Recently, the cybersecurity researchers at Cyble discovered a new macOS malware, ‘Atomic’ (aka ‘AMOS’), sold for $1,000/month on private Telegram channels.
Buyers pay a high price for a DMG file containing a 64-bit Go-based binary that is built specifically to target macOS systems and steal the following data:
- Keychain passwords
- Files from the local filesystem
- Passwords
- Cookies
- Credit cards stored in browsers
- Complete system information
The malware is disguised as an unsigned disk image file named Setup.dmg.
Upon execution, it displays a fake password prompt to capture the victim's system password, which it then uses to gain elevated privileges and carry out its activities.
The other samples that were detected are:
- Photoshop CC 2023.dmg
- Tor Browser.dmg
Besides capturing the system password, the malware extracts sensitive data from the victim's machine using its main_keychain() function, which targets Keychain, the macOS password management tool.
The Atomic macOS stealer compresses the stolen data into a ZIP archive, Base64-encodes it, and then transmits it to the following C&C server URL:
- hxxp[:]//amos-malware[.]ru/sendlog
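The exfiltration pattern described above (a Base64-encoded ZIP archive posted to the `/sendlog` endpoint) can be turned into a simple network-log check. The following is an added detection example written for this article, not code from Cyble or from the malware; it assumes a constructed proxy log in the form `METHOD host path body`, and the only indicator it takes from the report is the defanged C&C host.

```python
import base64
import binascii
import io
import zipfile

# Indicator from the report, kept in its defanged form and un-defanged at runtime.
C2_HOST = "amos-malware[.]ru".replace("[.]", ".")
C2_PATH = "/sendlog"
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every ZIP archive


def looks_like_base64_zip(body: str) -> bool:
    """True if the request body is valid Base64 that decodes to a ZIP archive."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(ZIP_MAGIC)


def scan_log(lines):
    """Return (line_no, reason) for each request matching the reported exfil pattern.

    Each line is a constructed proxy record: 'METHOD host path body'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue  # malformed record, skip
        method, host, path, body = parts
        if host == C2_HOST:
            hits.append((n, "known AMOS C2 host"))
        elif method == "POST" and path == C2_PATH and looks_like_base64_zip(body):
            hits.append((n, "Base64-encoded ZIP posted to /sendlog"))
    return hits


def sample_zip_b64() -> str:
    """Build a small constructed ZIP and Base64-encode it, mimicking the described format."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sysinfo.txt", "constructed sample data")
    return base64.b64encode(buf.getvalue()).decode()


# Constructed sample log: one benign request, one hit on host, one hit on payload shape.
SAMPLE_LOG = [
    "GET example.com /index.html -",
    f"POST {C2_HOST} {C2_PATH} {sample_zip_b64()}",
    f"POST unknown-host.test {C2_PATH} {sample_zip_b64()}",
    "POST files.example.com /upload aGVsbG8gd29ybGQ=",  # Base64 of 'hello world', not a ZIP
]

if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The host match is the high-confidence signal; the payload-shape rule catches a rehosted C&C but should be tuned against legitimate uploads in your environment.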