Researchers have discovered a new macOS malware-for-hire that can steal user passwords, iCloud Keychain data, browser data and crypto wallet data, all for $1000 a month. The malware, dubbed Atomic macOS Stealer (or AMOS), is being advertised on Telegram and even offers additional ‘services’, including a web panel for managing victims and sharing logs right inside Telegram.
It was discovered by Cyble Research and Intelligence Labs (CRIL), which reports that the threat actor is constantly improving the malware and adding new capabilities, with the latest update highlighted in a Telegram post on April 25.
In addition to stealing the aforementioned data, the malware can also extract auto-fills, passwords, cookies, wallets and credit card information, and it targets specific crypto wallets such as Electrum, Binance, Exodus, Atomic and Coinomi, with over 60 ‘plugins’ for MetaMask, Phantom and other wallets. It can grab system information as well as files from the Desktop and Documents folders. Affected browsers include just about every mainstream macOS browser: Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera and OperaGX.
Once you’ve subscribed to the service, the threat actors give you access to an online AMOS portal to help manage victims with the option of sending “crime logs” and other stolen data straight to your Telegram account. Subscribers also get access to what the threat actors are calling a “beautiful DMG installer”. Similar to .EXE files on Windows, .DMG or Apple Disk Image files are used by legitimate software developers as an easy-to-use way of delivering macOS apps. A DMG installer built into the malware is likely aimed at improving the chances of installation on a target system.
The malware itself isn’t exactly state of the art and doesn’t do anything very complicated to steal your data. Passwords are stolen simply by showing the user a fake prompt suggesting that macOS itself wants to access System Preferences. While the keen-eyed might spot the prompt as a fake, the everyday macOS user might end up giving away their password.