New Atomic MacOS Stealer malware identified

There’s more Mac malware doing the rounds, actively being sold as malware as a service on Telegram and the dark net.

The malware, called AtomicStealer, Atomic macOS Stealer or AMOS, enables nefarious characters to create malware to wreak havoc with Mac systems.

Someone has been seen on the Telegram social network offering AtomicStealer as a service for $1,000 per month. This is one of a number of newer malware as a service offerings, which seems to be an increasing trend.

“The Atomic macOS Stealer can steal various types of information from the victim’s machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password,” said Cyble who reported the malware.

How does AtomicStealer get into your Mac?

AtomicStealer is very clever in how it works. Once on a target machine, it shows a fake login popup on the desktop that looks identical to the macOS version.

It is delivered as an unsigned disk image file called Setup.dmg. When executed, the file creates a fake login popup and requests an escalation login to be able to run the file.

The file has been seen in a few guises and seems to be offered as downloads of popular apps.

The MalwareHunter team has also identified fake Photoshop and MyGo files containing the malware.

What does AtomicStealer do next?

Once the user logs in, the details are recorded and reported back to the malware server.

Once inside, AtomicStealer can deliver a number of payloads. It’s up to the user of the malware what payload they want to use, and there seems to be several.

It seems mainly interested in capturing Keychain passwords, recording passwords from elsewhere on your system and setting stay-logged-in session cookies for all browsers.

It also harvests any credit card details stored in your browser and any autofill information you have.

There is also a payload that purportedly steals crypto from up to 50 different types of digital wallet.

Those wallets include more popular options like Atomic, Binance, Coinomi, Electrum, and Exodus.

Once the data has been collected, it’s zipped up and sent to a remote server, which in turn, pings a dedicated Telegram channel to notify the person managing the malware.

Gamer variant of AtomicStealer

If anyone in your business is a gamer, there’s also a special version of AtomicStealer that targets them.

First detected by SentinelOne, this version appears as a game installer. This is a more limited version that targets browser data and crypto wallets.

How to protect against AtomicStealer

There is no data yet telling us whether AtomicStealer is targeting businesses or not, but it’s safe to assume it is.

As far as we know right now, AtomicStealer is mainly being delivered as a download. Either a fake file, game installer or within a copy of pirated software.

The best way to protect against it is to block downloads and educate Mac users on staff to the risk.

Alerting users to the threat vector and common symptoms, including the fake login popup is the most effective way to avoid this type of attack.

It may also be beneficial to ensure your security solution is updated to scan for AtomicStealer indicators of compromise, which are readily available.