information about the compromised computer using the system_profiler utility … written to a file named user’)
  • [T1497] Virtualization/Sandbox Evasion – Collected system profile information is used potentially to detect virtual environments or sandboxes (‘one potential purpose of collecting these details might be to detect virtual environments or executions within sandboxes’)
  • [T1555.003] Credentials from Password Stores: Keychain – Attackers collect the user’s login keychain file ~/Library/Keychains/login.keychain-db (‘add to the archive of collected files the ~/Library/Keychains/login.keychain-db file’)
  • [T1539] Steal Web Session Cookie – The malware collects browser cookie stores, including Safari’s Cookies.binarycookies (‘collects the Cookies.binarycookies file that stores the cookies of the Safari browser’)
  • [T1560] Archive Collected Data – All gathered files are added to an in-memory ZIP archive to minimize local traces (‘Everything that the script has gathered from the target computer is added to a ZIP archive stored in memory’)
  • [T1041] Exfiltration Over C2 Channel – The archive is sent via HTTP POST to a hardcoded C2 /p2p endpoint (C2 IP is hardcoded) (‘sent to the C2 address … using a POST request to the /p2p endpoint’)

Indicators of Compromise

  • [File hashes – DMG files] DMG samples – 0caf5b5cc825e724c912ea2a32eceb59, f0dc72530fa06b278b7da797e5fcb3a1, and 11 other hashes
  • [File hashes – Mach-O droppers] Dropper binaries – 6aab14b38bbb6b07bd9e5b29a6514b62, af23cd92ab15ebcc02b91664a0adc6fb, and 10 other hashes
  • [File hashes – Python scripts] Dropped Python stealer scripts – 6e375185480ee26c2f31c04c36a8a0e8, c8ac97b9df5a2dc51be6a65e6d7bce6b, and 2 other hashes
  • [IP / C2] C2 address – 5.42.65.114 (previously linked to an Amadey-associated C2)
  • [File paths / filenames] Dropped path and targeted artifacts – /var/tmp/olx (dropped Python stealer), a file named psw holding the captured account password (directory not stated), ~/Library/Keychains/login.keychain-db (also targets Cookies.binarycookies and ~/Library/Application Support/Binance/app-store.json)
  • [Social engineering artifact] Installer label used to bypass Gatekeeper – “Crack Installer” application inside the DMG

The attack begins with small DMG files containing universal (FAT) Mach-O binaries with Intel (x86_64) and ARM (arm64) slices that serve as droppers. When the user opens the DMG and follows the instruction to right-click and choose “Open” on the included “Crack Installer” app (the user-driven Gatekeeper override for unsigned or unnotarized apps; note that macOS Sequoia removed this right-click override, so on current systems the lure would need the Privacy & Security settings route instead), the Mach-O decodes an XOR-obfuscated Python script embedded in its __const section, writes it to /var/tmp/olx, and executes it.
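An added triage helper for the dropper stage described above (this is illustrative code, not Bitdefender's tooling and not the dropper itself). It walks a thin or FAT Mach-O, pulls out the __TEXT,__const section, and brute-forces a single-byte XOR key by scoring each candidate for Python source markers. The single-byte key length is an assumption (the write-up does not state the key size, so a multi-byte key would need a known-plaintext approach instead), and the dropper binary below is constructed in memory rather than taken from a real sample.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF      # 64-bit little-endian Mach-O
FAT_MAGIC = 0xCAFEBABE        # universal binary header (big-endian fields)
LC_SEGMENT_64 = 0x19
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
# Strings expected in a Python stealer once the XOR layer is removed.
PY_MARKERS = (b"import ", b"def ", b"osascript", b"subprocess")


def arch_slices(blob):
    """Yield (cputype, thin_bytes) for every architecture in a FAT or thin file."""
    if struct.unpack(">I", blob[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", blob[4:8])[0]
        for i in range(nfat):
            cputype, _sub, off, size, _al = struct.unpack(">iiIII", blob[8 + 20 * i:28 + 20 * i])
            yield cputype, blob[off:off + size]
    else:
        yield struct.unpack("<i", blob[4:8])[0], blob


def find_section(thin, segname=b"__TEXT", sectname=b"__const"):
    """Return the raw bytes of segname,sectname from a 64-bit Mach-O slice, or None."""
    if len(thin) < 32 or struct.unpack("<I", thin[:4])[0] != MH_MAGIC_64:
        return None
    ncmds = struct.unpack("<I", thin[16:20])[0]
    off = 32                                   # load commands follow mach_header_64
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", thin[off:off + 8])
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack("<I", thin[off + 64:off + 68])[0]
            for s in range(nsects):
                so = off + 72 + 80 * s          # section_64 entries follow the segment command
                name = thin[so:so + 16].rstrip(b"\0")
                seg = thin[so + 16:so + 32].rstrip(b"\0")
                size, fileoff = struct.unpack("<QI", thin[so + 40:so + 52])
                if seg == segname and name == sectname:
                    return thin[fileoff:fileoff + size]
        off += cmdsize
    return None


def xor_single(data, key):
    """XOR every byte with one key byte; bytes.translate keeps this fast on large sections."""
    return data.translate(bytes(i ^ key for i in range(256)))


def recover_python(data):
    """Try all 256 single-byte keys; return (key, plaintext) for the best-scoring one, or None."""
    best_score, best = 0, None
    for key in range(256):
        cand = xor_single(data, key)
        score = sum(cand.count(m) for m in PY_MARKERS)
        if score > best_score:
            best_score, best = score, (key, cand)
    return best


def triage(blob):
    """Per architecture slice: (cputype, key, recovered_script) where a payload was found."""
    hits = []
    for cputype, thin in arch_slices(blob):
        const = find_section(thin)
        found = recover_python(const) if const else None
        if found:
            hits.append((cputype, found[0], found[1]))
    return hits


# --- constructed test input: a tiny "stealer" XOR-ed into __const of a two-slice FAT ---
def build_thin(cputype, payload):
    data_off = 32 + 72 + 80                    # header + segment command + one section
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, 1, 72 + 80, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80, b"__TEXT",
                      0, 0, 0, data_off + len(payload), 5, 5, 1, 0)
    sect = struct.pack("<16s16sQQIIIIIIII", b"__const", b"__TEXT",
                       0, len(payload), data_off, 0, 0, 0, 0, 0, 0, 0)
    return header + seg + sect + payload


def build_fat(slices):
    off = 8 + 20 * len(slices)
    table, body = b"", b""
    for cputype, thin in slices:
        table += struct.pack(">iiIII", cputype, 0, off, len(thin), 0)
        body += thin
        off += len(thin)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + table + body


SAMPLE_SCRIPT = (b"import subprocess\n"
                 b"def filegrabber():\n"
                 b"    subprocess.run(['osascript', '-e', 'display dialog'])\n")
SAMPLE_KEY = 0x5A                              # constructed key, not from a real sample
CONSTRUCTED_DROPPER = build_fat([
    (cpu, build_thin(cpu, xor_single(SAMPLE_SCRIPT, SAMPLE_KEY)))
    for cpu in (CPU_TYPE_X86_64, CPU_TYPE_ARM64)])

if __name__ == "__main__":
    for cputype, key, script in triage(CONSTRUCTED_DROPPER):
        print(f"cputype=0x{cputype:08x} key=0x{key:02x}\n{script.decode()}")
```

On a real dropper, replace CONSTRUCTED_DROPPER with the file's bytes; the marker scoring is what separates a genuine decode from the 255 wrong keys, so extend PY_MARKERS with strings you expect in the payload (for this family, the /p2p endpoint or system_profiler arguments) if the default set scores nothing.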

The Python stealer first prompts the user with a fake system-update dialog to capture the local account password (saving it to a file named psw). It then uses osascript to run extensive AppleScript routines that enumerate browser profiles (Chromium-based browsers and Firefox), collect Web Data, Login Data and cookie stores (including Safari’s Cookies.binarycookies), gather files from crypto wallet directories, and add targeted files such as ~/Library/Keychains/login.keychain-db and ~/Library/Application Support/Binance/app-store.json to the collection. The script also invokes system_profiler with SPSoftwareDataType, SPHardwareDataType and SPDisplaysDataType to collect system, hardware and display information, possibly to fingerprint sandboxes or virtualized environments.

Collected items are compiled into an in-memory ZIP archive to reduce disk artifacts and then exfiltrated via an HTTP POST to a hardcoded C2 /p2p endpoint (noted C2 IP: 5.42.65.114). Detection names reported by Bitdefender for components include Gen:Variant.Trojan.MAC.Dropper for Mach-O droppers and Generic.MAC.Stealer.G for the Python scripts.
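An added detection sketch covering the collection and exfiltration chain described in the two paragraphs above (illustrative code, not Bitdefender's detection logic). It scores process, file and network telemetry per process tree so that the individual signals (a process referencing /var/tmp/olx, osascript spawned by a Python interpreter, the system_profiler fingerprinting call, keychain and cookie-store reads by an unexpected process, a POST to the known C2 /p2p endpoint) add up to one alert on the root of the chain. The event shape (type/pid/ppid/path/cmdline/dst/method/url_path), the reader allow-list and the interpreter path are assumptions standing in for a real EDR schema, and the events are constructed samples, not captured telemetry.

```python
import posixpath

C2_IP = "5.42.65.114"
DROPPED_SCRIPT = "/var/tmp/olx"
SENSITIVE_SUFFIXES = ("/Library/Keychains/login.keychain-db",
                      "/Cookies.binarycookies",
                      "/Library/Application Support/Binance/app-store.json")
# Processes that legitimately touch those files (assumed allow-list; tune per fleet).
ALLOWED_READERS = {"Safari", "securityd", "security", "Keychain Access", "Binance"}


def _name(proc):
    """Executable basename of a process event, or '' when the process is unknown."""
    return posixpath.basename(proc["path"]) if proc else ""


# (rule name, weight, predicate over (event, acting process, parent process))
RULES = [
    ("process_references_dropped_script", 3, lambda e, a, p:
        e["type"] == "process" and DROPPED_SCRIPT in e["cmdline"]),
    ("osascript_spawned_by_python", 2, lambda e, a, p:
        e["type"] == "process" and _name(a) == "osascript" and _name(p).startswith("python")),
    ("system_profiler_fingerprint", 1, lambda e, a, p:
        e["type"] == "process" and _name(a) == "system_profiler"
        and "SPHardwareDataType" in e["cmdline"]),
    ("credential_store_read_by_unexpected_process", 2, lambda e, a, p:
        e["type"] == "file" and e["path"].endswith(SENSITIVE_SUFFIXES)
        and _name(a) not in ALLOWED_READERS),
    ("post_to_known_c2_p2p", 4, lambda e, a, p:
        e["type"] == "network" and e["dst"] == C2_IP
        and e["method"] == "POST" and e["url_path"] == "/p2p"),
]


def score_events(events, threshold=5):
    """Attribute every rule hit to the root of its process tree; return roots at/above threshold."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def root_of(pid):
        seen = set()
        while pid in procs and procs[pid]["ppid"] in procs and pid not in seen:
            seen.add(pid)
            pid = procs[pid]["ppid"]
        return pid

    findings = {}
    for e in events:
        actor = procs.get(e["pid"])
        parent = procs.get(actor["ppid"]) if actor else None
        for name, weight, pred in RULES:
            if pred(e, actor, parent):
                f = findings.setdefault(root_of(e["pid"]), {"score": 0, "hits": []})
                f["score"] += weight
                f["hits"].append(name)
    return {pid: f for pid, f in findings.items() if f["score"] >= threshold}


# Constructed sample telemetry: two benign activities followed by the stealer chain.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 300, "ppid": 1, "path": "/Applications/Safari.app/Contents/MacOS/Safari",
     "cmdline": "Safari"},
    {"type": "file", "pid": 300, "path": "/Users/alice/Library/Cookies/Cookies.binarycookies"},
    {"type": "process", "pid": 400, "ppid": 1, "path": "/bin/zsh", "cmdline": "-zsh"},
    {"type": "process", "pid": 401, "ppid": 400, "path": "/usr/bin/osascript",
     "cmdline": "osascript backup.scpt"},
    {"type": "process", "pid": 500, "ppid": 1,
     "path": "/Volumes/Installer/Crack Installer.app/Contents/MacOS/Crack Installer",
     "cmdline": "Crack Installer"},
    {"type": "process", "pid": 501, "ppid": 500, "path": "/usr/bin/python3",   # interpreter path assumed
     "cmdline": "python3 /var/tmp/olx"},
    {"type": "process", "pid": 502, "ppid": 501, "path": "/usr/bin/osascript",
     "cmdline": "osascript -e display dialog"},
    {"type": "process", "pid": 503, "ppid": 501, "path": "/usr/sbin/system_profiler",
     "cmdline": "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"},
    {"type": "file", "pid": 501, "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "file", "pid": 502, "path": "/Users/alice/Library/Cookies/Cookies.binarycookies"},
    {"type": "network", "pid": 501, "dst": "5.42.65.114", "method": "POST", "url_path": "/p2p"},
]

if __name__ == "__main__":
    for root, f in score_events(SAMPLE_EVENTS).items():
        print(f"root pid {root}: score={f['score']} hits={f['hits']}")
```

The weights are deliberately skewed so that the C2 POST alone (4) stays under the threshold while any two behavioural signals from the same tree cross it; once the hardcoded IP rotates, the behavioural rules (osascript under a Python parent, keychain reads by an interpreter, system_profiler with SPHardwareDataType) still carry the detection.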

Read more: https://www.bitdefender.com/blog/labs/when-stealers-converge-new-variant-of-atomic-stealer-in-the-wild/