Security experts have raised warnings about a new piece of malware that targets MacOS devices to steal sensitive information including saved passwords, credit card numbers and data from over 50 cryptocurrency browser extensions.
Dubbed ‘Atomic’ – also known as ‘AMOS’ – the threat is being sold on the infamous encrypted messaging app Telegram, which has a reputation as a platform for sharing illicit material and content, for $1,000 per month.
It comes with several features that make it easier for threat actors to carry out their crimes, such as a web panel to help management their victims, a MetaMask brute-forcer, a cryptocurrency checker, a dmg installer, and the ability to receive stolen logs on Telegram.
Undetectable
Researchers at both Trellix (opens in new tab) and Cyble labs (opens in new tab) have been tracking the malware, and found that the latest version release was on April 25, suggesting that developments and updates are ongoing.
What’s more, the tool is proving hard to detect, with under 2% of antivirus software flagging the dmg file as malicious.
Threat actors can infect users with the malware via the usual methods, such as phishing emails, social media posts, malvertising campaigns, bad torrents and the like.
When the victim opens the dmg file, they are given a fake prompt to enter their master password for their device, which the malware steals to gain entry. It then tries to steal user information saved in Apple’s proprietary password manager Keychain.
It then tries to steal information from installed software on the system, such desktop cryptocurrency wallets from the likes of Electrum, Binance, Exodus, and Atomic, as well as 50 other wallet extensions which include Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, and BinanceChain.
Web browser data is also extracted, such as passwords and payment cards saved on Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, and Vivaldi. System information such as model name, serial numbers, hardware UUID, RAM size and core count is also scoured.
Atomic can also steal files directly from directories such as the Desktop and Documents folders. But in doing this, the malware has to request permission from the system, which the user is notified of, so this may give them opportunity to spot the infection.
The stolen data is compressed into a zip file and sent to the command and control server of the threat actor, which, interestingly, has the same IP address as that used by the Raccoon Stealer, suggesting a link between the two.
Apple devices aren’t usually targeted as much with malware as Windows machines, but it appears this is beginning to change, as a recent report has claimed that such threats are on the rise.