URL: https://cyble.com/blog/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/

THREAT ACTOR SELLING NEW ATOMIC MACOS (AMOS) STEALER ON TELEGRAM

April 26, 2023



UNDETECTED GOLANG-BASED STEALER EMERGES AND BAFFLES SECURITY VENDORS



In recent years, macOS has become increasingly popular among users, largely due
to its user-friendly interface, which is often commended for its simplicity and
ease of use.

macOS is also often perceived as being more secure than other operating systems.
Despite this, Threat Actors (TAs) have continued to target macOS platforms.
Previously, there have been several cases where Threat Actors have targeted
macOS users with various families of malware, including MacStealer, RustBucket,
DazzleSpy, etc.


Cyble Research and Intelligence Labs (CRIL) recently discovered a Telegram
channel advertising a new information-stealing malware called Atomic macOS
Stealer (AMOS). The malware is specifically designed to target macOS and can
steal sensitive information from the victim’s machine.

The TA behind this stealer is constantly improving this malware and adding new
capabilities to make it more effective. The most recent update to the malware
was highlighted in the Telegram post on April 25th, showcasing its latest
features.

The Atomic macOS Stealer can steal various types of information from the
victim’s machine, including keychain passwords, complete system information,
files from the desktop and documents folder, and even the macOS password. The
stealer is designed to target multiple browsers and can extract auto-fills,
passwords, cookies, wallets, and credit card information. Specifically, AMOS can
target cryptowallets such as Electrum, Binance, Exodus, Atomic, and Coinomi.

The TA also provides additional services such as a web panel for managing
victims, MetaMask brute-forcing for stealing seed and private keys, a crypto
checker, and a .dmg installer, and shares the resulting logs via Telegram. These
services are offered at a price of $1000 per month.

Figure 1 – Telegram Post by Malware Developer




TECHNICAL ANALYSIS



For our analysis, we took the sample “Setup.dmg” with SHA256
15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709, which was FUD
(“Fully Undetectable”, i.e. zero detections) on VirusTotal at the time of
writing this analysis.

The TAs distribute this malware as a ‘.dmg’ file containing a macOS executable
located at “/Setup.app/Contents/macOS/My Go Application.app”, which is a 64-bit
Golang executable.

Figure 2 – Strings related to Go Source Files of Stealer



The Atomic macOS Stealer’s main function invokes all of its capabilities in
turn: keychain extraction, crypto wallet theft, stealing browser details,
grabbing user files, collecting system information, and sending all the stolen
data to the remote C&C server.

The main functions of the stealer are depicted in the figure below.

Figure 3 – Stealer’s main function



Once a user executes the file, it displays a fake password prompt to obtain the
system password, as shown in the figure below.

Figure 4 – Fake password prompt




KEYCHAIN PASSWORD EXTRACTION



In addition to obtaining the system password, the malware also targets
Keychain, the macOS password management tool, using the main_keychain()
function to extract sensitive information from the victim’s machine. Keychain
enables users to safely store sensitive data such as website logins, Wi-Fi
passwords, credit card details, and more.

The code snippet depicted in the figure below exhibits the main_keychain()
function, implemented to gather the user’s credentials.

Figure 5 – Keychain password extraction




STEALING CRYPTO WALLETS



After that, the stealer begins to extract information related to crypto-wallets
by querying and reading files from specific directories using the function
main_GrabWallets(). The stealer targets crypto wallets such as Electrum,
Binance, Exodus, and Atomic, as shown below.

Figure 6 – Targeted Crypto-wallets




CRYPTO WALLET EXTENSION



The Atomic macOS stealer can also extract information from crypto wallet browser
extensions. These extensions are integrated into the stealer binary via hard
coding, with over 50 extensions being targeted thus far.

The table below highlights some crypto wallets with respective browser extension
IDs targeted by the malware.

Extension ID                      Wallet
acmacodkjbdgmoleebolmdjonilkdbch  Rabby Wallet
aeachknmefphepccionboohckonoeemg  Coin98 Wallet
afbcbjpbpfadlkmhmclhkeeodmamcflc  Math Wallet
aholpfdialjgjfhomihkjbmgjidlcdno  Exodus Web3 Wallet
aiifbnbfobpmeekipheeijimdpnlpgpp  Station Wallet
amkmjjmmflddogmhpjloimipbofnfjih  Wombat – Gaming Wallet for Ethereum & EOS
apnehcjmnengpnmccpaibjmhhoadaico  CWallet
bcopgchhojmggmffilplmbdicgaihlkp  Hycon Lite Client
bfnaelmomeimhlpmgjnjophhpkkoljpa  Phantom
bocpokimicclpaiekenaeelehdjllofo  XDCPay
cgeeodpfagjceefieflmdfphplkenlfk  EVER Wallet
cihmoadaighcejopammfbmddcmdekcje  LeafWallet
cjelfplplebdjjenllpjcblmjkfcffne  Jaxx Liberty
cjmkndjhnagcfbpiemnkdpomccnjblmj  Finnie
cmndjbecilbocjfkibfbifhngkdmjgog  Swash
cnmamaachppnkjgnildpdmkaakejnhae  Auro
copjnifcecdedocejpaapepagaodgpbh  Freaks Axie
cphhlgmgameodnhkjdmkpanlelnlohao  NeoLine
dhgnlgphgchebgoemcjekedjjbifijid  Crypto Airdrops & Bounties
dkdedlpgdmmkkfjabffeganieamfklkm  Cyano
dmkamcknogkgcdfhhbddcghachkejeap  Keplr
efbglgofoippbgcjepnhiblaibcnclgk  Martian Wallet for Sui & Aptos
egjidjbpglichdcondbcbdnbeeppgdph  Trust Wallet
ffnbelfdoeiohenkjibnmadjiehjhajb  Yoroi
fhbohimaelbohpjbbldcngcnapndodjp  BinanceChain
fhilaheimglignddkjgofkcbgekhenbh  Oxygen
flpiciilemghbmfalicajoolhkkenfel  ICONex
fnjhmkhhmkbjkkabndcnnogagogbneec  Ronin
fnnegphlobjdpkhecapkijjdkgcjhkib  Harmony Wallet
hcflpincpppdclinealmandijcmnkbgn  KHC
hmeobnfnfcmdkdcmlblgagmfpfboieaf  XDEFI
hnfanknocfeofbddgcijnmhnfnkdnaad  Coinbase
hnhobjmcibchnmglfbldbfabcgaknlkj  Flint Wallet
hpglfhgfnhbgpjdenjgmdgoeiappafln  Guarda
ibnejdfjmmkpcnlpebklmnkoeoihofec  TronLink
imloifkgjagghnncjkhggdhalmcnfklk  Trezor Password Manager
jojhfeoedkpkglbfimdfabpdfjaoolaf  Polymesh
klnaejjgbibmhlephnhpmaofohgkpgkd  ZilPay
kncchdigobghenbbaddojjnnaogfppfj  iWallet
kpfopkelmapcoipemfendmdcghnegimn  Liquality
lodccjjbdhfakaekdiahmedfbieldgik  DAppPlay
mfhbebgoclkghebffdldpobeajmbecfk  Starcoin
mnfifefkajgofkcjkemidiaecocnkjeh  TezBox
nhnkbkgjikgcigadomkphalanndcapjk  CLW
nkbihfbeogaeaoehlefnkodbefgpgknn  Metamask
nknhiehlklippafakaeklbeglecifhad  Nabox
nlbmnnijcnlegkjjpcfjclmcfggfefdm  MewCx
nlgbhdfgdhgbiamfdfmbikcdghidoadd  Byone
nphplpgoakhhjchkkhmiggakijnkhfnd  Ton
ookjlbkiijinhpmnjffcofjonbfbgaoc  Temple
pdadjkfkgcafgbceimcpbkalnfnepbnk  KardiaChain
pnndplcbkakcplkjnolgbkdgjikjednm  Tron Wallet & Explorer – Tronium
pocmplpaccanhmnllbbkpgfliimjljgo  Slope
ppdadbejkmjnefldpcdjhnkpbjkikoip  Oasis
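Because the stealer identifies wallet extensions purely by their hard-coded IDs, a defender can use the same IDs the other way round: to inventory which endpoints carry a high-value wallet extension and therefore deserve tighter monitoring. The script below is an added example written for this post, not code from Cyble or from the malware; it takes a subset of the IDs in the table above and walks the real Chrome layout on macOS (`<profile>/Extensions/<32-char id>/<version>/` under `~/Library/Application Support/Google/Chrome`). The `build_constructed_profile` helper creates a fake, constructed user-data tree so the check runs offline; the `Profile 1` and `Profile 2` names and the `1.0.0_0` version folder are made up for that sample.

```python
import tempfile
from pathlib import Path

# Subset of the browser-extension IDs from the post's table (ID -> wallet name).
TARGETED_EXTENSIONS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "Metamask",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
    "hnfanknocfeofbddgcijnmhnfnkdnaad": "Coinbase",
    "egjidjbpglichdcondbcbdnbeeppgdph": "Trust Wallet",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
    "fhbohimaelbohpjbbldcngcnapndodjp": "BinanceChain",
}


def default_chrome_user_data() -> Path:
    """Chrome's user-data directory on macOS (other Chromium browsers use
    their own folder under Application Support)."""
    return Path.home() / "Library" / "Application Support" / "Google" / "Chrome"


def find_targeted_extensions(user_data_dir, targeted=TARGETED_EXTENSIONS):
    """Return {profile_name: [(ext_id, wallet_name), ...]} for every profile
    under user_data_dir that has one of the targeted extensions installed.
    Chrome unpacks extensions to <profile>/Extensions/<id>/<version>/, so the
    directory name alone identifies the extension; no extension file is read."""
    user_data_dir = Path(user_data_dir)
    report = {}
    if not user_data_dir.is_dir():
        return report
    for profile in sorted(user_data_dir.iterdir()):
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue
        hits = [(d.name, targeted[d.name])
                for d in sorted(ext_root.iterdir())
                if d.is_dir() and d.name in targeted]
        if hits:
            report[profile.name] = hits
    return report


def build_constructed_profile(root):
    """Create a constructed (fake) Chrome user-data tree for offline testing.
    'aaaa...' stands in for an unrelated, non-wallet extension."""
    layout = {
        "Default": ["nkbihfbeogaeaoehlefnkodbefgpgknn",
                    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],
        "Profile 1": ["bfnaelmomeimhlpmgjnjophhpkkoljpa"],
        "Profile 2": [],
    }
    for profile, ids in layout.items():
        (Path(root) / profile).mkdir(parents=True, exist_ok=True)
        for ext_id in ids:
            (Path(root) / profile / "Extensions" / ext_id / "1.0.0_0").mkdir(parents=True)
    return root


def self_check():
    """Run the inventory against the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_profile(tmp)
        return find_targeted_extensions(tmp)


if __name__ == "__main__":
    print("constructed sample:", self_check())
    # On a real macOS host:
    # print(find_targeted_extensions(default_chrome_user_data()))
```

Run against the constructed tree it reports MetaMask in `Default` and Phantom in `Profile 1` and ignores the unrelated extension; pointed at the real user-data path it gives an endpoint-level exposure list that can be fed into an EDR watchlist.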


EXTRACTING BROWSER INFORMATION



After collecting wallet details, the malware queries the installed browsers’
directories on the victim’s device and searches for particular browser-related
files to extract confidential data, such as:

 * Autofills
 * Passwords
 * Cookies
 * Credit Cards

As depicted below, the malware can steal files from various browsers, including
Mozilla Firefox, Google Chrome, Microsoft Edge, Yandex, Opera, and Vivaldi.

Figure 7 – Targeted web browsers




FILE GRABBER



The stealer now steals the victim’s files from directories such as Desktop and
Documents using the main_FileGrabber() function. The figure below shows the
malware requesting permission to access files within the specified directories.

Figure 8 – Stealer requesting permission to access files



The code snippet in the figure below displays the main_FileGrabber() function,
which is implemented to grab files from the victim’s system.

Figure 9 – File grabber




COLLECTING SYSTEM INFORMATION



Subsequently, the malware starts the process of obtaining further
hardware-related information regarding the system, such as the Model name,
Hardware UUID, RAM size, the number of cores, and serial number, among other
information. This is illustrated in the figure below.

Figure 10 – Collected system information




COMMAND AND CONTROL (C&C)



Finally, the Atomic macOS stealer prepares the stolen information for
exfiltration by compressing it into a ZIP archive and Base64-encoding it.

The stealer communicates with the below C&C server URL and sends the stolen
information.

 * hxxp[:]//amos-malware[.]ru/sendlog

The figure below shows the network communication of data exfiltration from the
victim’s machine.

Figure 11 – Exfiltrated data
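The exfiltration format described above (a ZIP archive, Base64-encoded, POSTed to the C&C URL) is itself a detection opportunity: Base64 of the ZIP local-file header `PK\x03\x04` always begins with the characters `UEsDB`, so a proxy or web-gateway rule can flag POST bodies that start that way without decoding the whole payload. The code below is an added example, not Cyble's tooling or the malware's code; it builds a small constructed ZIP in memory as a stand-in for the stolen data, then scores constructed sample requests. The C&C host is the one from the post's IoC list (refanged); the `example.com` hosts are made up.

```python
import base64
import binascii
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local-file header that starts every ordinary ZIP
B64_ZIP_PREFIX = "UEsDB"    # base64 of b"PK\x03\x04" always starts this way


def build_sample_zip() -> bytes:
    """Constructed stand-in for the archive of collected data the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sysinfo.txt", "constructed sample content\n")
    return buf.getvalue()


def looks_like_base64_zip(body: str) -> bool:
    """True when a request body is a base64 string whose decoded bytes start
    with the ZIP magic. Only the first 8 base64 characters (6 bytes) are
    decoded, so the check stays cheap on large bodies."""
    body = body.strip()
    if not body.startswith(B64_ZIP_PREFIX):
        return False
    try:
        head = base64.b64decode(body[:8], validate=True)
    except (binascii.Error, ValueError):
        return False
    return head.startswith(ZIP_MAGIC)


def find_zip_exfil(requests, known_c2_hosts=frozenset()):
    """Score POST requests: a base64-ZIP body alone is 'suspect'; one sent to
    a host on the IoC list is 'c2'. Returns [(verdict, host, path), ...]."""
    findings = []
    for r in requests:
        if r["method"] != "POST" or not looks_like_base64_zip(r["body"]):
            continue
        verdict = "c2" if r["host"].lower() in known_c2_hosts else "suspect"
        findings.append((verdict, r["host"], r["path"]))
    return findings


# Constructed sample traffic (host/path/body only; no real client data).
SAMPLE_REQUESTS = [
    {"method": "POST", "host": "amos-malware.ru", "path": "/sendlog",
     "body": base64.b64encode(build_sample_zip()).decode()},
    {"method": "GET", "host": "updates.example.com", "path": "/index.html",
     "body": ""},
    {"method": "POST", "host": "api.example.com", "path": "/login",
     "body": base64.b64encode(b'{"user":"alice"}').decode()},
    {"method": "POST", "host": "files.example.com", "path": "/upload",
     "body": base64.b64encode(build_sample_zip()).decode()},
]
KNOWN_C2_HOSTS = frozenset({"amos-malware.ru"})

if __name__ == "__main__":
    for verdict, host, path in find_zip_exfil(SAMPLE_REQUESTS, KNOWN_C2_HOSTS):
        print(f"{verdict:8} POST {host}{path}")
```

The fourth sample request shows the caveat: a legitimate file upload that happens to Base64-encode a ZIP produces the same `suspect` hit, so the body signature is a triage signal to combine with destination reputation, the process that made the request, and payload size, not a verdict on its own.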



Concurrently, the Atomic macOS stealer sends selected information to Telegram
channels along with the compiled ZIP file, as shown below.

Figure 12 – Sending ZIP file to Telegram channel




C&C PANEL



The below figure shows Atomic macOS stealer’s active C&C panel.

Figure 13 – AMOS C&C panel




CONCLUSION



Due to its robust security features, macOS is the preferred operating system for
numerous high-profile individuals. Targeting macOS is not a novel trend, and
various malware families exist that specifically aim to infiltrate this
operating system.

Malware such as the Atomic macOS Stealer could be delivered by exploiting
vulnerabilities or by hosting it on phishing websites. Threat Actors can use the
stolen data for espionage or financial gain. While not commonplace, macOS
malware can have devastating impacts on victims.


OUR RECOMMENDATIONS



We have listed some essential cybersecurity best practices that create the first
line of control against attackers. We recommend that our readers follow the best
practices given below:

 * Download and install software only from the official Apple App Store.
 * Use a reputable antivirus and internet security software package on your
   system.
 * Use strong passwords and enforce multi-factor authentication wherever
   possible.
 * Enable biometric security features such as fingerprint or facial recognition
   for unlocking the device wherever possible.
 * Be wary of opening links received via email.
 * Be careful when granting permissions to applications.
 * Keep your devices, operating systems, and applications updated.


MITRE ATT&CK® TECHNIQUES



Tactic               Technique ID  Technique Name
Execution            T1204.002     User Execution: Malicious File
Credential Access    T1110         Brute Force
Credential Access    T1555.001     Keychain
Credential Access    T1555.003     Credentials from Web Browsers
Discovery            T1083         File and Directory Discovery
Command and Control  T1132.001     Data Encoding: Standard Encoding
Exfiltration         T1041         Exfiltration Over C&C Channel


INDICATORS OF COMPROMISE (IOC)

Indicators                                                        Indicator Type  Description
5e0226adbe5d85852a6d0b1ce90b2308                                  MD5             Setup.dmg
0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a                          SHA1            Setup.dmg
15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709  SHA256          Setup.dmg
amos-malware[.]ru                                                 Domain          C&C
hxxp[:]//amos-malware[.]ru/sendlog                                URL             C&C
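The indicators above are published defanged (`[.]`, `[:]`, `hxxp`), so the first step in using them is to refang them into literal strings and then match them against file hashes and network logs. The block below is an added example written for this post, not a Cyble tool; it carries the five IoCs from the table verbatim, refangs the network ones, and sweeps constructed sample log lines and constructed file bytes. The timestamps, the `10.0.0.7` client address and the `www.example.com` entry in `SAMPLE_LOGS` are made up.

```python
import hashlib
import re

# Defanged indicators copied from the post's IoC table.
AMOS_IOCS = {
    "md5": "5e0226adbe5d85852a6d0b1ce90b2308",
    "sha1": "0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a",
    "sha256": "15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709",
    "domain": "amos-malware[.]ru",
    "url": "hxxp[:]//amos-malware[.]ru/sendlog",
}


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions ([.], [:], hxxp/hxxps) so the
    indicator can be compared literally against log text."""
    s = indicator.strip().replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)   # hxxps -> https too
    return s.lower()


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a file's bytes, keyed like the IoC table."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def match_file(data: bytes, iocs=AMOS_IOCS) -> list:
    """Return the hash algorithms under which `data` matches the IoC set."""
    h = file_hashes(data)
    return [alg for alg in ("md5", "sha1", "sha256") if h[alg] == iocs[alg].lower()]


def match_log_line(line: str, iocs=AMOS_IOCS) -> list:
    """Return the network indicator kinds ('domain', 'url') present in a line."""
    low = line.lower()
    return [kind for kind in ("domain", "url") if refang(iocs[kind]) in low]


def scan_logs(lines, iocs=AMOS_IOCS):
    """Return [(line, [kinds...]), ...] for every line that hits an indicator."""
    hits = []
    for line in lines:
        kinds = match_log_line(line, iocs)
        if kinds:
            hits.append((line, kinds))
    return hits


# Constructed sample log lines; the host is the one from the IoC table.
SAMPLE_LOGS = [
    "2023-04-25T10:01:02Z dns query A amos-malware.ru from 10.0.0.7",
    "2023-04-25T10:01:03Z proxy POST http://amos-malware.ru/sendlog 200 48213",
    "2023-04-25T10:02:00Z proxy GET https://www.example.com/ 200 512",
]

if __name__ == "__main__":
    for line, kinds in scan_logs(SAMPLE_LOGS):
        print(kinds, line)
    print("constructed bytes match:", match_file(b"constructed benign bytes"))
```

Matching the domain separately from the full URL matters because DNS logs carry only the host name, while proxy logs carry the whole URL; a line with the C&C URL also contains the domain and is reported under both kinds.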

