Cybercriminals advertise Atomic macOS stealer on Dark Web
A new information stealer for Apple macOS, called Atomic macOS Stealer (AMOS), is being advertised on Telegram for $1,000 per month.
According to a recent research from Cyble, the malware can steal various types of information from the victim’s machine, including passwords, system information, and files. It can also extract data from web browsers and cryptocurrency wallets.
The malware takes the form of an unsigned disk image file and urges the victim to enter their system password on a bogus prompt to escalate privileges and carry out its malicious activities.
The initial intrusion vector used to deliver the malware is not clear, but it’s possible that users are manipulated into downloading and executing it under the guise of legitimate software. The malware could be installed by exploiting vulnerabilities or hosting on phishing websites.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1204.002 | User Execution: Malicious File |
| Credential Access | T1110 | Brute Force |
| Credential Access | T1555.001 | Keychain |
| Credential Access | T1555.003 | Credentials from Web Browsers |
| Discovery | T1083 | File and Directory Discovery |
| Command and Control | T1132.001 | Data Encoding: Standard Encoding |
| Exfiltration | T1041 | Exfiltration Over C&C Channel |
Indicators of Compromise
| SHA256/Domain/URL |
|---|
| 15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709 |
| amos-malware[.]ru |
| hxxp[:]//amos-malware[.]ru/sendlog |