2023-05-01

Cybercriminals have advertised on Telegram a new information-stealing malware for Apple's macOS called Atomic macOS Stealer (or AMOS), sold for $1,000 a month, joining MacStealer among recent macOS stealers.

Atomic macOS Stealer: what we know

“Atomic macOS Stealer can steal various types of information from the victim’s machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password,” Cyble researchers said in a technical report.

Other features include its ability to harvest data from web browsers and from cryptocurrency wallets such as Atomic, Binance, Coinomi, Electrum, and Exodus. The criminals who buy the stealer from its developers also receive a ready-to-use web panel to manage their victims.

The malware takes the form of an unsigned disk image file (Setup.dmg) which, when run, prompts the victim for their system password through a fake privilege-elevation request so that it can carry out its malicious activity, a technique also used by MacStealer.

The initial infection vector used to distribute the malware is currently unclear, although users are most likely tricked in some way (plausible-looking but bogus emails, sites that appear trustworthy, etc.) into downloading and running it under the guise of legitimate software.

The Atomic sample that steals information from cryptocurrency wallets (and more), submitted to VirusTotal on April 24, 2023, also goes by the name “Notion-7.0.6.dmg”, suggesting that it is being spread as the popular note-taking app. Other samples discovered by MalwareHunterTeam were distributed as “Photoshop CC 2023.dmg” and “Tor Browser.dmg”.

“Malware like Atomic macOS Stealer could be installed by exploiting vulnerabilities or hosted on phishing sites,” Cyble noted.

Atomic then collects system metadata, files, the iCloud Keychain, information stored in web browsers (e.g., passwords, autofill data, cookies, credit card information) and data from cryptocurrency wallet extensions, compresses everything into a ZIP archive and sends it to a remote server; the compiled ZIP file is then forwarded to pre-configured Telegram channels.
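As an added illustration (not code from the article or from Cyble), here is a small Python detection routine that correlates the behaviour just described over constructed endpoint events: an unsigned binary launched from a mounted disk image, reads of the login Keychain and browser credential stores, creation of a ZIP archive, and an outbound connection to Telegram. The event format, the paths and the use of api.telegram.org (Telegram's Bot API host) as the upload endpoint are assumptions for the example; the article only says the data goes to Telegram channels.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, not real AMOS logs: "<pid> <action> <target>".
SAMPLE_EVENTS = [
    "4101 exec /Volumes/Setup/Setup.app/Contents/MacOS/Setup unsigned",
    "4101 open /Users/alice/Library/Keychains/login.keychain-db",
    "4101 open /Users/alice/Library/Application Support/Google/Chrome/Default/Login Data",
    "4101 open /Users/alice/Library/Application Support/Google/Chrome/Default/Cookies",
    "4101 write /private/tmp/collected.zip",
    "4101 connect api.telegram.org:443",          # assumed exfil endpoint
    "2200 exec /Applications/Notion.app/Contents/MacOS/Notion signed",
    "2200 open /Users/alice/Library/Application Support/Notion/cache.db",
    "2200 connect www.notion.so:443",
]

# Files a stealer reads but a normal app has no business touching.
SENSITIVE = [
    re.compile(r"/Library/Keychains/"),                                   # login Keychain DB
    re.compile(r"/Library/Application Support/.*/(Login Data|Cookies|Web Data)$"),  # Chromium stores
    re.compile(r"/Library/Application Support/(Exodus|atomic|Electrum|Coinomi|Binance)/", re.I),  # wallet dirs (illustrative)
]

def verdict(st):
    # Full chain: several secret stores read, archived, then pushed to Telegram.
    if len(st["sensitive"]) >= 2 and st["archive"] and st["exfil"]:
        return "stealer-like"
    # Weaker signal: unsigned code from a DMG reading any secret store.
    if st["unsigned_dmg"] and st["sensitive"]:
        return "suspicious"
    return "benign"

def assess(events):
    """Group events by pid and return {pid: verdict}."""
    per = defaultdict(lambda: {"unsigned_dmg": False, "sensitive": set(),
                               "archive": False, "exfil": False})
    for line in events:
        pid, action, rest = line.split(" ", 2)
        st = per[pid]
        if action == "exec":
            path, sig = rest.rsplit(" ", 1)
            st["unsigned_dmg"] = path.startswith("/Volumes/") and sig == "unsigned"
        elif action == "open" and any(p.search(rest) for p in SENSITIVE):
            st["sensitive"].add(rest)
        elif action == "write" and rest.endswith(".zip"):
            st["archive"] = True
        elif action == "connect" and rest.startswith("api.telegram.org:"):
            st["exfil"] = True
    return {pid: verdict(st) for pid, st in per.items()}
```

Running `assess(SAMPLE_EVENTS)` flags the process launched from the disk image and leaves the signed Notion process alone; in practice the same correlation would be fed from an EDR or Endpoint Security framework event stream rather than hand-written lines.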

How to defend yourself against malware like Atomic macOS Stealer and similar threats

This story is yet another sign that macOS is increasingly becoming a lucrative target for hacking groups around the world distributing information-stealing malware, making it imperative that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and avoid opening suspicious links received via email or SMS.

Remember that anti-malware programs like Malwarebytes are also available for macOS.

When a myth falls: the “impenetrable” Mac

Over the years many users have recommended the Mac as an alternative to Windows because it is “safer”, yet, as with operating systems based on the Linux kernel, attacks are becoming more and more frequent.

It is curious to note that some people who distrust Windows “clog up” their computer with antivirus software, dubious programs that promise performance boosts and other crap; unfortunately, when these same people switch to macOS, convinced they are safe (“eh, I have a Mac anyway”), they end up accidentally downloading threats like these anyway.

Remember that the operating system can be more or less secure, but the first antivirus is you.