Cyble analysts have noticed that attackers are advertising a new Atomic macOS Stealer (AMOS) infostealer, which is specifically designed for macOS. The malware is distributed via Telegram and has a subscription cost of $1,000 per month. Buyers receive a DMG file (Setup.dmg) containing a malware written in Go that is designed to steal passwords from the Keychain, files from the local file system, passwords, cookies, and bank card data stored in browsers. It also attempts to steal data from more than 50 cryptocurrency extensions and wallets, including Binance, Coinomi, Electrum, and Exodus.
Subscribers have access to a web panel for convenient data management of victims, a MetaMask brute-forcer, the DMG installer, and the ability to receive stolen information directly through Telegram. At the time of the release of the researchers’ report, the malicious DMG file was not detected by security products on VirusTotal.
Distribution of Atomic is left to its “customers”, which means it can be spread through phishing emails, malicious ads, social media posts, SMS, black hat SEO techniques, torrents, and more. When the malicious DMG file is executed, the malware displays a fake window for entering the system password, allowing its operators to gain elevated privileges on the victim’s system and proceed to collect data.
Trellix security experts, who also studied this malware, noticed that the IP address associated with the Atomic C&C server and the assembly name intersect with Raccoon Stealer, suggesting that the same attackers may be behind these threats.
