
Atomic info-stealer: Attention! New macOS malware

A new information-stealing malware for macOS, called 'Atomic' (also known as 'AMOS'), is being sold to cybercriminals through private Telegram channels for $1,000 per month.


Buyers receive a DMG file containing a 64-bit, Go-based binary built to attack macOS systems and steal Keychain passwords, files from the local file system, and the passwords, cookies and credit card data saved in web browsers. Atomic also steals data from more than 50 cryptocurrency browser extensions.

In addition, the $1,000/month subscription gives cybercriminals a ready-made web panel for managing victims, a MetaMask brute-forcer, a cryptocurrency checker, a DMG installer and the option of receiving stolen logs directly on Telegram.


The macOS info-stealer was recently spotted by a Trellix researcher and by researchers at Cyble, who analysed a sample of the "Atomic" malware and reported that its author released a new version on 25 April 2023.

How the Atomic macOS malware is distributed depends on the cybercriminal who buys it: it can be delivered through phishing emails, malicious advertisements, social media posts and similar channels.


Atomic offers a full range of data-theft features, allowing the attacker to penetrate the target system further.

Once the victim opens the malicious DMG and runs the application, the malware displays a fake password prompt to capture the system password, which lets the attacker take control of the victim's computer and gain access to sensitive information. A future update of the Atomic macOS malware may also allow it to change system settings or install additional malicious payloads.

After the initial compromise, the malware attempts to extract the Keychain password. The Keychain is the built-in macOS password manager and holds Wi-Fi passwords, website logins, credit card data and other encrypted information.



Having done this, Atomic then extracts information from software on the compromised Mac, including:

System information: Model name, hardware UUID, RAM size, number of cores, serial number and more.

Desktop cryptocurrency wallets: Electrum, Binance, Exodus, Atomic

Cryptocurrency wallet extensions: As mentioned above, over 50 extensions are targeted, including Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, Coinbase, Guarda, TronLink, Trezor Password Manager, MetaMask, Yoroi and BinanceChain.

Web browser data: autocomplete, passwords, cookies and credit cards from Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera and Vivaldi.

The Atomic macOS malware also lets its operators steal files directly from the victim's "Desktop" and "Documents" directories.

However, macOS requires the malware to ask the user for permission before it can read these folders, and that prompt could make victims aware of the malicious activity.

Once the data has been collected, Atomic packs it all into a single ZIP archive and sends it to the threat actor's command and control server, which Cyble says is located at "amos-malware[.]ru/sendlog".
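The two behaviours described above, the fake password prompt and the ZIP upload to the command and control server, are both observable on the endpoint and can be turned into detection logic. The following is an added example written for this article; it is not code from the article, from Cyble or Trellix, or from the malware. It assumes, because the page does not say how the prompt is produced, that the fake window comes from an AppleScript "display dialog ... with hidden answer" launched through osascript, a common technique in macOS stealers, and it runs over constructed telemetry events (one process and one network event per line, as an EDR or the unified log might provide) rather than real captures. The indicator is the defanged one quoted from Cyble.

```python
import re

# Indicator quoted from Cyble in the article, kept defanged as written.
C2_DEFANGED = "amos-malware[.]ru/sendlog"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


C2_HOST, C2_PATH = refang(C2_DEFANGED).split("/", 1)  # "amos-malware.ru", "sendlog"

# Rule 1 (assumption, not stated on the page): the fake password window is an
# AppleScript "display dialog ... with hidden answer" launched through osascript.
HIDDEN_PROMPT = re.compile(r"display dialog .*?with hidden answer", re.I | re.S)
PASSWORD_WORDS = re.compile(r"password|passcode|credential", re.I)


def fake_password_prompt(event: dict) -> bool:
    """True for a process event that shows a hidden-input dialog mentioning passwords."""
    if event.get("type") != "process":
        return False
    cmd = event.get("cmdline", "")
    return (cmd.startswith("osascript")
            and HIDDEN_PROMPT.search(cmd) is not None
            and PASSWORD_WORDS.search(cmd) is not None)


def c2_exfil(event: dict) -> bool:
    """True for an HTTP POST to the C2 host and path named in the article."""
    if event.get("type") != "network":
        return False
    return (event.get("method") == "POST"
            and event.get("dest", "").lower() == C2_HOST
            and event.get("path", "") == "/" + C2_PATH)


def detect(events: list) -> list:
    """Run both rules over a stream of events and return one alert per hit."""
    alerts = []
    for e in events:
        for name, rule in (("fake_password_prompt", fake_password_prompt),
                           ("c2_exfil", c2_exfil)):
            if rule(e):
                alerts.append({"rule": name, "endpoint": e["endpoint"],
                               "pid": e["pid"], "ts": e["ts"]})
    return alerts


def correlate(alerts: list, window: int = 600) -> list:
    """Endpoints where a fake prompt was followed by C2 exfil within `window` seconds."""
    prompts = [a for a in alerts if a["rule"] == "fake_password_prompt"]
    exfil = [a for a in alerts if a["rule"] == "c2_exfil"]
    hits = {p["endpoint"] for p in prompts for x in exfil
            if x["endpoint"] == p["endpoint"] and 0 <= x["ts"] - p["ts"] <= window}
    return sorted(hits)


# Constructed sample telemetry (not real captures): one infected Mac, one clean one.
SAMPLE_EVENTS = [
    {"type": "process", "endpoint": "mac-01", "pid": 812, "ts": 100,
     "cmdline": "osascript -e 'display dialog \"macOS needs to access System Settings. "
                "Please enter your password.\" with title \"System Preferences\" "
                "default answer \"\" with hidden answer'"},
    {"type": "process", "endpoint": "mac-01", "pid": 813, "ts": 101,
     "cmdline": "osascript -e 'display dialog \"Backup finished\" buttons {\"OK\"}'"},
    {"type": "network", "endpoint": "mac-01", "pid": 812, "ts": 160, "method": "POST",
     "dest": "amos-malware.ru", "path": "/sendlog", "content_type": "application/zip"},
    {"type": "network", "endpoint": "mac-02", "pid": 44, "ts": 170, "method": "GET",
     "dest": "example.com", "path": "/"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("prompt followed by exfil on:", correlate(found))
```

The first rule is behavioural and survives a change of infrastructure; the second is a plain indicator match and will stop firing as soon as the operator moves the C2, so the correlation step exists to raise confidence when both land on the same machine within a short window. A benign osascript dialog without hidden input, like the second sample event, is deliberately not flagged.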


According to the Trellix researcher, the IP address of the command and control server and the build name are also used by Raccoon Stealer, suggesting a possible link between the two operations.

From there, selected information and the ZIP archive are also forwarded to the operator's private Telegram channel.

macOS is often considered more secure than other operating systems, but threat actors have increasingly targeted it in recent years. There have been several cases of macOS users being hit with malware families such as MacStealer, RustBucket and DazzleSpy, and Atomic now joins that list.

To keep your Mac safe, follow a few basic steps: install anti-malware software and keep both the operating system and your applications up to date.

Source: www.bleepingcomputer.com

Digital Fortress, https://secnews.gr