Apple’s macOS operating system has generally been considered to be a less attractive target for malware authors when compared to the Windows operating system. However, we do see new macOS malware pop up from time to time, especially as the Mac has become more popular in the last decade or so. Now, a new Mac malware is in the wild that users should be aware of.
The new malware, called Atomic macOS Stealer (AMOS), was found on Telegram by Cyble Research. Access to the malware was being sold by a Telegram user. The malware is designed to steal sensitive information like usernames and passwords.
The unknown malware author behind the Atomic macOS Stealer is apparently working behind the scenes to improve the malware and to make it more effective. The current version of AMOS can access keychain passwords, system information, desktop and documents folder contents, and the Mac password.
The malware has the ability to target multiple browsers, extracting auto-fills, passwords, cookies, wallets, and credit card information. AMOS can also target cryptowallets, including Atomic, Binance, Electrum, Exodus, and Coinomi.
In addition to obtaining the above information, the malware also targets the Keychain macOS password management tool to extract information from the victim’s machine. Keychain allows users to safely store sensitive data, including WiFi passwords, credit card details, website logins, and more.
AMOS is available with a web panel, making it easy to manage the malware’s targets, and includes tools to brute-force private keys. The malware and its accompanying service are available as software for rent on Telegram for $1,000 per month.
The malware is installed on a victim’s Mac via a .dmg file and once installed, immediately begins probing for sensitive information, sending it to a remote server. A fake system prompt is used to obtain access to the Mac system password, also asking for access to files located in desktop and documents folders.
As the malware require the users to open a .dmg file to install it, users can avoid infection by simply not installing untrusted software from unverified development sources. Users are recommended to only install software from the Mac App Store. They are also urged to use strong and unique passwords, and to use biometric authentication and multi-factor authentication whenever possible.
Users should also avoid clicking links in emails and text messages, avoid opening attachments in emails, think twice before granting permissions to an app, and to keep their apps and operating systems updated.
