Atomic macOS Stealer Upgraded with Remote Access Backdoor

The Atomic macOS Stealer (AMOS), a notorious infostealer malware targeting Apple’s macOS ecosystem, has undergone a significant upgrade by incorporating a sophisticated backdoor mechanism that facilitates persistent access and remote command execution on infected systems.

This enhancement, detailed in a recent report by Moonlock Lab, a cybersecurity arm of MacPaw, transforms AMOS from a mere data exfiltration tool into a full-fledged remote access trojan (RAT).

Previously focused on harvesting sensitive information such as cryptocurrency wallet credentials, browser autofill data, and keychain passwords, AMOS now ensures attackers can maintain long-term control, surviving system reboots and enabling the deployment of additional payloads.

This evolution aligns AMOS with advanced persistent threat (APT) tactics, reminiscent of North Korean campaigns that blend stealers with backdoors for rapid exfiltration and surveillance.

Evolution into a Persistent Threat

Unlike those North Korean campaigns, AMOS’s Russia-affiliated developers appear to prioritize sustained persistence, potentially for keylogging, lateral movement across the network, and ongoing espionage.

Distributed as a malware-as-a-service (MaaS) offering, AMOS has already compromised systems across more than 120 countries, with heightened activity in the United States, United Kingdom, France, Italy, and Canada.

Analysts at PolySwarm classify it as an evolving threat, underscoring the need for robust endpoint detection and response (EDR) solutions to counter its growing sophistication.

At its core, the AMOS backdoor leverages macOS-specific features for stealth and persistence.

Upon infection, the malware deploys a hidden binary named .helper in the user’s home directory, accompanied by a wrapper script called .agent that orchestrates its continuous execution.

Technical Implementation

To achieve boot-time persistence, AMOS installs a LaunchDaemon plist file labeled com.finder.helper via AppleScript, which executes with elevated privileges obtained through stolen user credentials.

This setup allows the backdoor to poll command-and-control (C2) servers via HTTP POST requests every 60 seconds, fetching tasks for remote command execution, file manipulation, or further malware deployment.
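A fixed-interval POST to one destination is exactly the kind of traffic a proxy or egress log can surface. The following added example (written for this article, not code from Moonlock or PolySwarm) groups POST requests by client and URL from a constructed, squid-like log sample and flags series whose gaps cluster around a 60-second period with low jitter. The log format, client addresses and URLs are assumptions; the 60-second period comes from the report.

```python
"""Flag (client, url) pairs whose outbound POSTs recur at a near-fixed interval,
matching the 60-second C2 polling reported for the AMOS backdoor.
Added example; the log format and every host/URL below are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: "<ISO timestamp> <client> <method> <url>" per line.
# 10.0.0.5 polls one endpoint roughly every minute; 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 POST http://203.0.113.7/gate
2024-05-01T10:00:12 10.0.0.9 GET http://example.org/index.html
2024-05-01T10:01:00 10.0.0.5 POST http://203.0.113.7/gate
2024-05-01T10:01:47 10.0.0.9 POST http://example.org/login
2024-05-01T10:02:01 10.0.0.5 POST http://203.0.113.7/gate
2024-05-01T10:02:59 10.0.0.5 POST http://203.0.113.7/gate
2024-05-01T10:04:00 10.0.0.5 POST http://203.0.113.7/gate
2024-05-01T10:05:00 10.0.0.5 POST http://203.0.113.7/gate
2024-05-01T10:09:30 10.0.0.9 POST http://example.org/login
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_lines(text):
    """Yield (timestamp, client, method, url); malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        yield (datetime.fromisoformat(match.group(1)),
               match.group(2), match.group(3), match.group(4))


def find_beacons(text, expected_period=60.0, tolerance=0.1, min_events=4):
    """Return {(client, url): median_gap_seconds} for POST series whose median
    inter-request gap is within `tolerance` (a fraction) of `expected_period`
    and whose individual gaps are mostly that regular."""
    series = defaultdict(list)
    for ts, client, method, url in parse_lines(text):
        if method == "POST":
            series[(client, url)].append(ts)

    hits = {}
    window = expected_period * tolerance
    for key, stamps in series.items():
        if len(stamps) < min_events:
            continue  # too few requests to call it a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        if abs(median_gap - expected_period) > window:
            continue
        # A missed poll shows up as roughly twice the period, so require only
        # a clear majority of gaps to sit inside the window rather than all.
        regular = sum(1 for g in gaps if abs(g - expected_period) <= window)
        if regular / len(gaps) >= 0.7:
            hits[key] = median_gap
    return hits


if __name__ == "__main__":
    for (client, url), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {url}: median gap {gap:.0f}s")
```

The median rather than the mean is used so that one missed poll or a retry burst does not mask an otherwise perfect cadence; in production the same function would be fed a day of logs per client and the period left unfixed, scanning a few candidate periods rather than only 60 seconds.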

Evasion techniques are integral: AMOS employs string obfuscation to hinder static analysis and uses the system_profiler command to detect sandboxed or virtual machine environments, aborting operations if such conditions are identified to avoid detection during reverse engineering.

Distribution primarily occurs through two vectors: spear-phishing campaigns and websites hosting cracked or counterfeit software, often targeting cryptocurrency enthusiasts and freelancers like digital artists.

According to the report, phishing lures mimic legitimate job interviews, prompting victims to install trojanized DMG files that request system passwords under the guise of enabling screen-sharing tools.

Once executed, AMOS not only exfiltrates data like seed phrases and passwords but also embeds the backdoor for prolonged access.

This shift from one-off theft to persistent compromise amplifies risks, enabling attackers to conduct surveillance, deploy ransomware, or pivot to enterprise networks.

As AMOS continues to iterate with rumors of impending keylogging capabilities, macOS users must adopt proactive defenses, including behavior-based monitoring, regular software updates, and caution with unsolicited downloads.

The malware’s global reach and technical refinements position it as a critical threat, demanding heightened vigilance in an ecosystem often perceived as inherently secure.

Indicators of Compromise (IOCs)

SHA-256 hashes (each with a corresponding PolySwarm scan):

8d8b40e87d3011de5b33103df2ed4ec81458b2a2f8807fbb7ffdbc351c7c7b5e
3402883ff6efadf0cc8b7434a0530fb769de5549b0e9510dfdd23bc0689670d6
f4976d9a90d2f9868fcaade1449ffcf9982ed2285ace90aafa7099ce246fd2ec
54b9576aad25d54d703adb9a26feaa5d80f44b94731ff8ecff7cf1ebc15cf3ff
11e55fa23f0303ae949f1f1d7766b79faf0eb77bccb6f976f519a29fe51ce838
ec11fd865c2f502c47f100131f699a5e0589092e722a0820e96bd698364eefdb
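The persistence artifacts described under Technical Implementation (the hidden .helper and .agent files in the home directory and the LaunchDaemon registered as com.finder.helper) and the hashes above can be turned into a host-side hunt. The following added example is not code from Moonlock or PolySwarm; it walks /Users and /Library/LaunchDaemons, matches daemons on their Label rather than their file name, hashes any hidden artifact it finds against the published list, and ships with a constructed directory layout so it can be exercised off a real Mac. The directory arguments, the finding format and the demo plist names are assumptions.

```python
"""Hunt for the AMOS backdoor artifacts named in the Moonlock report and check
file hashes against the published IoCs. Added example; the demo tree it builds
is constructed and contains no real sample."""
import hashlib
import plistlib
from pathlib import Path

# SHA-256 hashes of AMOS samples as listed in the article's IoC section
AMOS_SHA256 = {
    "8d8b40e87d3011de5b33103df2ed4ec81458b2a2f8807fbb7ffdbc351c7c7b5e",
    "3402883ff6efadf0cc8b7434a0530fb769de5549b0e9510dfdd23bc0689670d6",
    "f4976d9a90d2f9868fcaade1449ffcf9982ed2285ace90aafa7099ce246fd2ec",
    "54b9576aad25d54d703adb9a26feaa5d80f44b94731ff8ecff7cf1ebc15cf3ff",
    "11e55fa23f0303ae949f1f1d7766b79faf0eb77bccb6f976f519a29fe51ce838",
    "ec11fd865c2f502c47f100131f699a5e0589092e722a0820e96bd698364eefdb",
}
# LaunchDaemon label and hidden home-directory files named in the report
SUSPICIOUS_LABELS = {"com.finder.helper"}
HIDDEN_ARTIFACTS = (".helper", ".agent")


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_launch_daemons(daemon_dir="/Library/LaunchDaemons"):
    """Flag plists whose Label is on the watchlist. Matching on Label instead of
    file name matters: launchd registers the job by its Label whatever the plist
    is called, so a renamed file would slip past a filename check."""
    findings = []
    for plist in sorted(Path(daemon_dir).glob("*.plist")):
        try:
            with open(plist, "rb") as fh:
                data = plistlib.load(fh)  # handles both XML and binary plists
        except (plistlib.InvalidFileException, ValueError):
            findings.append({"type": "unreadable_plist", "path": str(plist)})
            continue
        if data.get("Label") in SUSPICIOUS_LABELS:
            findings.append({
                "type": "launchdaemon_label",
                "path": str(plist),
                "label": data["Label"],
                "program": data.get("ProgramArguments") or data.get("Program"),
            })
    return findings


def scan_home_dirs(users_dir="/Users"):
    """Look for the hidden .helper/.agent files in each home directory and hash
    them against the IoC list. A hash miss is still reported: the published
    hashes cover only known samples, so the file's presence is the stronger signal."""
    findings = []
    for home in sorted(Path(users_dir).iterdir()):
        if not home.is_dir():
            continue
        for name in HIDDEN_ARTIFACTS:
            artifact = home / name
            if artifact.is_file():
                digest = sha256_of(artifact)
                findings.append({
                    "type": "hidden_artifact",
                    "path": str(artifact),
                    "sha256": digest,
                    "known_ioc": digest in AMOS_SHA256,
                })
    return findings


def hunt(users_dir="/Users", daemon_dir="/Library/LaunchDaemons"):
    """Run both checks and return the combined findings list."""
    return scan_home_dirs(users_dir) + scan_launch_daemons(daemon_dir)


def build_demo_tree(root):
    """Write a constructed layout (not a real sample) under `root` so the hunt can
    run offline: one home directory with a placeholder .helper, plus two daemon
    plists, one benign and one carrying the com.finder.helper label under an
    innocuous (made-up) file name."""
    root = Path(root)
    users = root / "Users"
    daemons = root / "Library" / "LaunchDaemons"
    (users / "alice").mkdir(parents=True)
    daemons.mkdir(parents=True)
    (users / "alice" / ".helper").write_bytes(b"constructed placeholder, not malware\n")
    with open(daemons / "com.example.updater.plist", "wb") as fh:
        plistlib.dump({"Label": "com.finder.helper",
                       "ProgramArguments": ["/Users/alice/.agent"],
                       "RunAtLoad": True}, fh)
    with open(daemons / "org.example.backup.plist", "wb") as fh:
        plistlib.dump({"Label": "org.example.backup",
                       "Program": "/usr/local/bin/backup"}, fh)
    return str(users), str(daemons)


if __name__ == "__main__":
    import tempfile
    users_dir, daemon_dir = build_demo_tree(tempfile.mkdtemp())
    for finding in hunt(users_dir, daemon_dir):
        print(finding)
```

Run without arguments on a Mac (with enough privilege to read other users' home directories) to scan the real locations; the ProgramArguments captured in a daemon finding tell the responder which wrapper the job launches, which is what links the plist back to the .agent script in the report.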
