AMOS macOS Thief Targets System and Browser Data Files

Bitdefender’s cybersecurity experts have recently identified a new variant of the Atomic Stealer malware, also known as AMOS, which has been linked to Russian threat actors. This discovery reaffirms the malware’s origins and highlights the ongoing risks associated with cyber threats emanating from this region.

Overview of the New Atomic Stealer Variant

The latest iteration of Atomic Stealer showcases significant advancements in its design, making it more potent and harder to detect. This variant employs sophisticated techniques to infiltrate macOS systems, leveraging encrypted strings to evade detection mechanisms effectively.

Emerging Threat: AMOS Stealer Variant Compromises macOS Systems

Cybersecurity researchers have identified a new variant of the AMOS (Atomic) Stealer, a sophisticated malware targeting macOS users. This variant exhibits advanced capabilities to exfiltrate sensitive system and browser data files, posing a significant threat to user privacy and security.

The investigation into this new variant has confirmed the address of the Command and Control (C2) server, further solidifying the connection to its Russian origins. This critical piece of information underscores the importance of monitoring and blocking known malicious infrastructure to mitigate the impact of such threats.

Intrusive Tactics: Stealing Browser Cookies and System Information

The AMOS Stealer variant is designed to collect a wide array of data, including Safari browser cookies, system information, and files with specific extensions from designated locations. By gathering hardware-related details and operating system versions, the malware aims to acquire passwords, encryption keys, and certificates, with a particular interest in cryptocurrency platforms.

Advanced Malware Techniques: Python and AppleScript Code

This variant of AMOS Stealer combines Python with AppleScript, executing a large block of AppleScript through the osascript -e command. The malware is capable of stealing keychain passwords, user documents, system information, cookies, browser data, credit card information, and cryptocurrency wallets. The use of Python scripts for both detection evasion and data collection has been observed, highlighting the malware’s sophistication.
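The combination described above (a Python interpreter driving a large inline AppleScript block through osascript -e) is something a defender can look for in process-start telemetry. The following detection heuristic is an added example for this article, not Bitdefender's tooling and not derived from the AMOS sample. The process events are constructed records shaped like what an EDR or unified-log export would provide (pid, parent image, argv list); the scoring weights, the inline-length threshold and the keyword list are assumptions chosen for illustration and should be tuned against your own baseline.

```python
"""Heuristic detection of suspicious inline osascript use on macOS.

Added example; not code from Bitdefender or from the AMOS sample. Events are
constructed process-start records (pid, parent image path, argv). Weights,
threshold and keywords below are assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    parent_image: str   # full path of the parent process image
    argv: list[str]     # argument vector of the new process


# Assumed heuristics (not from the article): what makes an inline AppleScript
# look like a data-collection payload rather than ordinary automation.
INLINE_LEN_THRESHOLD = 100                 # "large block" of script passed via -e
SENSITIVE_KEYWORDS = ("keychain", "cookies", "wallet", "documents")
PYTHON_PARENT_MARKERS = ("python",)        # interpreter driving osascript
ALERT_THRESHOLD = 3                        # minimum score that raises an alert


def inline_scripts(argv: list[str]) -> list[str]:
    """Return every script body passed to osascript via a -e flag."""
    return [argv[i + 1] for i, arg in enumerate(argv[:-1]) if arg == "-e"]


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Score one process-start event; higher means more suspicious."""
    if not ev.argv or ev.argv[0].rsplit("/", 1)[-1] != "osascript":
        return 0, []
    bodies = inline_scripts(ev.argv)
    if not bodies:
        return 0, []   # script file on disk rather than inline: out of scope here
    script = "\n".join(bodies)
    score, reasons = 0, []

    parent = ev.parent_image.rsplit("/", 1)[-1].lower()
    if any(marker in parent for marker in PYTHON_PARENT_MARKERS):
        score += 2
        reasons.append(f"spawned by interpreter {parent}")
    if len(script) > INLINE_LEN_THRESHOLD:
        score += 1
        reasons.append(f"inline script of {len(script)} chars")
    hits = sorted({k for k in SENSITIVE_KEYWORDS if k in script.lower()})
    if hits:
        score += 2
        reasons.append("references " + ", ".join(hits))
    return score, reasons


def find_suspicious(events: list[ProcEvent]) -> list[dict]:
    """Return an alert record for every event at or above ALERT_THRESHOLD."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"pid": ev.pid, "score": score, "reasons": reasons})
    return alerts


# Constructed inline script (inert: it only logs path names) standing in for
# the kind of block the article describes.
_LONG_INLINE = (
    'set targetPaths to {"~/Library/Cookies", "~/Library/Keychains", '
    '"~/Documents", "~/.wallet"}\n'
    'repeat with p in targetPaths\n'
    '  log "collecting " & p\n'
    'end repeat'
)

# Constructed sample telemetry: one benign script file, one suspicious inline
# block from a Python parent, one benign inline notification from a shell, and
# one short inline script from a Python parent (interpreter alone is not enough).
SAMPLE_EVENTS = [
    ProcEvent(501, "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",
              ["osascript", "/Users/alice/Library/Scripts/backup.scpt"]),
    ProcEvent(742, "/usr/bin/python3", ["osascript", "-e", _LONG_INLINE]),
    ProcEvent(903, "/bin/zsh", ["osascript", "-e", 'display notification "Build finished"']),
    ProcEvent(1107, "/usr/bin/python3", ["osascript", "-e", 'tell application "Finder" to activate']),
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert)
```

Only pid 742 crosses the threshold: the Python parent alone (pid 1107) scores 2 and stays below it, which keeps developer automation from paging an analyst while a long inline script that names cookie, keychain, document or wallet locations does.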

To protect against the Atomic Stealer malware and similar threats, users and organizations are advised to adopt robust cybersecurity measures. These include installing updates and patches promptly, using reputable antivirus solutions, and exercising caution when downloading software or opening email attachments. Awareness and education on the latest cyber threats are also crucial in enhancing overall security posture.

Distribution and Evasion: Malicious DMG Files and Obfuscation

The AMOS Stealer spreads through disk image files that are surprisingly small and contain a fat (universal) binary with Mach-O slices for both Intel and ARM architectures. This binary acts as a dropper for the Python script. The malware employs obfuscation techniques, such as XOR encoding, to prevent detection of strings known to be associated with the stealer.
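Two things an analyst triaging such a disk image will want to do are enumerate the architecture slices of the fat binary and recover the XOR-encoded strings. The helpers below are an added example, not Bitdefender's tooling and not derived from the AMOS sample. The fat binary is constructed by build_sample_fat() from Apple's documented fat_header and fat_arch layout (big-endian, as in <mach-o/fat.h>); the encoded string table and its key are likewise constructed, and the expected token used to identify the key is an assumption.

```python
"""Triage helpers for a fat Mach-O dropper with XOR-encoded strings.

Added example; not Bitdefender's code and not from the AMOS sample. All input
data below is constructed in this file.
"""
from __future__ import annotations

import struct

FAT_MAGIC = 0xCAFEBABE        # fat_header magic, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O magic, stored in target byte order
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def parse_fat(data: bytes) -> list[dict]:
    """Return one record per architecture slice in a fat (universal) binary."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    slices = []
    for i in range(nfat):
        # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        cputype, cpusubtype, offset, size, align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        slice_magic = struct.unpack_from("<I", data, offset)[0]   # x86_64/arm64 are little-endian
        slices.append({
            "arch": CPU_NAMES.get(cputype, hex(cputype)),
            "cpusubtype": cpusubtype,
            "offset": offset,
            "size": size,
            "align": 1 << align,
            "is_macho64": slice_magic == MH_MAGIC_64,
        })
    return slices


def build_sample_fat() -> bytes:
    """Constructed two-slice fat binary (x86_64 + arm64 stubs, not real code)."""
    stub = struct.pack("<I", MH_MAGIC_64) + b"\x00" * 28   # 32-byte stand-in slice
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">iiIII", CPU_TYPE_X86_64, 3, 64, 32, 5)   # subtype ALL, 2^5 align
    header += struct.pack(">iiIII", CPU_TYPE_ARM64, 0, 96, 32, 5)
    return header.ljust(64, b"\x00") + stub + stub


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Single-byte XOR, which is its own inverse."""
    return bytes(b ^ key for b in buf)


def recover_xor_strings(blob: bytes, expected_tokens: list[bytes], min_len: int = 6):
    """Brute-force a single-byte XOR key by requiring known plaintext tokens.

    Returns (key, strings) where strings are the NUL-separated printable ASCII
    runs of the decoded table, or (None, []) if no key yields every token.
    """
    for key in range(1, 256):
        plain = xor_bytes(blob, key)
        if all(tok in plain for tok in expected_tokens):
            strings = [
                s.decode("ascii")
                for s in plain.split(b"\x00")
                if len(s) >= min_len and all(32 <= c < 127 for c in s)
            ]
            return key, strings
    return None, []


# Constructed string table and key standing in for an obfuscated sample's data.
SAMPLE_PLAIN = b"Library/Cookies\x00Library/Keychains\x00ProductVersion\x00"
SAMPLE_KEY = 0x5A
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    for s in parse_fat(build_sample_fat()):
        print(s)
    print(recover_xor_strings(SAMPLE_ENCODED, [b"Library/"]))
```

Enumerating the slices tells you which architecture the dropper was built for (both, here), and the bounds check guards against a truncated or hostile header. The key search relies on the analyst already knowing at least one string the stealer must contain, such as a path fragment; with a multi-byte key the same idea applies per key position.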

Security solutions have identified the new variant of Atomic Stealer using specific detection names, including Gen:Variant.Trojan.MAC.Dropper.5 and Trojan.MAC.Dropper. These classifications help in the timely identification and removal of the malware from affected systems, thereby reducing the potential damage.

Link to RustDoor Backdoor: A Convergence of Malware Families

Analysis of the AMOS Stealer’s code revealed significant similarities with the RustDoor backdoor, suggesting a convergence of tactics among different malware families. Both malware types focus on collecting sensitive files from the victim’s computer, with the AMOS Stealer being a more developed version capable of additional data theft.

The Atomic Stealer malware poses significant risks to macOS users by targeting sensitive information such as passwords, cryptocurrency wallets, and browser data. Its ability to stealthily exfiltrate this data to remote servers controlled by cybercriminals can lead to privacy breaches, financial losses, and identity theft. The malware’s focus on macOS devices highlights the growing threat landscape for Apple users, traditionally considered less vulnerable to malware attacks.

Protective Measures: Recommendations for macOS Users

Given the stealthy nature and potential damage caused by the AMOS Stealer, macOS users must stay vigilant. Apple’s built-in protections, such as XProtect and the Malware Removal Tool (MRT), offer some defense against known malware. However, users must also adopt safe browsing habits, be cautious of unsolicited software updates, and consider additional cybersecurity measures.

The discovery of the new AMOS Stealer variant underscores the ongoing malware threat to macOS users. By employing sophisticated techniques to steal a wide range of sensitive information, this malware poses a significant risk to personal and organizational security. Awareness and proactive cybersecurity practices are essential in combating this and similar threats.

The emergence of a new variant of Atomic Stealer underscores the evolving nature of cyber threats and the need for continuous vigilance in the cybersecurity community. By staying informed about the latest developments and implementing effective security measures, users can significantly reduce their vulnerability to such malicious activities. Bitdefender remains committed to detecting and analyzing new threats, providing timely updates to protect users and organizations worldwide.
