Warning: Mac Users Face a New Threat with the Rise of Atomic Stealer macOS Malware
The macOS ecosystem, once considered a haven against malware and cyber-attacks, is increasingly becoming a target for cybercriminals. A recent malvertising campaign has exposed the persistent nature of a macOS malware called Atomic Stealer, also known as AMOS. This off-the-shelf Golang-based software, available for an astonishing $1,000 per month, has been menacing Mac users, primarily those involved in gaming and cryptocurrency transactions.
The Emergence of Atomic Stealer macOS Malware
First discovered in April 2023, Atomic Stealer macOS Malware has undergone several mutations, broadening its scope and refining its information-gathering features. This article aims to delve into the anatomy of this malware, the innovative distribution mechanisms, and the broader implications of this new cyber threat.
How is Atomic Stealer Distributed?
This malware relies on malvertising via Google Ads as its primary distribution channel. Users searching for legitimate or cracked versions of popular software may encounter deceptive ads that lead them to rogue websites hosting malicious installers. These websites are built to look like trustworthy platforms. A recent example involves a fraudulent TradingView website that featured download buttons for Windows, macOS, and Linux.
Anatomy of the Malware
Jérôme Segura, the Director of Threat Intelligence at Malwarebytes, revealed that the macOS payload bundled in a file called “TradingView.dmg” is a revamped version of the Atomic Stealer. The malware is packaged as an ad-hoc signed app (one signed without an Apple-issued developer certificate) and deceives users into entering their passwords via a counterfeit prompt. Once activated, the malware goes on to harvest files and data stored in iCloud Keychain and various web browsers.
The Atomic Stealer macOS Malware is particularly vicious in its pursuit of specific data. It is designed to go after both Chrome and Firefox browsers and has an extensive hardcoded list of crypto-related browser extensions that it targets. Companies like SentinelOne have already flagged this behavior back in May 2023, noting that some variants have also aimed at Coinomi wallets.
The malware is built to slip past Gatekeeper, the macOS built-in security feature that screens downloaded software, and to transfer the accumulated data to a server under the attackers' control. This is a wake-up call for Mac users, who might have previously felt a false sense of security due to macOS's robust built-in protective features.
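The two traits described above, an ad-hoc signature and a package that Gatekeeper would not normally accept, are things a user or analyst can check before opening a download, using Apple's own `codesign` and `spctl` tools. The script below is an added illustration written for this article; it is not code from Malwarebytes or from the malware, and the `codesign`/`spctl` outputs it parses are constructed samples with hypothetical paths and a made-up Team ID, so it runs on any platform. On a Mac, the `inspect_app` helper runs the real tools against a path you supply.

```python
"""Triage a macOS app's code signature and Gatekeeper verdict.

An ad-hoc signature carries no Apple-issued certificate and no Team ID,
so Gatekeeper reports "no usable signature" for it.  A Developer ID
signature names the developer and, when notarized, is accepted outright.
"""
import re
import subprocess
import sys

# --- Constructed samples (not captured from real software) -----------------
ADHOC_SAMPLE = """\
Executable=/Volumes/Example/Example.app/Contents/MacOS/Example
Identifier=Example
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=12
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=4
"""
DEVID_SAMPLE = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20500 size=5678 flags=0x10000(runtime) hashes=100+7 location=embedded
Signature size=9007
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Sep 2023 at 10:00:00
TeamIdentifier=ABCDE12345
"""
UNSIGNED_SAMPLE = "/Applications/Example.app: code object is not signed at all\n"
SPCTL_ACCEPT = """\
/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)
"""
SPCTL_REJECT = """\
/Volumes/Example/Example.app: rejected
source=no usable signature
"""


def classify_codesign(output: str) -> dict:
    """Parse the text `codesign -dvvv <app>` prints (to stderr)."""
    if "code object is not signed at all" in output:
        return {"signing": "unsigned", "team_id": None, "authorities": []}
    authorities = re.findall(r"^Authority=(.+)$", output, re.M)
    team = re.search(r"^TeamIdentifier=(.+)$", output, re.M)
    team_id = team.group(1).strip() if team else None
    if team_id == "not set":
        team_id = None
    # Either marker identifies an ad-hoc signature.
    adhoc = bool(re.search(r"^Signature=adhoc$", output, re.M)) or "(adhoc)" in output
    if adhoc:
        signing = "adhoc"
    elif any(a.startswith("Developer ID Application:") for a in authorities):
        signing = "developer-id"
    else:
        signing = "other"
    return {"signing": signing, "team_id": team_id, "authorities": authorities}


def classify_spctl(output: str) -> dict:
    """Parse the text `spctl -a -vv <app>` prints: Gatekeeper's assessment."""
    accepted = re.search(r": accepted$", output, re.M) is not None
    src = re.search(r"^source=(.+)$", output, re.M)
    return {"accepted": accepted, "source": src.group(1).strip() if src else None}


def assess(codesign_out: str, spctl_out: str) -> dict:
    """Combine both verdicts into a simple risk rating with reasons."""
    sig = classify_codesign(codesign_out)
    gk = classify_spctl(spctl_out)
    reasons = []
    if sig["signing"] in ("adhoc", "unsigned"):
        reasons.append(f"{sig['signing']} signature: no verifiable developer identity")
    if not gk["accepted"]:
        reasons.append(f"Gatekeeper rejected it ({gk['source']})")
    risk = "high" if reasons else "low"
    return {"risk": risk, "signing": sig["signing"], "team_id": sig["team_id"],
            "gatekeeper": gk, "reasons": reasons}


def inspect_app(path: str) -> dict:
    """Run the real tools on macOS and assess the result (hypothetical path)."""
    if sys.platform != "darwin":
        raise RuntimeError("codesign/spctl are only available on macOS")
    cs = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    gk = subprocess.run(["spctl", "-a", "-vv", path], capture_output=True, text=True)
    return assess(cs.stderr + cs.stdout, gk.stderr + gk.stdout)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = inspect_app(target) if target else assess(ADHOC_SAMPLE, SPCTL_REJECT)
    print(result)
```

Run it without arguments to see the constructed ad-hoc sample rated high risk; on a Mac, pass the path of a mounted app bundle (for example one inside a freshly opened disk image) to check it before launching. A Developer ID signature is not proof of good intent, but an ad-hoc or missing signature on something that claims to be a well-known commercial product is a strong reason to stop.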
Rise in macOS Targeting
The increasing vulnerability of macOS systems is evident from the number of macOS-specific info-stealers that have emerged in recent months, targeting the Apple ecosystem. Forums on the dark web are abuzz with sales pitches for malware specially engineered to exploit macOS, indicating a trend that users and cybersecurity experts alike should not ignore.
DarkGate and Other Threats
It's worth mentioning that Atomic Stealer is not an isolated case. DarkGate (also known as MehCrypter) employs similar tactics, including malvertising and SEO poisoning, for distribution. Recent evidence shows that these malware families are being used by various threat actors through different infection channels, including social engineering campaigns on platforms like Microsoft Teams.
“While Mac malware exists, it's generally less detected than its Windows counterpart,” says Segura. The developer of AMOS (Atomic Stealer macOS Malware) claims that their toolkit can evade detection, making it even more of a threat to macOS users.
The rise of Atomic Stealer macOS Malware is a dire signal that the days of considering macOS as a bulletproof platform against malware are long gone. Users must be extra cautious and should keep their systems updated to fend off these increasing threats.
What is Atomic Stealer macOS Malware?
Atomic Stealer is a type of malware targeting macOS systems. It has been recently updated and is actively being maintained by its authors to steal information.
How is this malware distributed?
The malware primarily uses malvertising via Google Ads as its distribution method. Users searching for popular or cracked software are shown fake ads that lead them to websites hosting rogue installers.
Who is the malware targeting?
The malware specifically targets gamers and cryptocurrency users. It is designed to steal information from these groups.
What are the new features in the 2023 variant of Atomic Stealer?
The 2023 variant has an expanded set of information-gathering features and can bypass macOS Gatekeeper protections. It also targets a range of crypto-related browser extensions.
Are other operating systems also at risk?
The recent campaign featured fraudulent websites with download buttons for Windows and Linux, but the focus of this article is on the risks associated with macOS.
What should I do to protect my macOS system from Atomic Stealer?
Update your macOS system and security software regularly. Be cautious when clicking on ads, especially when searching for software online. Always download software from trusted sources.
How does Atomic Stealer get past macOS security features?
It uses a variety of tactics including fake prompts asking for passwords and ad-hoc signed apps to evade detection and steal data stored in iCloud Keychain and web browsers.
Is this malware linked to any other known threats?
While the focus is on Atomic Stealer, the article mentions that similar tactics are used by other malware like DarkGate.
Why is macOS increasingly becoming a target for malware attacks?
The wide availability of Apple systems in organizations and less frequent detection compared to Windows makes macOS a viable target for cybercriminals.