A fresh malvertising campaign has come to light, disseminating an updated variant of macOS stealer malware known as Atomic Stealer (AMOS). This discovery suggests active maintenance by its author.
Atomic Stealer macOS Malware
Atomic Stealer, an off-the-shelf Golang malware priced at $1,000 per month, initially surfaced in April 2023. Shortly thereafter, new iterations with enhanced information-gathering capabilities emerged in the wild, with a focus on gamers and cryptocurrency enthusiasts.
Malvertising through Google Ads has emerged as the leading distribution method: users searching for popular software, whether legitimate or cracked, encounter deceptive ads that redirect them to websites hosting rogue installers.
The latest campaign involves the use of a fraudulent website for TradingView, prominently featuring three buttons to download the software for Windows, macOS, and Linux operating systems.
The macOS payload, labeled “TradingView.dmg,” is a recent iteration of Atomic Stealer introduced at the end of June.
It is concealed within an ad-hoc signed application that, when activated, tricks users into entering their password through a fake prompt, subsequently collecting files and data from iCloud Keychain and web browsers.
“Atomic Stealer, as reported by SentinelOne in May 2023, not only targets Chrome and Firefox browsers but also maintains an extensive hardcoded list of crypto-related browser extensions for exploitation. Additionally, certain variants have been observed targeting Coinomi wallets.”
The attacker’s primary objective is to circumvent macOS Gatekeeper protections and transmit the pilfered data to a server they control.
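Because the dropper described above is an ad-hoc signed app bundle, a quick signature triage catches it before Gatekeeper is ever bypassed. The script below is an added example, not code from the article or from any vendor: `classify_signature` reads the text that `codesign -dvv` prints and labels it, and `triage_app` wraps that for a real bundle on macOS (the bundle path in the comment is hypothetical).

```shell
#!/bin/sh
# Added example: triage a downloaded macOS app bundle's code signature before
# launching it. An ad-hoc signed app (as in the fake TradingView.dmg) shows up
# in `codesign -dvv` output as "Signature=adhoc" with "TeamIdentifier=not set";
# a Developer ID signed app carries a real TeamIdentifier.

# classify_signature reads `codesign -dvv` output on stdin and prints one of:
#   unsigned  - codesign found no signature at all
#   adhoc     - ad-hoc signature, no Developer ID / team behind it
#   developer - signed with a Team ID (still check notarization with spctl)
#   unknown   - output did not match any of the patterns above
classify_signature() {
    out=$(cat)
    case "$out" in
        *"code object is not signed at all"*) echo unsigned ;;
        *"Signature=adhoc"*) echo adhoc ;;
        *"TeamIdentifier="*)
            team=$(printf '%s\n' "$out" | sed -n 's/^TeamIdentifier=//p')
            if [ -z "$team" ] || [ "$team" = "not set" ]; then
                echo adhoc
            else
                echo developer
            fi ;;
        *) echo unknown ;;
    esac
}

# triage_app runs codesign on a real bundle (macOS only), e.g. the hypothetical
# /Volumes/TradingView/TradingView.app, and refuses anything not Developer ID
# signed. For signed apps it also asks Gatekeeper for its own assessment,
# which covers notarization and revocation.
triage_app() {
    app="$1"
    verdict=$(codesign -dvv "$app" 2>&1 | classify_signature)
    echo "$app: $verdict"
    if [ "$verdict" != developer ]; then
        echo "WARNING: $app is $verdict; do not open, keep it quarantined" >&2
        return 1
    fi
    spctl --assess --type execute -vv "$app" 2>&1
}
```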
This development coincides with macOS becoming an increasingly attractive target for malware attacks. In recent months, numerous macOS-specific information stealers have surfaced in crimeware forums, exploiting the prevalence of Apple systems in various organizations.
“While Mac malware is a reality, it often goes undetected compared to Windows malware,” noted Segura, adding that the AMOS developer emphasized its toolkit’s ability to evade detection.
Atomic Stealer is not the sole malware distributed through malvertising and SEO poisoning campaigns; there’s evidence of DarkGate (also known as MehCrypter) leveraging the same delivery method.
Indicators of Compromise