Cybersecurity experts have discovered that a threat actor is selling a new information-stealing malware called Atomic macOS Stealer (AMOS) on the popular messaging app Telegram.
The malware is specifically designed to target macOS platforms and can steal sensitive information from the victim’s machine, including keychain passwords, system information, and even the macOS password.
The threat actor behind the Atomic macOS Stealer is continuously improving the malware and adding new features to make it more effective, according to researchers at the Cyble Research and Intelligence Labs (CRIL).
In a recent update highlighted on Telegram on April 25, the threat actor showcased the latest capabilities of the malware.
Atomic macOS Stealer, now available on Telegram!
The information-stealing malware Atomic macOS Stealer being sold by a Threat Actor on Telegram is concerning, but not surprising, CRIL researchers told The Cyber Express.
The popularity of macOS has increased in recent years due to its user-friendly interface, which is often praised for its simplicity and ease of use.
What baffled the security vendors is the emergence of an undetected Golang-based stealer.
“The Atomic macOS Stealer can steal various types of information from the victim’s machine, including keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password,” said the CRIL threat assessment report.
“The stealer is designed to target multiple browsers and can extract auto-fills, passwords, cookies, wallets, and credit card information. Specifically, AMOS can target cryptowallets such as Electrum, Binance, Exodus, Atomic, and Coinomi.”
Despite macOS being perceived as more secure than other operating systems, Threat Actors have continued to target the platform with various families of malware, including MacStealer, RustBucket, and DazzleSpy.
“The Atomic macOS Stealer’s primary function encompasses all of its capabilities, including keychain extraction, crypto wallet theft, stealing browser details, grabbing user files, collecting system information, and sending all the stolen data to the remote C&C server,” said the report.
More worrying are the crypto wallet capabilities of the malware.
“The Atomic macOS stealer can also extract information from crypto wallet browser extensions. These extensions are integrated into the stealer binary via hard coding, with over 50 extensions being targeted thus far,” the CRIL report said.
Atomic macOS Stealer and a constantly evolving threat actor
The threat actor (TA) behind Atomic macOS Stealer is constantly improving the malware and adding new capabilities to increase its effectiveness, as demonstrated in a recent update highlighted on Telegram on April 25.
In addition to the malware, the TA offers additional services, such as a web panel for managing victims, MetaMask brute-forcing for stealing seed and private keys, a crypto checker, and a DMG installer, for $1000 per month.
The increasing popularity of macOS platforms has made them an attractive target for threat actors, despite being perceived as more secure than other operating systems. In recent years, several families of malware, including MacStealer, RustBucket, and DazzleSpy, have targeted macOS users.