Monday, February 17, 2025

Hackers are Selling a new Atomic macOS (AMOS) Stealer on Telegram


Atomic macOS Stealer (AMOS) is a recently identified information-stealing malware that targets macOS systems to harvest confidential data.

The malware was discovered by Cyble Research and Intelligence Labs (CRIL) on a Telegram channel where the threat actor was advertising it for sale. The channel listed the most recent update to the malware as April 25th.

Alongside the stealer itself, the threat actor advertised add-on services: a web panel, a MetaMask brute-forcer for seed phrases and private keys, a DMG installer, and a crypto checker. The advertised price for the package was $1,000 per month.

Telegram advertisement of AMOS

Technical Analysis

The sample was distributed as a file named "Setup.dmg". A .dmg file is an Apple disk image, the format commonly used to ship application installers on macOS, so the name is chosen to pass as a legitimate installer.

Further analysis showed that the malware goes beyond stealing passwords and sensitive files: it also harvests Wi-Fi passwords, credit card information, and browser data such as autofill entries, saved passwords, and cookies.

Before it begins collecting data, the malware displays a fake system password prompt to trick the victim into typing their macOS account password. The login keychain is protected by that same password, so capturing it gives the stealer the means to unlock its contents.

Keychain Extraction

Keychain is the macOS credential store that holds saved passwords, Wi-Fi network credentials, certificates and keys, and administrative passwords. AMOS extracts the keychain contents, handing the attacker the keys for built-in and connected network credentials, stored credit card details, and macOS account passwords.

Keychain Extraction

Crypto Wallet Theft

The malware also targets cryptocurrency wallets, stealing data from desktop wallets such as Electrum, Binance, Atomic, and Exodus. In addition, it carries a list of browser wallet extensions, the kind vendors provide so customers can reach their wallets from the browser, and collects the data those extensions store.


Control Panel Services

Buyers can also be given access to an admin panel from which they manage the stolen information; the panel is an add-on service sold by the threat actor.

C&C Panel for AMOS

Browser-Information Extraction

Browser data including autofill entries, saved credit cards, passwords, and cookies can be stolen by the malware. It is written to locate the relevant profile files of several browsers: Opera, Firefox, Chrome, Yandex, Edge, and Vivaldi.

Desktop and Documents File Grabbing

The malware steals files from the victim's Desktop and Documents directories if the victim grants it access. On current macOS versions, an application's first attempt to read these folders triggers a Transparency, Consent, and Control (TCC) permission prompt; once the victim clicks through it, the malware collects the files in both directories and uploads them to the C&C server.

Malware asking for permission from the victim
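Because the Desktop and Documents grab depends on a TCC grant, one practical hunt on a suspected host is to review which clients have been allowed those two folders. The Python below is an added example, not code from the article or from Cyble: it runs the check against an in-memory table that mirrors a subset of the columns of the macOS TCC database (service, client, client_type, auth_value) filled with constructed rows, including one path-identified client running straight from a mounted disk image. Assumptions to verify on your macOS version: auth_value 2 means "allowed", client_type 1 means the client is identified by filesystem path rather than bundle ID, and the per-user database lives at ~/Library/Application Support/com.apple.TCC/TCC.db, which requires Full Disk Access to read.

```python
import sqlite3

# Real location of the per-user TCC database (reading it requires Full Disk Access):
#   ~/Library/Application Support/com.apple.TCC/TCC.db
# TCC service names that gate access to the two folders the stealer grabs.
FOLDER_SERVICES = {
    "kTCCServiceSystemPolicyDesktopFolder": "Desktop",
    "kTCCServiceSystemPolicyDocumentsFolder": "Documents",
}
AUTH_ALLOWED = 2  # assumption: auth_value 2 == "allowed" on macOS 11 and later

# Constructed sample rows mirroring a subset of the TCC.db "access" table.
# (service, client, client_type, auth_value); client_type 0 = bundle ID, 1 = path.
SAMPLE_ROWS = [
    ("kTCCServiceSystemPolicyDesktopFolder", "com.apple.Terminal", 0, 2),
    ("kTCCServiceSystemPolicyDocumentsFolder", "com.microsoft.VSCode", 0, 2),
    ("kTCCServiceSystemPolicyDesktopFolder", "/Volumes/Setup/Setup.app/Contents/MacOS/Setup", 1, 2),
    ("kTCCServiceSystemPolicyDocumentsFolder", "/Volumes/Setup/Setup.app/Contents/MacOS/Setup", 1, 2),
    ("kTCCServiceSystemPolicyDocumentsFolder", "com.example.denied", 0, 0),
    ("kTCCServiceCamera", "us.zoom.xos", 0, 2),
]


def load_sample_db():
    """Build an in-memory stand-in for TCC.db with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_folder_grants(conn, allowlist=frozenset()):
    """Return (client, folder, reason) for every allowed Desktop/Documents grant not on the allowlist.

    Works against any connection whose 'access' table has the four columns used here,
    so it can be pointed at a copy of a real TCC.db once you have Full Disk Access.
    """
    findings = []
    placeholders = ",".join("?" * len(FOLDER_SERVICES))
    rows = conn.execute(
        f"SELECT service, client, client_type FROM access "
        f"WHERE auth_value = ? AND service IN ({placeholders})",
        (AUTH_ALLOWED, *FOLDER_SERVICES),
    ).fetchall()
    for service, client, client_type in rows:
        if client in allowlist:
            continue
        # A path-identified client under /Volumes/ is something running directly
        # from a mounted disk image, which is how a "Setup.dmg" lure would appear.
        if client_type == 1 and client.startswith("/Volumes/"):
            reason = "path-identified client running from a mounted disk image"
        else:
            reason = "not on allowlist"
        findings.append((client, FOLDER_SERVICES[service], reason))
    return sorted(findings)


if __name__ == "__main__":
    db = load_sample_db()
    for client, folder, reason in find_folder_grants(db, {"com.apple.Terminal", "com.microsoft.VSCode"}):
        print(f"{folder:<9} {client}  ({reason})")
```

Run as-is, the script flags only the two grants held by the disk-image binary; drop the allowlist and the Terminal and VS Code grants appear too, which is the point of keeping a per-fleet allowlist of expected clients.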

Hardware Information

The malware also collects system hardware details such as the hardware UUID, device model name, RAM size, CPU core count, serial number, and similar identifiers.

Processing the Stolen Information

Once collection is complete, the data is packed into a ZIP archive and base64-encoded for exfiltration. The encoded archive is then sent over HTTP to hxxp[:]//amos-malware[.]ru/sendlog, which acts as the C&C server.
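As an added example (not code from the article or from Cyble's report), the following Python script shows two things a responder would do with the exfiltration described above: unwrap a captured POST body by reversing the base64 and ZIP layers, and flag proxy log entries for POSTs to the /sendlog endpoint on the C&C host. The archive contents, file names and proxy log lines are constructed for the demonstration; only the host and path come from the indicator given in the article.

```python
import base64
import binascii
import io
import zipfile

# Indicator from the article: hxxp[:]//amos-malware[.]ru/sendlog
C2_HOST = "amos-malware.ru"
C2_PATH = "/sendlog"


def build_sample_payload():
    """Constructed stand-in for a stealer log: ZIP of fake files, then base64, as the article describes.

    File names and contents are invented for the demo; they are not taken from a real sample.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Hardware.txt", "model: MacBookPro (constructed)\nram: 16 GB\n")
        zf.writestr("Cookies/Chrome/Default.txt", "session=DEMO-COOKIE-VALUE\n")
        zf.writestr("Wallets/Exodus/seed.seco", b"\x00DEMO-WALLET-BLOB\x00")
        zf.writestr("Files/Desktop/notes.txt", "constructed desktop file\n")
    return base64.b64encode(buf.getvalue()).decode("ascii")


def decode_exfil_payload(b64_body):
    """Decode a captured POST body: base64 -> ZIP -> sorted list of (name, size).

    Raises ValueError if the body is not base64 or does not decode to a ZIP archive.
    """
    try:
        raw = base64.b64decode(b64_body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"body is not valid base64: {exc}") from None
    if not raw.startswith(b"PK\x03\x04"):
        raise ValueError("decoded body does not start with the ZIP local-file-header magic")
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return sorted((info.filename, info.file_size) for info in zf.infolist())


def summarize(entries):
    """Count archive entries by top-level directory, e.g. {'Cookies': 1, 'Wallets': 1, ...}."""
    counts = {}
    for name, _ in entries:
        top = name.split("/", 1)[0]
        counts[top] = counts.get(top, 0) + 1
    return counts


# Constructed proxy log lines: timestamp, client IP, method, URL, status, request bytes.
SAMPLE_PROXY_LOG = """\
2023-04-26T10:01:58Z 10.0.0.12 GET http://example.org/index.html 200 0
2023-04-26T10:02:11Z 10.0.0.12 POST http://amos-malware.ru/sendlog 200 48213
2023-04-26T10:02:40Z 10.0.0.17 POST https://intranet.example/upload 200 1024
2023-04-26T10:03:05Z 10.0.0.12 POST http://AMOS-MALWARE.RU/sendlog 200 51100
"""


def find_c2_posts(log_text):
    """Return (client_ip, url) for every POST whose host is the C2 host and whose path is /sendlog."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "POST":
            continue
        url = parts[3]
        scheme_sep = url.find("://")
        if scheme_sep < 0:
            continue
        host, _, path = url[scheme_sep + 3:].partition("/")
        host = host.split(":", 1)[0].lower()  # drop any port; hostnames are case-insensitive
        if host == C2_HOST and "/" + path == C2_PATH:
            hits.append((parts[1], url))
    return hits


if __name__ == "__main__":
    entries = decode_exfil_payload(build_sample_payload())
    print("archive entries:", entries)
    print("by category:", summarize(entries))
    print("C2 posts:", find_c2_posts(SAMPLE_PROXY_LOG))
```

The magic-byte check matters in practice: a body that is valid base64 but decodes to something other than a ZIP is a sign you have captured a different request (or a variant that changed its packing), and it is better to fail loudly than to feed garbage to the archive parser.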

Configuring with Telegram

A notable feature is that the malware can be configured with a Telegram channel that receives a summary of each infection, including counts of stolen cookies, wallets, passwords, and other items.

Cyble has released a complete analysis report on this malware. Although macOS is often regarded as secure by default, AMOS shows that Mac endpoints are an active target, and organizations should defend them with the same rigor they apply elsewhere.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
