New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets
Cyber Security Threat Summary:
“Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. ‘The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password,’ Cyble researchers said in a technical report. Among other features include its ability to extract data from web browsers and cryptocurrency wallets like Atomic, Binance, Coinomi, Electrum, and Exodus. Threat actors who purchase the stealer from its developers are also provided a ready-to-use web panel for managing the victims” (The Hacker News, 2023).
Security Officer Comments:
As of writing it is unclear how Atomic is being distributed. However, typically methods of distribution for info-stealers include phishing emails, fake download pages under the guise of legitimate software, and through the exploitation of known vulnerabilities. According to researchers, the malware is being propagated as unsigned dmg files which when executed prompt the victim to enter their system credentials.
“The Atomic stealer artifact, submitted to VirusTotal on April 24, 2023, also bears the name "Notion-7.0.6[.]dmg," suggesting that it's being propagated as the popular note-taking app. Other samples unearthed by the MalwareHunterTeam are distributed as "Photoshop CC 2023[.]dmg" and "Tor Browser[.]dmg.”
If the victim falls for this lure, the malware is able to escalate privileges and perform its various info-stealing tasks. “Atomic then proceeds to harvest system metadata, files, iCloud Keychain, as well as information stored in web browsers (e.g., passwords, autofill, cookies, credit card data) and crypto wallet extensions, all of which are compressed into a ZIP archive and sent to a remote server. The ZIP file of the compiled information is then sent to pre-configured Telegram channels” (The Hacker News, 2023).
Suggested Corrections:
Avoid downloading software from third party sites as actors will typically host domains offering fake software downloads to infect unsuspecting users with malicious payloads. It also important that organizations train their employees on how to detect and avoid phishing emails as these are also leveraged as an initial infection vector.
Link:
https://thehackernews.com/2023/04/new-atomic-macos-stealer-can-steal-your.html