A new piece of malware that can be used to attack macOS users is being offered on the Telegram communication service. As the security company Cyble Research reports, the so-called Atomic macOS Stealer, AMOS for short, steals a variety of data from Macs, including keychains, browser passwords and cookies, and numerous crypto wallets. The software is distributed by criminals at a price of 1,000 US dollars a month, the report says.

AMOS was developed in Go, the programming language published by Google. According to Cyble Research, the makers are said to regularly improve the malware and advertise it with new functions. The last update was on April 25th. The “target group” is therefore primarily attackers who are after their victims’ money, which can also be deduced from the relatively high price that the group behind AMOS demands.

Rental malware is also often offered for the Mac; frequently it is an offshoot of well-known PC malware that has been ported to macOS. AMOS, by contrast, seems to have been developed specifically for Apple devices. The malware is sold as an installation file and can be customized by the buyer, writes Cyble Research. It is controlled via a command-and-control (C&C) server that the creators have under their control; this way they are also able to demand their “subscription fee”.

In practice, AMOS has a total of six main functions: First, the keychain and the passwords it contains are extracted, then the wallets of various apps such as Binance, Exodus or Electrum (including an attempt to decrypt the MetaMask private keys). It continues with the theft of central data from well-known browsers such as Chrome and its derivatives and Firefox. Finally, previously specified files can also be extracted from the system, and a system information file containing the technical data of the attacked system is created.

However, for AMOS to work at all, victims must be tricked into entering their password. A fake password prompt for the system settings appears. It does not look very real. However, the malware even provides “instructions” on how the user is to operate it. In addition, the app cannot be run immediately because it lacks a developer signature; users have to go through the “Open” dialog here.


(bsc)
