Uncovering Atomic Stealer (AMOS) Strikes And The Rise Of Dead Cookies Restoration – Cyble

Key Takeaways

• CRIL discovered phishing websites pretending to be popular Mac applications and are spreading the Atomic Stealer (AMOS).
• At the time of publishing this analysis, these deceptive sites were operational.
• AMOS demonstrates continuous evolution with frequent updates, reflecting the developer’s unwavering commitment to refining its functionalities for malicious purposes.
• A recent enhancement in AMOS allows it to revive expired Google Chrome cookies, indicating a new trend in the InfoStealer landscape.
• We observed the release of a free code on a cybercrime forum that can revive dead cookies. This method was previously speculated to be sold for $500 around October 2023.
• This has spurred a trend of InfoStealers incorporating this technique.
• On January 20, 2024, Xehook Stealer was released, and within 2-3 days, the TA swiftly integrated the cookie revival feature, signifying a growing trend among InfoStealers
• The Command and Control center (C&C) used by all AMOS stealer payloads was mentioned in a report published in the second week of January, indicating a potential connection in campaigns or Threat Actors(TAs).

Overview

Cyble Research and Intelligence Labs (CRIL) found an updated version of AMOS Stealer being distributed through deceptive websites posing as genuine Mac applications, including Parallels Desktop, CleanMyMac, Arc Browser, and Pixelmator. Historically, the AMOS stealer has been disseminated through malvertising via Google Ads, serving as the main distribution method. In this approach, users searching for popular software, whether legitimate or cracked, on search engines encounter misleading ads that lead to websites hosting fraudulent installers. While we haven’t observed these fake sites utilizing SEO poisoning, there’s a possibility that TAs may employ this technique in the future to target a larger audience.

CRIL first discovered Atomic macOS Stealer (AMOS) in April 2023. This macOS-targeting malware is constantly refined by its developer and has added multiple new features since its discovery.

Atomic macOS Stealer (AMOS) is capable of stealing sensitive data from Mac devices. Its extensive reach spans across multiple browsers, allowing it to extract auto-fills, passwords, cookies, and financial details from various wallets.

However, AMOS goes beyond mere data theft. The threat actor (TA) responsible for AMOS offers additional services like a web panel, MetaMask brute-forcing, crypto checking, and a DMG installer. Surprisingly, these services used to cost $1000 each month, and now it has been raised to $3000 per month with few additional services. AMOS stealer has also joined the list of stealers who are offering services to revive dead cookies on Google Chrome.

The figure below shows the Telegram post.

Figure 1 – Telegram Post

Free Code Released for Restoring expired Google Chrome Cookies

On January 11, 2024, a TA shared a Curl command and Python code on a cybercrime forum, offering a method to restore expired Google Chrome cookies for free. Interestingly, a TA claimed that this method for restoring cookies was previously sold for $500 around October 2023.

Figure 2 – Post on cybercrime forum

While researchers have identified the technique employed by these TAs for restoring dead cookies, the release of free Code raises concerns, as it opens the door for various low-profile threat actors to incorporate this method into their malware payloads. The image below illustrates the post made on the cybercrime forum.

Figure 3 – Code for Reviving Dead Cookies

Furthermore, the TA also disclosed the Code for extracting the OAuth token and Account ID from the Google Chrome browser a few days later. Given the prevalence of Python-based stealers in the wild, there is a significant likelihood that this feature will be integrated into such malicious tools.

Figure 4 – Code for fetching tokens

Xehook Stealer surfaced on a cybercrime forum on January 20, 2024. Just three days after this appearance, the TA responsible for Xehook Stealer posted an update introducing a feature to restore dead Google Chrome cookies. This development strongly supports the assertion that TAs have indeed begun leveraging this particular method.

Figure 5 – Xehook stealer

Initial Infection

We found Atomic Stealer spreading through the following sites:

• hxxps://parallelsdesktop[.]pro

Figure 6 – Fake Site mimicking Parallels Desktop

• hxxps://cleanmymac[.]pro/

Figure 7 – Fake Site mimicking CleanMyMac

• hxxps://arcbrowser[.]pro/

Figure 8 – Fake Site mimicking Arc Browser

• hxxps://pixelmator[.]pics/

Figure 9 – Fake Site mimicking Pixelmator Pro

Furthermore, our examination unveiled a shared attribute among all the stealer payloads—they were utilizing the C&C server “5[.]42[.]65[.]108.” Notably, this C&C server had been previously documented in a report on Atomic Stealer by Malwarebytes. This correlation implies that these malware payloads might belong to the same campaign, or potentially, the same TA could be orchestrating their execution.

Technical Analysis

For our analysis, we have downloaded the “ArcBrowser.dmg” file from a phishing site, and its SHA256 hash is f81f1dfc07e5b84cd158ed24ec60ac43a2d2427835d4d1a21b8f8622b7b706a6.

Figure 10 – Execution of the DMG file

Upon running the file, a password prompt is presented to the user along with the message, as illustrated in the figure below, to acquire the system password.

Figure 11 – Code snippet for password prompt

System Information

Furthermore, in addition to acquiring the system password, the stealer utilizes the system_profiler, a built-in tool in macOS, to obtain extensive information regarding the configuration of the Mac computer.

• system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType

The command depicted in the following code snippet generates a comprehensive report that includes information about software, hardware, and displays and subsequently saves it to a text file.

• SPSoftwareDataType: It retrieves data such as the macOS version, system software configuration, installed applications with versions, and information about software updates.
• SPHardwareDataType: It provides details on the Mac’s model, processor type and speed, memory specifications, storage information, and other hardware components.
• SPDisplaysDataType: It captures information about connected monitors, including their models and resolutions, graphics card details, and supported display modes.

Figure 12 – Collecting system information

The stealer employs a novel encryption method to conceal strings within the file, decrypting and retrieving the actual strings dynamically at runtime.

Browser Data

After that, the stealer queries the directories of installed browsers on the victim’s system, looking for specific browser-related files to extract sensitive data as shown in the figure below, including:

• /Cookies
• /Network/Cookies
• /Login Data
• /Web Data

The malware is designed to pilfer files from a range of Chromium-based browsers, encompassing:

• Safari
• Chrome
• Brave
• Edge
• Opera
• OperaGX
• Vivaldi

Figure 13 – Code snippet of targeting Chromium browser-related data

Next, the malware uses the fivenet() function to extract Mozilla Firefox data from the profile directory, as shown in the code snippet below.

Figure 14 – Code snippet of extracting Firefox data

This includes retrieving information from specific files such as:

• /cookies.sqlite: Contains details about cookies utilized by Firefox.
• /formhistory.sqlite: Stores information about the user’s input history in web forms.
• /key4.db: A component of the Firefox profile containing cryptographic key data.
• /logins.json: This file holds login and password information for various websites.

Crypto Wallets

Subsequently, the stealer initiates the extraction of information pertaining to crypto-wallets, as demonstrated in the code snippet below. This involves querying and reading files from designated directories, with a focus on crypto wallets such as:

• Electrum
• Binance
• Exodus
• Atomic
• Coinomi

Figure 15 – Code snippet of targeting Crypto-wallet

Additionally, the stealer executes a command aimed at fetching the password linked to the label ‘Chrome’ from the macOS keychain, specifically targeting the Google Chrome application, as shown below.

Figure 16 – Keychain password extraction

File Grabber

The stealer also utilizes an AppleScript, as depicted in the figure below, serving as a file grabber that employs the Finder application to organize and copy specific files into a folder named “fg” within the user’s home directory.

Figure 17 – Applescript for File grabber function

The targeted files include Cookies.binarycookies from Safari’s Cookies folder and certain files (NoteStore.sqlite, NoteStore.sqlite-shm, NoteStore.sqlite-wal) from the Notes folder. Additionally, the script scans through files on the Desktop and Documents folder, selectively copying files with extensions such as txt, png, jpg, jpeg, wallet, keys, and key.

These file operations are subject to a cumulative size constraint of 10 megabytes. This ensures that the “fg” folder’s total file size remains below 10 megabytes. Exceeding this limit during file transfers to the C&C server may result in network bandwidth issues, server limitations, and timeouts.

Subsequently, all the gathered data is consolidated into a single directory. Following this, the malware takes snapshots of the target’s computer and stores them in the same folder.

Command-and-Control (C&C) Server

Finally, the threat actor utilizes the sentdata() function to send the logs in a ZIP archive to the Command and Control (C&C) server via port 80, employing the predefined UUID “1d67bafb-96d7-4864-aae0-e9854ff6db9b” at the following IP address, as shown in the below code snippet.

• 5[.]42[.]65[.]108 and port: 80.

Figure 18 – C&C exfiltration

Conclusion

The concerning trend of Phishing websites posing as genuine Mac applications serves as a channel for the distribution of the Atomic Stealer (AMOS). The dynamic evolution of AMOS, marked by frequent updates, underscores the TA’s motivation to be stealthier. Particularly noteworthy is AMOS’s newfound ability to revive expired Google Chrome cookies, representing a substantial transformation in the InfoStealer landscape.

The alarming aspect is the free availability of Code for cookie revival on a cybercrime forum, initially valued at $500, now susceptible to abuse by a broad spectrum of Threat Actors (TAs), particularly those with low profiles.

Our Recommendations

• Download and install software exclusively from the official Apple App Store.
• Utilize a reputable antivirus and internet security software package on your system.
• Implement strong passwords and enable multi-factor authentication whenever feasible.
• Activate biometric security features like fingerprint or facial recognition for device unlocking when available.
• Exercise caution when opening links received through emails.
• Be mindful when granting permissions to applications.
• Ensure your devices, operating systems, and applications are regularly updated.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

Yara Rule

rule Atomic_Stealer

{

meta:

            author = “Cyble Research and Intelligence Labs”

            description = “Detects Atomic_Stealer files”

            date = “2024-01-16”

            os = “MacOS”

            hash = “59060a3cf38453225891c7c9871d867340f95d027c910ede1f14947dda983a19”

strings:

            $a1  = “FileGrab” ascii nocase

            $a2  = “find-generic-password -ga” ascii nocase

            $a3  = “Cookies.binarycookies” ascii nocase

            $a4  = “5.42.65.” ascii nocase

            $a5  = “Binance” ascii nocase

condition:

            uint32(0) == 0xbebafeca and all of them

}

References

Source: https://cyble.com/blog/uncovering-atomic-stealer-amos-strikes-and-the-rise-of-dead-cookies-restoration/