ATOMIC Stealer (also known as Atomic macOS Stealer, or AMOS) is malware for macOS. It steals sensitive information: keychain passwords, system information, files from the Desktop and Documents folders, and even the macOS user password. It also targets multiple browsers to steal autofill data, saved passwords, cookies, wallet extensions and credit card details, and it can compromise cryptocurrency wallets including Electrum, Binance, Exodus, Atomic and Coinomi. It is sold on Telegram forums, and its developers update it continuously to evade detection and add capabilities.
ATOMIC Stealer is a threat to macOS users, designed to infect Apple's OS and extract personal and financial data. It is part of a growing trend of cybercriminals targeting macOS, a platform once thought to be less exposed to malware. The malware is sold as a service for a subscription fee, bundled with additional tooling: a web panel to manage victims, a MetaMask brute-forcing component to recover seed phrases and private keys, and a DMG installer.
Distribution
ATOMIC Stealer is distributed through social engineering, fake browser update prompts and malicious ads. Users may encounter these prompts while browsing and download the malware believing it is a legitimate software update. Once installed, ATOMIC Stealer starts immediately, collecting sensitive information and sending it to a remote server controlled by the attackers.
Evasion
The malware uses advanced techniques to evade the security features built into macOS. It uses stolen code from Apple's XProtect antivirus system to stay undetected for long periods. Such evasion makes its presence hard to spot even for experienced IT professionals, so the damage is often done before it is detected and removed.
There are no known variants of ATOMIC Stealer, but the malware is regularly updated to support new macOS versions and to improve evasion. These updates are part of the service offered to subscribers, so that the malware remains effective against Apple's latest security patches.
Mitigation
- Deploy macOS-specific endpoint security solutions to detect and prevent malware infections.
- Educate users about phishing and malicious ads to reduce the chance of accidental malware installation.
- Check network traffic for signs of data exfiltration.
- Keep macOS and applications up to date.
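The third item above, checking network traffic for exfiltration, is the one a detection engineer can put into code. A stealer of this kind gathers keychain data, browser databases and wallet files and then uploads the bundle to its server in a short burst, so a useful heuristic is "multi-megabyte POST traffic from a workstation to a destination that is not an approved upload host, within a few minutes, especially from a scripting or fetching process". The script below is an added example, not code from the page or from any vendor; the log format, the host names, the process names, the 203.0.113.7 address and the byte counts are all constructed for the illustration, and the allowlist, threshold and window are assumptions to be tuned to your own environment.

```python
"""Burst-upload heuristic over outbound HTTP records from macOS workstations.

Added illustration of the "check for data exfiltration" mitigation. The log
format and all values in SAMPLE_LOG are constructed; they are not indicators.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, one line per outbound request as an egress proxy might
# record it: timestamp, source host, originating process, destination,
# HTTP method, bytes sent in the request body.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z mac-design-01 Safari update.apple.example GET 512
2024-05-01T09:00:05Z mac-design-01 Safari www.example.org GET 1024
2024-05-01T09:02:10Z mac-design-01 osascript 203.0.113.7 POST 4200000
2024-05-01T09:02:14Z mac-design-01 osascript 203.0.113.7 POST 1800000
2024-05-01T09:03:00Z mac-dev-02 Slack slack.example GET 2048
2024-05-01T10:15:30Z mac-dev-02 git github.example POST 9000000
"""

# Assumed allowlist: destinations where bulk uploads are expected (git pushes,
# chat attachments, OS updates). Everything else is "unlisted".
ALLOWED_UPLOAD_HOSTS = {"github.example", "slack.example", "update.apple.example"}
# Interpreters and fetchers that rarely originate multi-megabyte uploads on a
# workstation; a burst from one of these is escalated to high severity.
SCRIPT_PROCESSES = {"osascript", "curl", "python3", "sh", "bash", "zsh"}
BYTES_THRESHOLD = 5_000_000      # assumed: 5 MB of POST data to one destination
WINDOW = timedelta(minutes=5)    # assumed: ...within five minutes counts as a burst


@dataclass
class Record:
    ts: datetime
    host: str
    process: str
    dst: str
    method: str
    bytes_out: int


def parse_log(text):
    """Parse the space-separated constructed format into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dst, method, nbytes = line.split()
        records.append(Record(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                              host, proc, dst, method, int(nbytes)))
    return records


def find_exfil_bursts(records, allowlist=ALLOWED_UPLOAD_HOSTS,
                      threshold=BYTES_THRESHOLD, window=WINDOW):
    """Return one alert per (host, process, destination) whose POST bytes to an
    unlisted destination reach `threshold` inside any `window`-long interval."""
    by_key = defaultdict(list)
    for r in records:
        if r.method == "POST" and r.dst not in allowlist:
            by_key[(r.host, r.process, r.dst)].append(r)

    alerts = []
    for (host, proc, dst), recs in by_key.items():
        recs.sort(key=lambda r: r.ts)
        start, total = 0, 0
        for end, r in enumerate(recs):
            total += r.bytes_out
            # Slide the window forward: drop records older than `window`.
            while recs[end].ts - recs[start].ts > window:
                total -= recs[start].bytes_out
                start += 1
            if total >= threshold:
                alerts.append({
                    "host": host, "process": proc, "dst": dst, "bytes": total,
                    "severity": "high" if proc in SCRIPT_PROCESSES else "medium",
                    "first_seen": recs[start].ts.isoformat(),
                })
                break  # one alert per key is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_bursts(parse_log(SAMPLE_LOG)):
        print(f"[{alert['severity']}] {alert['host']} {alert['process']} -> "
              f"{alert['dst']}: {alert['bytes']} bytes from {alert['first_seen']}")
```

On the constructed sample only the two osascript POSTs from mac-design-01 are flagged: individually each is under the 5 MB threshold, but together they reach 6 MB within four seconds to an address outside the allowlist, which is exactly the burst shape a stealer's upload produces. The 9 MB push from git is ignored because its destination is allowlisted, showing why the allowlist matters more than the raw byte count for keeping false positives down.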
Targets
ATOMIC Stealer targets macOS users in the technology, design and cryptocurrency sectors. Users in these sectors are at greater risk because they handle valuable data, which makes them a lucrative target for cybercriminals seeking to profit from data theft and exploitation.
Threat actors
The malware is associated with small-scale cybercriminal groups that target macOS environments. These actors are drawn to the growing market share of macOS and to the financial gains from stealing sensitive information, especially from cryptocurrency wallets. The anonymity provided by platforms like Telegram makes it easy to distribute and sell such malware.