New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets

Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer.

“The Atomic macOS Stealer can steal various types of information from the victim’s machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password,” Cyble researchers said in a technical report.

Among other features include its ability to extract data from web browsers and cryptocurrency wallets like Atomic, Binance, Coinomi, Electrum, and Exodus. Threat actors who purchase the stealer from its developers are also provided a ready-to-use web panel for managing the victims.

The malware takes the form of an unsigned disk image file (Setup.dmg) that, when executed, urges the victim to enter their system password on a bogus prompt to escalate privileges and carry out its malicious activities — a technique also adopted by MacStealer.

The initial intrusion vector used to deliver the malware is immediately not clear, although it’s possible that users are manipulated into downloading and executing it under the guise of legitimate software.

The Atomic stealer artifact, submitted to VirusTotal on April 24, 2023, also bears the name “Notion-7.0.6.dmg,” suggesting that it’s being propagated as the popular note-taking app. Other samples unearthed by the MalwareHunterTeam have been distributed as “Photoshop CC 2023.dmg” and “Tor Browser.dmg.”

“Malware such as the Atomic macOS Stealer could be installed by exploiting vulnerabilities or hosting on phishing websites,” Cyble noted.

Atomic then proceeds to harvest system metadata, files, iCloud Keychain, as well as information stored in web browsers (e.g., passwords, autofill, cookies, credit card data) and crypto wallet extensions, all of which are compressed into a ZIP archive and sent to a remote server. The ZIP file of the compiled information is then sent to pre-configured Telegram channels.

The development is another sign that macOS is increasingly becoming a lucrative target beyond nation-state hacking groups to deploy stealer malware, making it imperative that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via emails or SMS messages.

Second Variant of Atomic Stealer Found

SentinelOne, in a follow-up analysis published earlier this week, disclosed details of a previously unreported second variant of Atomic Stealer and the use of Google Ads as a distribution vector for the malware.

The new version masquerades as a game installer and incorporates a “larger number of functions focusing on Firefox and Chromium browsers” but at the same time leverages game-related lures to target cryptocurrency users.

Additionally, the presence of grammatical and spelling errors is an indication that the developer’s first language is likely not English. The identity of the threat actor behind Atomic Stealer is currently unknown.

Another significant trait of Atomic Stealer is its lack of persistence mechanism due to a macOS Ventura feature that alerts users when new apps or services are added to the list of “login items” that are automatically executed when the device starts. Instead, it opts to steal as much information as possible in what’s a smash-and-grab attack.

“Infostealers targeted at Mac users have become increasingly viable for threat actors now that Macs have reached widespread use in organizations, both for work and personal use,” SentinelOne researcher Phil Stokes said.

“As many Mac devices lack good external security tools that can provide both visibility and protection, there is plenty of opportunity for threat actors to develop and market tools to aid cybercriminals.”

Posted in Exploit, Vulnerability.