New Atomic macOS Stealer Malware On Sale to Cybercriminals

A new macOS stealer malware is being sold to cybercriminals via the messaging service Telegram for the steep price of $1000. The malware is a 64-bit Go-based program designed to target macOS systems specifically. Its main purpose is to steal sensitive information, such as keychain passwords, local file system files, passwords, cookies, and credit card data stored within browsers.

Cyble, a threat intelligence firm, has examined a sample of the AMOS malware recently uploaded to VirusTotal. The malware went completely under the radar until its discovery. As per Cyble's analysis, the malware can extract all passwords from the macOS Keychain, the built-in password manager on macOS devices that stores sensitive data such as WiFi passwords, website logins, and credit card details. The malware can also access complete system information and files from the affected computer.

As reported by SecurityWeek, the malware is purportedly capable of stealing passwords, cookies, cryptocurrency wallets, and payment card data from several browsers, including Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, and Opera. The malware also targets and can steal a variety of crypto wallets, including Electrum, Binance, Exodus, Atomic, and Coinomi.

As part of the $1000 fee, cybercriminals are offered an inclusive package of malicious products, including a web panel for simplified victim management, a DMG installer, a cryptocurrency checker, and a MetaMusk brute-forcer. There’s also the ability to retrieve logs of stolen data via Telegram, along with notifications.

When the malware is executed, it displays a counterfeit password prompt to trick the user into entering the system password, granting the attacker elevated privileges on the victim's machine. The malware also allows threat actors the ability to steal files from the victim's 'Desktop' and 'Documents' directories. However, since the malware must request permission to access these files, it runs the risk of the victim identifying the malicious activity.

Another researcher from Trellix examined the AMOS malware and observed that an IP address used by the malware is connected to Raccoon Stealer, another form of malware previously associated with threat actors based in Russia and Ukraine.