Atomic macOS Stealer - Backdoor allows hackers to remotely access the victim's machine

Nam Anh Mai D.

Atomic macOS Stealer (AMOS), an infostealer targeting macOS users, has recently made a significant leap from a simple information-stealing tool to a sophisticated, persistent threat capable of maintaining long-term access to compromised systems.

Specifically, a report published on the Polyswarm blog by The Hivemind notes that AMOS now carries a backdoor that survives reboots, provides remote access, deploys additional malware on the victim's machine, and readily bypasses macOS defenses.

According to the latest statistics, AMOS campaigns have affected victims in over 120 countries, with the US, France, Italy, the UK, and Canada the most heavily impacted. The malware spreads mainly through two channels:

  1. Websites offering cracked software or fake, malware-laden applications.

  2. Sophisticated spear-phishing campaigns targeting individuals, especially cryptocurrency holders, high-profile people, and freelancers.

One common AMOS lure is a fake job interview process: victims are tricked into installing a .DMG file containing the malware and are then asked to enter their system password under the pretense of "activating screen-sharing software." Once the file is executed, AMOS is deployed and begins stealing sensitive data such as browser passwords and cryptocurrency wallet seed phrases, while also installing a backdoor to maintain access to the system. Security experts also warn that a keylogger may be under development alongside AMOS, which would significantly increase the malware's data-theft capability.

The Hivemind report also states that, to persist longer on the victim's system, AMOS has implemented the following mechanisms:

  1. Installs .helper as a hidden file in the user's home directory and deploys a wrapper script named .agent to keep the backdoor running continuously.

  2. Creates a LaunchDaemon labeled com.finder.helper, installed via AppleScript, so the backdoor starts with the system.

  3. Communicates with the C2 server through HTTP POST requests every 60 seconds.

  4. Obfuscates its strings and uses system_profiler to detect sandbox and virtualized environments in order to evade detection.
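As an added defender-side example (not from the report or the original post), the following shell function hunts for the file-system artifacts listed above: the hidden .helper and .agent files in the home directory and any launchd plist carrying the label com.finder.helper. The names and label come from the page; the optional root and home parameters, and the extra scan of the LaunchAgents folders alongside /Library/LaunchDaemons, are assumptions added so the checks can be run against a test directory tree.

```bash
#!/bin/sh
# Hunt for the AMOS persistence artifacts described in the report.
# Prints one "HIT ..." line per finding on stderr and the total hit
# count on stdout, so it can be used both interactively and in scripts.
#
# Usage: amos_persistence_hunt [ROOT] [HOME_DIR]
#   ROOT     filesystem root to inspect (default: the live system, "")
#   HOME_DIR home directory to inspect for hidden droppers (default: $HOME)
# Both parameters are an assumption added for testing; on a real Mac
# call it with no arguments.
amos_persistence_hunt() {
  root="${1:-}"
  home="${2:-$HOME}"
  hits=0

  # 1. Hidden helper binary and wrapper script dropped in the home directory.
  for f in .helper .agent; do
    if [ -e "$home/$f" ]; then
      echo "HIT hidden file: $home/$f" >&2
      hits=$((hits + 1))
    fi
  done

  # 2. launchd plists whose Label is com.finder.helper. The label, not the
  #    plist filename, is what the report describes, so every plist in the
  #    persistence directories is inspected.
  for dir in "$root/Library/LaunchDaemons" \
             "$root/Library/LaunchAgents" \
             "$home/Library/LaunchAgents"; do
    [ -d "$dir" ] || continue
    for plist in "$dir"/*.plist; do
      [ -f "$plist" ] || continue
      if grep -F -q '<string>com.finder.helper</string>' "$plist"; then
        echo "HIT launch item: $plist" >&2
        hits=$((hits + 1))
      fi
    done
  done

  echo "$hits"
  return 0
}
```

A non-zero count means at least one of the reported artifacts is present and the host should be isolated for a fuller investigation; a zero count only rules out these specific names, not other AMOS variants.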

Recommendations & Mitigation

The consequences for macOS users are serious: AMOS has gone far beyond a traditional information-stealing tool and now poses a risk of prolonged intrusion. As AMOS continues to evolve, user awareness and advanced endpoint protection are crucial to safeguarding macOS systems against this persistent and growing threat.

Measures users can take to prevent infection and reduce the impact of this type of malware include:

  1. Use software from reputable, verified providers: Only download software from the App Store or official websites, and avoid cracked software or suspicious links.

  2. Do not open files or links from unexpected emails or messages, especially if they ask for your system password.

  3. Regularly apply software and security updates: keep macOS and applications up to date to fix security vulnerabilities.

  4. Use security measures: Install antivirus software for macOS and regularly scan the system.

IOCs


References

  1. Atomic Stealer Evolves