Jump to content
  • New Atomic macOS info-stealing malware targets 50 crypto wallets

    alf9872000

    • 529 views
    • 4 minutes
     Share


    • 529 views
    • 4 minutes

    A new macOS information-stealing malware named 'Atomic' (aka 'AMOS') is being sold to cybercriminals via private Telegram channels for a subscription of $1,000 per month.

     

    For this hefty price, buyers get a DMG file containing a 64-bit Go-based malware designed to target macOS systems and steal keychain passwords, files from the local filesystem, passwords, cookies, and credit cards stored in browsers.

     

    The malware also attempts to steal data from over 50 cryptocurrency extensions, which have become a popular target for information-stealing malware.

     

    For the price, cybercriminals also get a ready-to-use web panel for easy victim management, a MetaMask brute-forcer, a cryptocurrency checker, a dmg installer, and the ability to receive stolen logs on Telegram.

     

    panel.png

    Atomic's web panel (Cyble)

     

    The malware was recently spotted by a Trellix researcher and researchers at Cyble labs, who analyzed a sample of 'Atomic' and reported that the author released a new version on April 25, 2023, so this is an actively developed project.

     

    telegram.png

    Latest version of the malware promoted on Telegram (Cyble)

     

    At the time of writing, the malicious dmg file goes largely undetected on VirusTotal, where only one out of 59 AV engines flag it as malicious.

     

    As for its distribution, buyers are responsible for setting up their own channels, which may include phishing emails, malvertizing, social media posts, instant messages, black SEO, laced torrents, and more.

    Atomic features

    The Atomic Stealer boasts a comprehensive array of data-theft features, providing its operators with enhanced opportunities for penetrating deeper into the target system.

     

    Upon executing the malicious dmg file, the malware displays a fake password prompt to obtain the system password, allowing the attacker to gain elevated privileges on the victim's machine.

     

    system-pass.png

    Stealing the system password (Cyble)

     

    This is a requirement for accessing sensitive information, but a future update might also leverage it for changing system settings or installing additional payloads.

     

    After this first compromise, the malware attempts to extract the Keychain password, macOS' built-in password manager that holds WiFi passwords, website logins, credit card data, and other encrypted information.

     

    keychain.png

    Extracting the Keychain password (Cyble)

     

    Having done the above, Atomic proceeds to extract information from software that runs on the breached macOS machine, including the following:

     

    • Desktop cryptocurrency wallets: Electrum, Binance, Exodus, Atomic
    • Cryptocurrency wallet extensions: 50 extensions are targeted in total, including Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, Coinbase, Guarda, TronLink, Trezor Password Manager, Metamask, Yoroi, and BinanceChain.
    • Web browser data: auto-fills, passwords, cookies, and credit cards from Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, and Vivaldi.
    • System information: Model name, hardware UUID, RAM size, core count, serial number, and others.

     

    Atomic also gives operators the capability to steal files directly from the victim's 'Desktop' and 'Documents' directories.

     

    However, the malware must request permission to access these files, which creates an opportunity for victims to realize the malicious activity.

     

    permission.png

    Atomic requests permission to access files (Cyble)

     

    When stealing data, the malware will pack it all into a ZIP file and then send it to the threat actor's command and control server, which Cyble says is located at "amos-malware[.]ru/sendlog."

     

    Of particular interest, the Trellix security researcher noted that the IP address associated with the Atmos command and control server and its build name are also used by the Raccoon Stealer, potentially linking the two operations.

     

    exfil.png

    Exfiltrating the stolen data (Cyble)

     

    From there, selected information and the ZIP archive are also sent to the operator's private Telegram channel.

     

    Although macOS isn't at the epicenter of malicious info-stealer activity, like Windows, it is increasingly being targeted by threat actors of all skill levels.

     

    A North Korean APT group recently deployed a novel macOS info-stealer in the 3CX supply chain attack, illustrating that Macs are now a target for even state-sponsored hacking groups.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...