Atomic macOS Stealer Comes With New Backdoor to Enable Remote Access
The Atomic macOS Stealer (AMOS) has undergone a significant evolution, transforming from a traditional information stealer into a sophisticated persistent threat capable of maintaining long-term access to compromised macOS systems.
This development marks a critical escalation in the malware’s capabilities, enabling attackers to execute remote commands and deploy additional payloads beyond its original data theft functions.
The malware’s distribution strategy combines two primary attack vectors: websites offering cracked or counterfeit software and sophisticated spear-phishing campaigns targeting high-value individuals, particularly cryptocurrency holders and freelancers including artists.
These phishing attacks often masquerade as legitimate job interview processes, deceiving victims into installing trojanized DMG files by requesting system passwords under the pretense of enabling screen-sharing software.
PolySwarm analysts identified that AMOS campaigns have already impacted over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada experiencing the most significant activity.
The malware-as-a-service model suggests continuous development, with reports indicating potential keylogging features currently under development.
Persistence and Evasion Mechanisms
The backdoor’s technical implementation demonstrates sophisticated persistence tactics designed to survive system reboots and evade detection. AMOS deploys a binary named .helper as a hidden file within the victim’s home directory, accompanied by a wrapper script called .agent that ensures continuous execution.
The malware establishes persistence through a LaunchDaemon labeled com.finder.helper, installed via AppleScript using stolen user credentials for elevated privileges.
Communication with command-and-control servers occurs through HTTP POST requests transmitted every 60 seconds to receive new tasks.
To avoid detection during analysis, AMOS employs string obfuscation techniques and actively checks for sandbox or virtual machine environments using the system_profiler command, ensuring operational security during deployment and execution phases.
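A defender-side triage scan for the persistence artifacts described in this section, added here as an example rather than code from the article or from the malware: it looks for a launch item carrying the com.finder.helper label and for the hidden .helper and .agent files in user home directories. The optional root argument, the plist search locations and the running-process check are assumptions for illustration, not details from the report.

```shell
#!/bin/sh
# Triage scan for the AMOS persistence artifacts named in the article:
# a launch item labeled com.finder.helper plus hidden .helper/.agent files
# in user home directories. The optional ROOT argument (an assumption, not
# from the article) points the scan at a mounted image or test tree.

AMOS_LABEL="com.finder.helper"

amos_persistence_scan() {
    root="${1:-}"
    hits=0

    # 1. Any LaunchDaemon/LaunchAgent plist that carries the reported label.
    #    The plist file name is not reported, so match the label inside files.
    for dir in "$root/Library/LaunchDaemons" "$root/Library/LaunchAgents" \
               "$root"/Users/*/Library/LaunchAgents; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -q "$AMOS_LABEL" "$plist" 2>/dev/null; then
                echo "SUSPECT launch item: $plist (label $AMOS_LABEL)"
                hits=$((hits + 1))
            fi
        done
    done

    # 2. Hidden .helper binary and .agent wrapper directly under a home dir.
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        for name in .helper .agent; do
            if [ -e "$home/$name" ]; then
                echo "SUSPECT hidden file: $home/$name"
                hits=$((hits + 1))
            fi
        done
    done

    # 3. Live system only: a running process started from a /.helper path.
    if [ -z "$root" ] && command -v pgrep >/dev/null 2>&1; then
        if pgrep -f '/\.helper' >/dev/null 2>&1; then
            echo "SUSPECT running process: command path contains /.helper"
            hits=$((hits + 1))
        fi
    fi

    echo "AMOS persistence indicators found: $hits"
    [ "$hits" -eq 0 ]   # exit 0 = clean, 1 = indicators present
}
```

Run amos_persistence_scan with no argument on a live Mac, or with the mount point of an evidence image; the exit status makes it usable from an inventory or EDR script.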