A new macOS malware called Atomic macOS Stealer (AMOS) was discovered by the Cyble Research and Intelligence Labs (CRIL) on a Telegram channel. According to reports, AMOS can steal browser data, passwords, crypto wallet data, system information, and browser extension data.
CRIL researchers found dealers selling and endorsing the macOS malware AMOS, yet another effort by threat actors to breach the defenses of macOS. Other malware including MacStealer, RustBucket, and DazzleSpy were also found in the dark web marketplace. AMOS, however, was still a work in progress and was being upgraded with more features.
Features of the macOS malware AMOS
In a Telegram post dated April 25, researchers found that newer capabilities had been added to the AMOS malware against macOS. It was sold for $1000 a month.
The malware was built with a web panel so hackers can manage the victims' data, MetaMask brute-forcing capabilities for seed and private key theft, a crypto checker, and a DMG installer.
Malicious activities of the macOS malware AMOS
The analyzed sample, Setup.dmg (SHA256: 15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709), was found to be FUD, or fully undetectable, on VirusTotal. This adds to the evasive nature of the macOS malware.
Instances of active device exploitation using the macOS malware AMOS have not yet been reported. After executing the file, users are prompted to enter their password, as shown below:
The macOS malware not only harvests system passwords but also accesses the macOS keychain, the password management system that stores credentials and other sensitive data on macOS devices. It does so using the main_keychain() function.
The macOS malware AMOS steals credit card data and uses the main_GrabWallets() function to read directories and steal crypto wallet data. It can access crypto wallets including Atomic, Binance, Electrum, and Exodus.
The malware targets the Ruby Wallet, Coin98 Wallet, Math Wallet, Station Wallet, Wombat – Gaming wallet for Ethereum and EOS, CWallet, Hycon Lite Client, Phantom, and XDCPay, among many other wallets.
AMOS malware targeting macOS can also steal browser data from Mozilla Firefox, Google Chrome, Opera, Vivaldi, and Microsoft Edge. Autofill data, cookies, credit card information, and passwords can be accessed by the malware.
Besides browsers and crypto wallets, the macOS malware AMOS can traverse directories including Desktop and Documents using the function main_FileGrabber(), as shown in the image below:
All the stolen system and user data is compressed into a ZIP file and encoded using Base64 before exfiltration. The exfiltrated data can be sent to the cybercriminal's command and control server via the URL hxxp[:]//amos-malware[.]ru/sendlog
The data can also get sent to the selected Telegram channel as shown below:
Among the indicators of compromise, security researchers found the domain amos-malware[.]ru. Users are advised to enable biometric authentication and to be cautious about the downloads and applications they install on the device, to avoid infection by the macOS malware AMOS.
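The following Python script is an added defensive example; it is not code from the Cyble report or from the malware itself. It takes the two indicators the article publishes (the Setup.dmg SHA256 hash and the defanged /sendlog C2 URL), refangs the URL into the form that would appear in proxy logs, and scans constructed sample log lines for contact with the C2 domain. Because the article states that loot is ZIP-compressed and then Base64-encoded before exfiltration, it also flags POST bodies that decode to a valid ZIP archive, which catches the same exfiltration pattern even if the C2 domain changes. The log format, client IPs and timestamps are constructed assumptions for the example.

```python
"""Added defensive example (not from the Cyble report): check a file hash against the
published AMOS sample hash, and flag proxy log lines that reach the published C2
URL or carry a Base64-encoded ZIP body (AMOS zips loot and Base64-encodes it)."""
import base64
import hashlib
import io
import zipfile

# Indicators published in the report, kept defanged as printed there
AMOS_DMG_SHA256 = "15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709"
AMOS_C2_URL_DEFANGED = "hxxp[:]//amos-malware[.]ru/sendlog"


def refang(ioc: str) -> str:
    """Convert a defanged indicator back into the literal string seen in logs."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


AMOS_C2_URL = refang(AMOS_C2_URL_DEFANGED)                        # http://amos-malware.ru/sendlog
AMOS_C2_DOMAIN = AMOS_C2_URL.split("//", 1)[1].split("/", 1)[0]  # amos-malware.ru


def matches_amos_hash(data: bytes) -> bool:
    """True if the SHA256 of the given bytes equals the published Setup.dmg hash."""
    return hashlib.sha256(data).hexdigest() == AMOS_DMG_SHA256


def looks_like_base64_zip(body: str) -> bool:
    """ZIP files begin with the bytes 'PK\\x03\\x04', which Base64-encode to a
    'UEsDB' prefix. Check the prefix, then decode and validate the archive."""
    if not body.startswith("UEsDB"):
        return False
    try:
        raw = base64.b64decode(body, validate=True)
        with zipfile.ZipFile(io.BytesIO(raw)) as archive:
            return archive.testzip() is None
    except Exception:
        return False


def scan_proxy_log(lines):
    """Each constructed log line: '<ts> <client> <method> <url> [<post-body>]'.
    Returns (client, reason) tuples for lines that match an AMOS indicator."""
    alerts = []
    for line in lines:
        parts = line.split(" ", 4)
        if len(parts) < 4:
            continue
        _ts, client, method, url = parts[:4]
        body = parts[4] if len(parts) == 5 else ""
        host = url.split("//", 1)[-1].split("/", 1)[0]
        if url.startswith(AMOS_C2_URL):
            alerts.append((client, "request to AMOS /sendlog endpoint"))
        elif host == AMOS_C2_DOMAIN:
            alerts.append((client, "contact with AMOS C2 domain"))
        elif method == "POST" and looks_like_base64_zip(body):
            alerts.append((client, "POST body is a Base64-encoded ZIP archive"))
    return alerts


def make_constructed_exfil_body() -> str:
    """Build the kind of body the report describes (ZIP, then Base64) from constructed data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("system_info.txt", "constructed sample content")
    return base64.b64encode(buf.getvalue()).decode()


# Constructed sample log; client addresses and timestamps are illustrative, not from the report
SAMPLE_LOG = [
    "2023-04-26T10:00:00Z 10.0.0.5 GET https://example.com/index.html",
    "2023-04-26T10:01:00Z 10.0.0.7 POST http://amos-malware.ru/sendlog " + make_constructed_exfil_body(),
    "2023-04-26T10:02:00Z 10.0.0.9 GET http://amos-malware.ru/",
    "2023-04-26T10:03:00Z 10.0.0.11 POST https://example.org/upload " + make_constructed_exfil_body(),
]

if __name__ == "__main__":
    for client, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client}: {reason}")
```

The domain and URL checks are exact matches on the published indicator, so they go stale as soon as the operator moves infrastructure; the Base64-ZIP body check is the more durable signal, since it keys on the exfiltration encoding the report describes rather than on a hostname. In production the file-hash check would be run over downloaded DMG files, and the log scanner over the real proxy or EDR network telemetry rather than the constructed lines here.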