Apple Users Take Caution: Malicious Campaign Spreads Atomic Stealer macOS Malware

An modified version of the macOS stealer virus known as Atomic Stealer, or AMOS, has been seen being distributed through a fresh malvertising campaign, suggesting that its creator is still actively working on it.

Atomic Stealer, a pre-made Golang virus that costs $1,000 a month, was first discovered in April 2023. Not too long afterward, additional versions that targeted gamers and cryptocurrency users were discovered in the wild with an extended collection of information-gathering tools.

Malicious advertisements that link to websites holding malicious installers are displayed to people who seek for popular software on search engines, whether it is legitimate or cracked. This is known as the main distribution channel for malware via Google Ads.

The most recent attempt makes use of a phony TradingView website that has three links clearly marked for downloading the program for Linux, macOS, and Windows.

The MSIX installer hosted on Discord that drops the NetSupport RAT is the source of both the Windows and Linux buttons, according to Malwarebytes director of threat intelligence Jérôme Segura.

Released at the end of June, the macOS payload (“TradingView.dmg”) is a new version of Atomic Stealer packaged as an ad-hoc signed software that, when run, asks users to enter their password on a fictitious prompt and harvests files in addition to data saved in web browsers and iCloud Keychain.

SentinelOne earlier reported in May 2023 that “Atomic stealer also targets both Chrome and Firefox browsers and has an extensive hardcoded list of crypto-related browser extensions to attack.” Coinomi wallets have also been attacked by some variations.

The attacker’s ultimate objective is to get past macOS’s Gatekeeper security measures and transfer the stolen data to a server they own.

The development coincides with the growing likelihood that macOS will be the target of malware assaults; in recent months, a number of info stealers tailored specifically for the operating system have surfaced for sale on crimeware forums, hoping to profit from the widespread use of Apple computers in businesses.

Mac malware is real, but it’s typically less discovered than its Windows equivalent, according to Segura. “The ability of AMOS’s toolkit to elude detection was actually a selling point made by the tool’s developer or seller.”

There is evidence that DarkGate, also known as MehCrypter, has adopted the same distribution technique as Atomic Stealer, indicating that it is not the only malware spread through malvertising and search engine optimization (SEO) poisoning efforts.

(Score: 13) - 4.8/5