A new information stealer has arrived on the dark web. Known as the Atomic Stealer (AMOS), this information stealer, this information-stealing malware is designed for a phishing campaign associated with the rise of dead cookie restoration and Xehook Stealer.
Cyble Research and Intelligence Labs (CRIL) recently found a campaign where an updated version of AMOS Stealer was deployed through deceptive websites masquerading as legitimate Mac applications.
Despite being distributed through Google Ads in the past, the newer version of the Atomic Stealer is being published through websites like Parallels Desktop, CleanMyMac, Arc Browser, and Pixelmator.
The Complex World of Atomic Stealer: Recent Updates and Capabilities
The continuous evolution of AMOS, marked by frequent updates, highlights the developer’s commitment to refining its functionalities for malicious purposes. The malware has expanded its reach across multiple browsers, enabling it to extract auto-fills, passwords, cookies, and financial details from various wallets. Moreover, AMOS goes beyond data theft, offering additional services such as a web panel, MetaMask brute-forcing, crypto checking, and a DMG installer.
According to CRIL, a big development in the AMOS saga is its newfound capability to revive expired Google Chrome cookies. This marks a transformative trend in the information stealer market, providing threat actors with a powerful tool for prolonged unauthorized access.
The release of a free code on a cybercrime forum for restoring expired cookies has raised concerns among researchers, as it opens the door for low-profile threat actors to incorporate this method into their malware payloads.
Xehook Stealer: The Quick Adaptable Information Stealer
On January 20, 2024, Xehook Stealer surfaced on a cybercrime forum, demonstrating a quick integration of the cookie revival feature within 2-3 days. This rapid adaptation by Xehook Stealer highlights a growing trend among InfoStealers, as threat actors leverage the revived cookies method to enhance their malicious capabilities.
The analysis also uncovered a potential connection in campaigns or Threat Actors (TAs) as all AMOS stealer payloads share a common Command and Control center (C&C), identified as “5.42.65.108.” This C&C server had been previously documented in a report on Atomic Stealer by Malwarebytes, suggesting a correlation among these malware payloads.
To gain deeper insights, CRIL conducted a comprehensive technical analysis of AMOS, focusing on its initial infection, system information gathering, and browser data extraction. AMOS was found spreading through deceptive sites such as parallelsdesktop.pro, cleanmymac.pro, arcbrowser.pro, and pixelmator.pics.
Technical Details of the Information Stealers
The stealer employs a novel encryption method to conceal strings within the file, dynamically decrypting and retrieving actual strings at runtime. Furthermore, it utilizes the system_profiler tool to gather extensive information about the victim’s Mac computer, including software, hardware, and display details.
AMOS targets a variety of Chromium-based browsers, including Safari, Chrome, Brave, Edge, Opera, OperaGX, and Vivaldi. The malware extracts sensitive data from specific directories, such as Cookies, Network/Cookies, Login Data, and Web Data. Additionally, it retrieves Mozilla Firefox data, including information from files like cookies.sqlite, formhistory.sqlite, key4.db, and logins.json.
The stealer initiates the extraction of information related to crypto wallets, targeting wallets such as Electrum, Binance, Exodus, Atomic, and Coinomi. Additionally, it fetches the password linked to the label ‘Chrome’ from the macOS keychain, specifically targeting the Google Chrome application.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.