New Atomic macOS info-stealing malware targets 50 crypto wallets

A new macOS information-stealing malware named 'Atomic' (aka 'AMOS') is being sold to cybercriminals via private Telegram channels for a subscription of $1,000 per month.

For this hefty price, buyers get a DMG file containing a 64-bit Go-based malware designed to target macOS systems and steal keychain passwords, files from the local filesystem, passwords, cookies, and credit cards stored in browsers.

The malware also attempts to steal data from over 50 cryptocurrency extensions, which have become a popular target for information-stealing malware.

For the price, cybercriminals also get a ready-to-use web panel for easy victim management, a MetaMask brute-forcer, a cryptocurrency checker, a dmg installer, and the ability to receive stolen logs on Telegram.

The malware was recently spotted by a Trellix researcher and researchers at Cyble labs, who analyzed a sample of 'Atomic' and reported that the author released a new version on April 25, 2023, so this is an actively developed project.

At the time of writing, the malicious dmg file goes largely undetected on VirusTotal, where only one out of 59 AV engines flag it as malicious.

As for its distribution, buyers are responsible for setting up their own channels, which may include phishing emails, malvertizing, social media posts, instant messages, black SEO, laced torrents, and more.

Atomic features

The Atomic Stealer boasts a comprehensive array of data-theft features, providing its operators with enhanced opportunities for penetrating deeper into the target system.

Upon executing the malicious dmg file, the malware displays a fake password prompt to obtain the system password, allowing the attacker to gain elevated privileges on the victim's machine.

This is a requirement for accessing sensitive information, but a future update might also leverage it for changing system settings or installing additional payloads.

After this first compromise, the malware attempts to extract the Keychain password, macOS' built-in password manager that holds WiFi passwords, website logins, credit card data, and other encrypted information.

Having done the above, Atomic proceeds to extract information from software that runs on the breached macOS machine, including the following:

Desktop cryptocurrency wallets: Electrum, Binance, Exodus, Atomic Cryptocurrency wallet extensions: 50 extensions are targeted in total, including Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, Coinbase, Guarda, TronLink, Trezor Password Manager, Metamask, Yoroi, and BinanceChain. Web browser data: auto-fills, passwords, cookies, and credit cards from Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, and Vivaldi. System information: Model name, hardware UUID, RAM size, core count, serial number, and others.

Atomic also gives operators the capability to steal files directly from the victim's 'Desktop' and 'Documents' directories.

However, the malware must request permission to access these files, which creates an opportunity for victims to realize the malicious activity.

When stealing data, the malware will pack it all into a ZIP file and then send it to the threat actor's command and control server, which Cyble says is located at "amos-malware[.]ru/sendlog."

Of particular interest, the Trellix security researcher noted that the IP address associated with the Atmos command and control server and its build name are also used by the Raccoon Stealer, potentially linking the two operations.

From there, selected information and the ZIP archive are also sent to the operator's private Telegram channel.

Although macOS isn't at the epicenter of malicious info-stealer activity, like Windows, it is increasingly being targeted by threat actors of all skill levels.

A North Korean APT group recently deployed a novel macOS info-stealer in the 3CX supply chain attack, illustrating that Macs are now a target for even state-sponsored hacking groups.