A new information-stealing malware targeting macOS devices, called "Atomic" (also known as "AMOS"), is currently being actively distributed through private Telegram channels for a $1,000 per month subscription.
For this money, buyers receive a "Setup.dmg" file containing 64-bit Go-based malware designed to steal iCloud Keychain passwords, files from the local file system, other passwords, cookies, and bank card data stored in browsers.
The malware also supports over 50 different cryptocurrency management browser extensions, which have recently become a popular target for cybercriminals.
Cybercriminals who pay for a malware subscription also receive a ready-made web panel for convenient victim management, the ability to upload stolen data to Telegram, and much more.
The Atomic malware was discovered just recently by one of Trellix's researchers, as well as by Cyble's research team. The latest version of the malware dates back to April 25 of this year, which makes it clear that Atomic is an actively developing project.
Infostealer buyers are free to set up their own distribution channels, including, for example, phishing emails, malicious ads, social media posts, instant messaging, black hat SEO, malicious torrents, etc.
Atomic Stealer has an extensive set of data theft features, providing its operators with advanced capabilities to penetrate deeper into the target system.
When the malicious "Setup.dmg" file is executed, the malware displays a fake macOS system password request window that looks like a real one. This is how the attackers obtain the password they need, which allows the malware to elevate its privileges on the compromised computer.
After an initial compromise, the malware attempts to extract the password for iCloud Keychain, the built-in macOS password manager that contains Wi-Fi passwords, website logins, bank card details, and other encrypted information.
Atomic then proceeds to extract the following information:
- Desktop cryptocurrency wallets: Electrum, Binance, Exodus, Atomic.
- Crypto Wallet Browser Extensions: Over 50 extensions are supported in total, including popular ones such as Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, Coinbase, Guarda, TronLink, Trezor Password Manager, Metamask, Yoroi, and BinanceChain.
- Web browser data: autofill, passwords, cookies and bank cards from Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera and Vivaldi.
- System information: device model name, hardware UUID, RAM size, processor specifications, serial number, and others.
Atomic also gives its operators the ability to steal files directly from the Desktop and Documents directories. However, the malware first requests permission to access these files, which gives victims the opportunity to notice the malicious activity and take action to eliminate it.
After stealing user data, the malware packs all the information into a ZIP archive and then sends it to the attackers' C2 server, which Cyble says is located at "amos-malware.ru/sendlog". All the stolen information is then sent from the infostealer creators' C2 server to the operator's closed Telegram channel.
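As an added defensive example (not code from the article, and not anything taken from the malware itself), the following Python flags proxy-log lines that match the exfiltration pattern described above: a ZIP archive POSTed to the reported C2 path amos-malware.ru/sendlog, plus a lower-confidence heuristic for ZIP uploads to unexpected hosts. The log format, the sample lines and the backup.example.com allow-list are constructed assumptions.

```python
# Added example (not the article's or the malware's code): flag proxy-log lines that match
# the exfiltration pattern described above, a ZIP archive POSTed to amos-malware.ru/sendlog.
import re
from typing import Dict, List, Optional

KNOWN_C2_HOSTS = {"amos-malware.ru"}          # the one C2 host the article reports (via Cyble)
ALLOWED_UPLOAD_HOSTS = {"backup.example.com"}  # assumed: hosts that legitimately receive ZIPs

# Assumed log format: <timestamp> <client-ip> <method> <url> <content-type> <bytes>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
                     r"(?P<ctype>\S+) (?P<size>\d+)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#]*)?")


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return an alert dict for a suspicious line, None for benign or unparsable input."""
    m = LINE_RE.match(line)
    u = URL_RE.match(m["url"]) if m else None
    if not u:
        return None
    host = u["host"].lower()
    alert = {"client": m["client"], "host": host, "path": u["path"] or "/", "bytes": m["size"]}
    # Highest confidence: any traffic at all to the reported C2 host.
    if host in KNOWN_C2_HOSTS:
        return {**alert, "verdict": "known_c2"}
    # Lower confidence: a ZIP archive POSTed to a host not expected to receive one.
    if m["method"] == "POST" and "zip" in m["ctype"].lower() and host not in ALLOWED_UPLOAD_HOSTS:
        return {**alert, "verdict": "zip_upload_unknown_host"}
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a log and return only the alerts, in order."""
    return [a for a in map(classify, lines) if a]


# Constructed sample log: benign fetch, the C2 upload, a sanctioned backup, a stray ZIP POST, junk.
SAMPLE_LOG = [
    "2023-04-26T10:01:02Z 10.0.0.5 GET https://www.apple.com/ text/html 5120",
    "2023-04-26T10:01:09Z 10.0.0.5 POST http://amos-malware.ru/sendlog application/zip 184320",
    "2023-04-26T10:02:14Z 10.0.0.7 POST https://backup.example.com/api/put application/zip 90210",
    "2023-04-26T10:03:31Z 10.0.0.9 POST https://files.example.net/upload application/x-zip-compressed 40960",
    "not a log line",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The second verdict is only a heuristic and will need tuning per environment; the first is an exact match on the indicator the article reports.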
The Trellix researcher also noted a particularly interesting detail: the IP address associated with the Atomic C2 server, as well as its assembly name, is also used by the Raccoon Stealer malware, potentially linking the two malicious campaigns.
Although macOS is still a secondary target for hackers, as it accounts for only about 15% of the desktop operating system market (whereas Windows accounts for about 75%), researchers are recording more and more attacks on Apple devices.