FOCUS MODE
EXTRACT IOC
Threat Research

Atomic Stealer: Dissecting 2024’s Most Notorious macOS Infostealer

Picussecurity
Atomic Stealer: Dissecting 2024’s Most Notorious macOS Infostealer
The Atomic macOS Stealer (AMOS) is a sophisticated malware that targets macOS systems to extract sensitive user information such as passwords, cryptocurrency wallet data, and browser cookies. The malware employs deceptive tactics like phishing and disguised applications to bypass security measures, making it a significant threat to macOS users. Affected: macOS systems, users with sensitive information, cryptocurrency wallets

Keypoints :

  • Atomic macOS Stealer (AMOS) is designed for data exfiltration from macOS users.
  • It collects sensitive information, including Keychain passwords and cryptocurrency wallets.
  • AMOS utilizes techniques such as deceptive ads and counterfeit applications for distribution.
  • It employs AppleScript to harvest passwords and obfuscate its operations.
  • The malware executes data exfiltration via HTTP POST requests to command-and-control servers.
  • Effective defenses against AMOS include behavioral monitoring and incident response preparations.

MITRE Techniques :

  • Initial Access (TA0001) – T1566.002: Phishing via spearphishing links and fake application installers.
  • Execution (TA0002) – T1204.002: User execution of malicious files, often through deceptive installer prompts.
  • Execution (TA0002) – T1059.002: Command and scripting interpreter using AppleScript for malicious prompts.
  • Defense Evasion (TA0005) – T1027: Obfuscation through XOR encoding to evade detection.
  • Credential Access (TA0006) – T1555.001: Captures user passwords and accesses the macOS Keychain.
  • Discovery (TA0007): Gathers system information using various commands to tailor TTPs.
  • Collection (TA0009) – T1005: Collects data from local systems including cookies and notes.
  • Exfiltration (TA0010) – T1041: Exfiltration of collected data over command-and-control channels.

Indicator of Compromise :

  • [URL] aricl[.]net
  • [IP Address] 193.233.132.188
  • [IP Address] 46.101.104.172
  • [File] Cookies.binarycookies
  • [File] NoteStore.sqlite

Full Story: https://www.picussecurity.com/resource/blog/atomic-stealer-amos-macos-threat-analysis

Views: 29

Tags: PHISHING, EDR, DISCOVERY, APPLE, IMPACT, MACOS, BROWSER, RECONNAISSANCE