Security experts have warned of a new piece of malware targeting macOS devices to steal sensitive information, including stored passwords, credit card numbers and data from over 50 cryptocurrency browser extensions.
Dubbed ‘Atomic’ – also known as ‘AMOS’ – the threat is being sold on the notorious encrypted messaging app Telegram, which has a reputation as a platform for sharing illegal material and content, for $1,000 per month.
It comes with several features that make it easier for threat actors to carry out their crimes, such as a web panel to help manage their victims, a MetaMask brute-forcer, a cryptocurrency controller, a dmg installer, and the ability to receive stolen logs on Telegram.
Undetectable
Security researchers at both Trellix and Cyble Labs have been tracking the malware, and found that the latest version was released on April 25, indicating that development and updates are ongoing.
Also, the tool proves difficult to detect, with less than 2% of antivirus software flagging the dmg file as malicious.
Threat actors can infect users with malware via common methods, such as phishing emails, social media posts, malvertising campaigns, bad torrents, and the like.
When the victim opens the dmg file, they get a fake message to enter the device master password, which the malware steals to gain entry. It then tries to steal user information stored in Apple’s proprietary password manager Keychain.
It then tries to steal information from installed software on the system, such as desktop cryptocurrency wallets from the likes of Electrum, Binance, Exodus, and Atomic, as well as 50 other wallet extensions that include Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, and BinanceChain.
Browser data is also extracted, such as passwords and payment cards stored on Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera and Vivaldi. System information such as model name, serial number, hardware UUID, RAM size and core count are also scanned.
Atomic can also steal files directly from directories such as the Desktop and Documents folders. However, doing so requires the malware to request permission from the system, which prompts the user, and that prompt may give them a chance to notice the infection.
The stolen data is compressed into a zip file and sent to the command and control server of the threat actor, which interestingly has the same IP address as the one used by the Raccoon Stealer, suggesting a link between the two.
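The collection chain described above (login keychain, browser credential stores, wallet data and user documents read by one process, followed by a zip archive) can be turned into a behavioural detection. The following Python is an added example, not code from the article or from the researchers it cites; the file-path markers and the sample telemetry are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple
from typing import Dict, Iterable, List, Optional, Set, Tuple
# Locations the stealer is reported to read; first match wins, so wallet extension
# storage is tested before the generic browser markers. Directory names are assumptions.
CATEGORIES = {
    "keychain": ("/Library/Keychains/login.keychain-db",),
    "wallet": ("/.electrum/", "/Exodus/", "/atomic/", "/Local Extension Settings/"),
    "browser_creds": ("/Google/Chrome/", "/Firefox/Profiles/", "/Microsoft Edge/",
                      "/Yandex/", "/com.operasoftware.Opera/", "/Vivaldi/"),
    "user_docs": ("/Desktop/", "/Documents/"),
}
Event = namedtuple("Event", "pid process op path")  # op is "read" or "write"

def classify(ev: Event) -> Optional[str]:
    """Map one file event to a behaviour category, or None if uninteresting."""
    if ev.op == "write" and ev.path.endswith(".zip"):
        return "archive_write"
    if ev.op == "read":
        for name, markers in CATEGORIES.items():
            if any(m in ev.path for m in markers):
                return name
    return None

def detect(events: Iterable[Event], min_categories: int = 3) -> Dict[int, Tuple[str, List[str]]]:
    """Flag processes that hit >= min_categories categories including a zip write:
    the collect-then-compress pattern. A browser reading only its own profile or a
    backup job zipping Documents stays below the threshold."""
    seen: Dict[int, Set[str]] = defaultdict(set)
    names: Dict[int, str] = {}
    for ev in events:
        cat = classify(ev)
        if cat:
            seen[ev.pid].add(cat)
            names[ev.pid] = ev.process
    return {pid: (names[pid], sorted(cats)) for pid, cats in seen.items()
            if "archive_write" in cats and len(cats) >= min_categories}
# Constructed sample telemetry, not real logs: a normal browser, a backup job and a
# fake "installer" process showing the reported stealer behaviour.
H = "/Users/alice"
SAMPLE_EVENTS = [
    Event(101, "Google Chrome", "read", H + "/Library/Application Support/Google/Chrome/Default/Login Data"),
    Event(202, "backupd", "read", H + "/Documents/notes.txt"),
    Event(202, "backupd", "write", H + "/Backups/docs.zip"),
    Event(303, "installer", "read", H + "/Library/Keychains/login.keychain-db"),
    Event(303, "installer", "read", H + "/Library/Application Support/Google/Chrome/Default/Login Data"),
    Event(303, "installer", "read", H + "/.electrum/wallets/default_wallet"),
    Event(303, "installer", "read", H + "/Desktop/tax-return.pdf"),
    Event(303, "installer", "write", "/tmp/out.zip"),
]
print(detect(SAMPLE_EVENTS))
```

Only the "installer" process is flagged; the browser touches one category and the backup job two, so neither reaches the threshold.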
Apple devices are not typically targeted with malware as much as Windows machines, but it seems that this is starting to change, as a recent report has claimed that such threats are on the rise.