If you click a malicious link on a Mac, the payload is most likely Atomic macOS Stealer (AMOS). Since it emerged in April last year, this malware has become a go-to tool for hackers stealing crypto, passwords, and session tokens, and high demand has tripled its price.
New threat research released by Sophos X-Ops reveals a concerning trend affecting macOS users – mainstream malware is now beginning to hit Macs regularly.
AMOS is the main culprit. It is one of the most common infostealer strains, and infostealers accounted for over 50% of all macOS detections in the last six months.
“There was historically a tendency to believe that macOS was less susceptible to malware than Windows, possibly because the operating system has a lower market share than Windows and a native suite of security features,” the report reads.
“Over time, that’s changed.”
AMOS is a specialized malicious tool for stealing sensitive data, such as cookies, passwords, autofill data, or the contents of cryptocurrency wallets. Compromised machines send the collected information to a threat actor, who will most likely sell it to other cybercriminals specializing in data exploitation.
The market for ‘logs’ – stolen data in cybercrime circles – is booming, raising AMOS’s price.
“The price of AMOS has tripled in the past year – which speaks both to the desire to target macOS users and the value of doing so to criminals,” Sophos researchers say.
Initially sold for $1000 a month, the malware’s price has now risen to $3000 per month, as advertised on public Telegram channels. The price for a lifetime license was not disclosed.
Hackers boast on Telegram that AMOS is capable of collecting information from Notes, Keychain, and SystemInfo, obtaining the MacOS password, and targeting popular browsers, exfiltrating auto-fills, cookies, and passwords (for Safari – cookies only). The list of affected crypto wallets and plugins includes Electrum, Binance, Exodus, Atomic, and Coinomi.
The malware allegedly launches with its console window hidden.
Finding victims and deploying the malware is not that hard, as cybercriminals have recently shifted from traditional phishing to search-result poisoning through malvertising and SEO, which pushes malicious websites to the top of search results.
“Some of the legitimate applications we’ve seen AMOS imitate in this manner include Notion, a productivity app; Trello, a project management tool; the Arc browser, Slack; and Todoist, a to-do-list application,” Sophos researchers said.
Malicious ads extend to social media. Some of the observed examples were fake installers for “Clean My Mac X,” which is a legitimate application.
Threat actors abuse legitimate infrastructure, such as GitHub, to host AMOS binaries.
AMOS has evolved in the year-plus since it emerged. Its code has been obfuscated to evade detection, and recent variants also ship as Python scripts that reimplement earlier functionality in place of Mach-O executables, likely for the same reason.
Sophos warns that Atomic Malware creators now claim capabilities for iOS too.
“Well, the iPhone is opened. We are expecting a new iOS product for the masses. The tests have shown success. The price will be appropriate,” one of the cybercriminal’s posts reads.
The EU’s Digital Markets Act (DMA) obliges Apple to open the platform to alternative app marketplaces, which may be a driving force for malware developers: they could start distributing iOS versions of AMOS from malicious websites, as they currently do to target macOS users.
So far, all stealers on macOS have been distributed outside the official App Store and are not verified. Threat actors must therefore rely on social engineering to get users to download the stealer and interact with a pop-up asking for permissions and passwords.
AMOS is not the only player in town – other rivals include MetaStealer, KeySteal, and CherryPie.
Sophos X-Ops recommends installing only trusted software from legitimate sources and paying attention to any pop-ups requesting passwords or privileges.