New macOS Atomic Malware Steals Keychain and Crypto Wallet Passwords
A threat actor is advertising a new information stealer for the Apple macOS operating system, called Atomic macOS Stealer (or AMOS), on Telegram for $1,000 per month, joining the likes of MacStealer.
“The Atomic macOS Stealer can steal various types of information from victim machines, including Keychain passwords, full system information, files from desktop and document folders, and even macOS passwords,” Cyble researchers said in technical reports.
Its other features include the ability to extract data from web browsers and cryptocurrency wallets such as Atomic, Binance, Coinomi, Electrum, and Exodus. Threat actors who purchase the stealer from its developers are also provided with a ready-made web panel for managing victims.
The malware takes the form of an unsigned disk image file (Setup.dmg) which, when executed, prompts the victim to enter their system password in a bogus request to escalate privileges and carry out its malicious activity — a technique also adopted by MacStealer.
The initial intrusion vector used to deliver the malware was not immediately clear, although it is possible that users were manipulated into downloading and running it under the guise of legitimate software.
An Atomic Stealer artifact uploaded to VirusTotal on April 24, 2023, also bears the name “Notion-7.0.6.dmg”, indicating that it is being distributed under the guise of the popular note-taking application. Other samples unearthed by MalwareHunterTeam were distributed as “Photoshop CC 2023.dmg” and “Tor Browser.dmg.”
“Malware such as Atomic macOS Stealer can be installed by exploiting vulnerabilities or hosting on phishing websites,” said Cyble.
Atomic then proceeds to harvest system metadata, files, the iCloud Keychain, and information stored in web browsers (e.g., passwords, autofill data, cookies, credit card data) and crypto wallet extensions, all of which is compressed into a ZIP archive and sent to a remote server. The ZIP file of the collected information is then forwarded to a pre-configured Telegram channel.
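As an added illustration (not from the Cyble report or this article), the behavioural chain described above can be turned into a simple detection over endpoint telemetry: a process that runs from a mounted disk image, reads credential stores, writes a ZIP archive and then connects to the Telegram Bot API host. The JSON-lines event format, its field names and the sample events below are constructed assumptions, not real AMOS logs.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry in a hypothetical JSON-lines format (not real AMOS logs).
SAMPLE_EVENTS = """
{"pid": 501, "image": "/Volumes/Setup/Setup.app/Contents/MacOS/Setup", "event": "file_read", "path": "/Users/alice/Library/Keychains/login.keychain-db"}
{"pid": 501, "image": "/Volumes/Setup/Setup.app/Contents/MacOS/Setup", "event": "file_read", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"}
{"pid": 501, "image": "/Volumes/Setup/Setup.app/Contents/MacOS/Setup", "event": "file_create", "path": "/tmp/out.zip"}
{"pid": 501, "image": "/Volumes/Setup/Setup.app/Contents/MacOS/Setup", "event": "net_connect", "host": "api.telegram.org"}
{"pid": 777, "image": "/Applications/Notion.app/Contents/MacOS/Notion", "event": "file_read", "path": "/Users/alice/Documents/notes.md"}
{"pid": 777, "image": "/Applications/Notion.app/Contents/MacOS/Notion", "event": "net_connect", "host": "www.notion.so"}
{"pid": 902, "image": "/usr/bin/zip", "event": "file_create", "path": "/Users/alice/backup.zip"}
"""

# Keychain database directory plus Chromium-style browser credential/cookie stores.
CREDENTIAL_STORES = re.compile(r"/Library/Keychains/|/Login Data$|/Cookies$")
TELEGRAM_API = "api.telegram.org"  # Telegram Bot API host used for channel delivery


def classify(event):
    """Return the set of stealer-like stages a single event matches (may be empty)."""
    hits = set()
    if event["image"].startswith("/Volumes/"):      # binary executing from a mounted DMG
        hits.add("runs_from_mounted_dmg")
    if event["event"] == "file_read" and CREDENTIAL_STORES.search(event["path"]):
        hits.add("credential_store_read")
    if event["event"] == "file_create" and event["path"].lower().endswith(".zip"):
        hits.add("archive_created")
    if event["event"] == "net_connect" and event["host"] == TELEGRAM_API:
        hits.add("telegram_exfil")
    return hits


def stages_by_pid(jsonl):
    """Accumulate matched stages per process id across all events."""
    stages = defaultdict(set)
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        stages[ev["pid"]] |= classify(ev)
    return stages


def flag_stealer_like(jsonl, min_stages=3):
    """Return {pid: sorted stages} for processes that hit at least min_stages stages.
    Requiring several stages keeps a lone ZIP creation (e.g. a user backup) from alerting."""
    return {pid: sorted(s) for pid, s in stages_by_pid(jsonl).items() if len(s) >= min_stages}
```

On the constructed sample, only pid 501 is flagged; the legitimate Notion process and the user's backup ZIP are not.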
The development is another sign that macOS is increasingly becoming a lucrative target beyond nation-state hacking groups for distributing stealer malware, so it’s critical that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received in email or SMS messages.