{"id":25194,"date":"2024-09-12T11:21:43","date_gmt":"2024-09-12T19:21:43","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/09\/12\/news-18924\/"},"modified":"2024-09-12T11:21:43","modified_gmt":"2024-09-12T19:21:43","slug":"news-18924","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/09\/12\/news-18924\/","title":{"rendered":"Atomic macOS Stealer leads sensitive data theft on macOS"},"content":{"rendered":"<p><strong>Credit to Author: Jagadeesh Chandraiah| Date: Fri, 06 Sep 2024 11:04:28 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>There was historically a tendency to believe that macOS was less susceptible to malware than Windows, possibly because the operating system has <a href=\"https:\/\/learn.g2.com\/operating-system-statistics\" target=\"_blank\" rel=\"noopener\">less market share<\/a> than Windows, and <a href=\"https:\/\/simplemdm.com\/blog\/how-secure-are-macs\/\" target=\"_blank\" rel=\"noopener\">a native suite of security features<\/a> that require malware developers to adopt different approaches. The belief was that, if it was susceptible at all, it was to odd, unconventional attacks and malware. But, over time, that\u2019s changed. Mainstream malware is now beginning to hit macOS regularly (albeit not to the same extent as Windows), and <a href=\"https:\/\/news.sophos.com\/en-us\/tag\/information-stealers\/\" target=\"_blank\" rel=\"noopener\">infostealers<\/a> are a prime example of this. 
In our telemetry, stealers account for over 50% of all macOS detections in the last six months, and Atomic macOS Stealer (AMOS) is one of the most common families we see.<\/p>\n<p>AMOS, <a href=\"https:\/\/cyble.com\/blog\/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram\/\" target=\"_blank\" rel=\"noopener\">first reported by Cyble in April 2023<\/a>, is designed to steal sensitive data \u2013 including cookies, passwords, autofill data, and the contents of cryptocurrency wallets \u2013 from infected machines, and send it back to a threat actor. At that point, a threat actor may use the stolen information themselves \u2013 or, more likely, sell it to other threat actors on criminal marketplaces.<\/p>\n<p>The market for this stolen data \u2013 known as \u2018logs\u2019 in the cybercrime underground \u2013 is <a href=\"https:\/\/blog.sekoia.io\/overview-of-the-russian-speaking-infostealer-ecosystem-the-logs\/\" target=\"_blank\" rel=\"noopener\">large and very active<\/a>, and the price of AMOS has tripled in the past year \u2013 which speaks both to the desire to target macOS users and the value of doing so to criminals.<\/p>\n<p>While AMOS is not the only player in town \u2013 rivals include <a href=\"https:\/\/www.sentinelone.com\/blog\/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks\" target=\"_blank\" rel=\"noopener\">MetaStealer<\/a>, <a href=\"https:\/\/www.darkreading.com\/endpoint-security\/sophisticated-macos-infostealers-apple-built-in-detection\">KeySteal, and CherryPie<\/a> \u2013 it is one of the most prominent, so we\u2019ve put together a brief guide on what AMOS is and how it works, to help defenders get a handle on this increasingly prevalent malware.<\/p>\n<h1>Distribution<\/h1>\n<p>AMOS is advertised and sold on <a href=\"https:\/\/www.sentinelone.com\/blog\/atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram\/\" target=\"_blank\" rel=\"noopener\">public 
Telegram channels<\/a>. Back in May 2023, it was available for $1000 a month (a \u2018lifetime\u2019 licence, price undisclosed, was also available), but we can report that as of May 2024, the cost appears to have increased to $3000 a month. As shown in the screenshot below, the AMOS advert includes a sizeable list of targeted browsers (with the ability to steal cookies, passwords, and autofill information), cryptocurrency wallets, and sensitive system information (including the Apple keychain and the macOS password).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957195\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image1.png\" alt=\"A screenshot of a Telegram channel listing various features of AMOS, some in Russian and some in English\" width=\"640\" height=\"624\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image1.png 1101w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image1.png?resize=300,292 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image1.png?resize=768,748 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image1.png?resize=1024,998 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: An advert for AMOS on a Telegram channel. 
Note the price of $3000 at the bottom of the screenshot<\/em><\/p>\n<h1>Initial infection vectors<\/h1>\n<p>From what we\u2019ve observed in our telemetry, and from what <a href=\"https:\/\/www.intego.com\/mac-security-blog\/atomic-stealer-amos-mac-malware-spreads-via-malicious-google-ads\/\" target=\"_blank\" rel=\"noopener\">other researchers have discovered<\/a>, many threat actors are infecting targets with AMOS via <a href=\"https:\/\/news.sophos.com\/en-us\/tag\/malvertising\/\" target=\"_blank\" rel=\"noopener\">malvertising<\/a> (a technique whereby threat actors abuse valid online advertisement frameworks to direct users towards malicious sites containing malware) or \u2018SEO poisoning\u2019 (leveraging search engine ranking algorithms to get malicious sites to the top of search engine results). When unsuspecting users search for the name of a particular software or utility, the threat actor\u2019s site appears prominently in the results \u2013 and will offer a download, which typically imitates the legitimate application but secretly installs malware on the user\u2019s machine.<\/p>\n<p>Some of the legitimate applications we\u2019ve seen AMOS imitate in this manner include: <a href=\"https:\/\/www.notion.so\/\" target=\"_blank\" rel=\"noopener\">Notion<\/a>, a productivity app; <a href=\"https:\/\/trello.com\/\" target=\"_blank\" rel=\"noopener\">Trello<\/a>, a project management tool; <a href=\"https:\/\/arc.net\/\" target=\"_blank\" rel=\"noopener\">the Arc browser<\/a>; <a href=\"https:\/\/slack.com\/intl\/en-gb\" target=\"_blank\" rel=\"noopener\">Slack<\/a>; and <a href=\"https:\/\/todoist.com\/\" target=\"_blank\" rel=\"noopener\">Todoist<\/a>, a to-do-list application.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957196\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image2.png\" alt=\"A screenshot of a 
malicious domain imitating the legitimate Slack website\" width=\"640\" height=\"433\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image2.png 1377w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image2.png?resize=300,203 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image2.png?resize=768,519 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image2.png?resize=1024,692 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 2: A malicious domain imitating the legitimate Slack domain, in order to trick users into downloading an infostealer<\/em><\/p>\n<p>However, AMOS\u2019s malvertising also extends to social media. For instance, we observed a malvertising campaign on X.com, leading to a fake installer for \u2018Clean My Mac X\u2019 (a legitimate macOS application) hosted on a lookalike domain of macpaw[.]us, which deceptively mimics <a href=\"https:\/\/macpaw.com\/\" target=\"_blank\" rel=\"noopener\">the real website<\/a> for this product.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957197\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image3.png\" alt=\"A screenshot of a post on X, which points users to a malicious domain imitating a genuine domain. 
There is a preview of the site in the post, showing a man pointing to a computer\" width=\"640\" height=\"616\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image3.png 977w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image3.png?resize=300,289 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image3.png?resize=768,739 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 3: A malvertising campaign on X.com<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957198\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image4.png\" alt=\"A screenshot of a domain hosting malware. The site resembles the official iTunes store.\" width=\"640\" height=\"480\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image4.png 921w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image4.png?resize=300,225 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image4.png?resize=768,576 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 4: A domain hosting <a href=\"https:\/\/www.virustotal.com\/gui\/file\/96f80fef3323e5bc0ce067cd7a93b9739174e29f786b09357125550a033b0288\/relations\" target=\"_blank\" rel=\"noopener\">AMOS<\/a> (obtained from <a href=\"https:\/\/urlscan.io\/result\/027802ea-5e90-4040-a862-f96c495c9696\/\" target=\"_blank\" rel=\"noopener\">urlscan<\/a>). Note that the malvertisers have created a page that closely resembles the iTunes Store. 
Sophos and other vendors have classified this domain as malicious<\/em><\/p>\n<p>After investigating a customer incident involving AMOS, we also noted that threat actors have hosted AMOS binaries on GitHub, possibly as part of a malvertising-like campaign.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957199\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image5.png\" alt=\"A screenshot of a GitHub project owner page\" width=\"640\" height=\"269\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image5.png 1304w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image5.png?resize=300,126 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image5.png?resize=768,323 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image5.png?resize=1024,431 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 5: AMOS hosted on a GitHub repository (now taken down)<\/em><\/p>\n<p>We also discovered several open directories that hosted AMOS malware. 
Some of these domains were also distributing Windows malware (the <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2024\/02\/one-year-later-rhadamanthys-is-still-dropped-via-malvertising\" target=\"_blank\" rel=\"noopener\">Rhadamanthys infostealer<\/a>).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957200\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image6.png\" alt=\"A screenshot of a directory listing on a website, showing various .dmg files hosted on the domain.\" width=\"640\" height=\"397\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image6.png 1197w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image6.png?resize=300,186 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image6.png?resize=768,477 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image6.png?resize=1024,636 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 6: A domain hosting various malicious samples disguised as legitimate applications<\/em><\/p>\n<h1>Command and control<\/h1>\n<p>AMOS C2 panels are protected with credentials. 
As shown in the screenshots below, the panels provide a simple visualization of campaigns and stolen data for the benefit of the threat actors.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957201\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image7.png\" alt=\"A screenshot of a domain showing a login page for the AMOS backend panel\" width=\"640\" height=\"480\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image7.png 986w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image7.png?resize=300,225 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image7.png?resize=768,576 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 7: Active AMOS C2 login panel (obtained from <a href=\"https:\/\/urlscan.io\/result\/d6a13720-8630-4dd7-b257-0569c9ba2abd\/#summary\" target=\"_blank\" rel=\"noopener\">urlscan<\/a>)<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957202\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image8.png\" alt=\"An AMOS panel template\" width=\"640\" height=\"480\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image8.png 1032w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image8.png?resize=300,225 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image8.png?resize=768,576 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image8.png?resize=1024,768 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 8: AMOS panel template for accessing stolen data (obtained from <a href=\"https:\/\/urlscan.io\/result\/30067698-3dd0-456e-beb5-74304edfd3c4\/#summary\" target=\"_blank\" 
rel=\"noopener\">urlscan<\/a>)<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957203\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image9.png\" alt=\"A screenshot showing examples of AMOS logs\" width=\"640\" height=\"394\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image9.png 1379w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image9.png?resize=300,185 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image9.png?resize=768,473 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image9.png?resize=1024,630 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 9: AMOS logs displaying different data (this image was taken from AMOS marketing material; the threat actor has redacted some information themselves)<\/em><\/p>\n<h1>Evolving capabilities<\/h1>\n<p>As we mentioned earlier, AMOS was first reported on in April 2023. Since then, the malware has evolved to evade detection and complicate analysis. 
For instance, the malware\u2019s function names and strings are now obfuscated.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957204\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image10.png\" alt=\"Side-by-side screenshots of AMOS code in a disassembler\" width=\"640\" height=\"320\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image10.png 1312w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image10.png?resize=300,150 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image10.png?resize=768,383 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image10.png?resize=1024,511 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 10: Screenshots of AMOS\u2019s code, showing a previous version (left) and an obfuscated version (right). Note that the function names are readable in the left-hand version, but have been obfuscated in the newer version on the right<\/em><\/p>\n<p>We\u2019ve also observed recent AMOS variants using a Python dropper (<a href=\"https:\/\/www.bitdefender.com\/blog\/labs\/when-stealers-converge-new-variant-of-atomic-stealer-in-the-wild\/\" target=\"_blank\" rel=\"noopener\">other researchers have also reported on this<\/a>), and the malware developers have shifted some key data \u2013 including strings and functions \u2013 to this dropper, rather than the main Mach-O binary, likely to avoid detection.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957205\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image11.png\" alt=\"A screenshot of AMOS-related code from a Python dropper\" width=\"640\" height=\"319\" 
srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image11.png 1100w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image11.png?resize=300,149 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image11.png?resize=768,383 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image11.png?resize=1024,510 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 11: Strings and functions in the Python dropper<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957206\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image12.png\" alt=\"Screenshot of AMOS-related code, from a Python dropper\" width=\"640\" height=\"312\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image12.png 1700w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image12.png?resize=300,146 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image12.png?resize=768,375 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image12.png?resize=1024,500 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image12.png?resize=1536,750 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 12: An excerpt from a Python sample, which invokes AppleScript for the <a href=\"https:\/\/spycloud.com\/blog\/reverse-engineering-atomic-macos-stealer\/\" target=\"_blank\" rel=\"noopener\">\u201cfilegrabber()\u201d function<\/a>. This function was included in the binary in earlier variants, but here the threat actor has reimplemented the entire function in Python<\/em><\/p>\n<h1>Possible future developments<\/h1>\n<p>AMOS distributors recently put out an advertisement in which they claimed a new version of the malware would target iPhone users. 
However, we have not seen any samples in the wild to date, and cannot confirm that an iOS version of AMOS is available for sale at the time of writing.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957207\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image13.png\" alt=\"A screenshot of a post on a Telegram channel, in Russian\" width=\"640\" height=\"383\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image13.png 699w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image13.png?resize=300,179 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 13: A post on the AMOS Telegram channel regarding iOS targeting. The Russian text reads (trans.): \u201cWell, the iPhone is opened. We are expecting a new product for iOS to reach the masses. Tests showed success. The price will be appropriate.\u201d<\/em><\/p>\n<p>A possible driving force behind this announcement is the EU\u2019s Digital Markets Act (DMA), under which Apple is obliged to make <a href=\"https:\/\/support.apple.com\/en-gb\/118110\" target=\"_blank\" rel=\"noopener\">alternative app marketplaces available to EU-based iPhone users<\/a> from iOS 17.4 onwards. 
Developers will also be allowed to distribute apps directly from their <a href=\"https:\/\/9to5mac.com\/2024\/03\/12\/iphone-app-store-changes-web-distribution-more\/\" target=\"_blank\" rel=\"noopener\">website<\/a> \u2013 which potentially means that threat actors looking to distribute an iOS version of AMOS could adopt the same malvertising techniques they\u2019re currently using to target macOS users.<\/p>\n<h1>Protection and prevention<\/h1>\n<p>As we\u2019ve seen from our telemetry over the past year, threat actors are increasingly focusing on macOS, particularly in the form of infostealers, and the rise in AMOS prices suggests that they could be having some success. With that in mind, as with any device, users should only install software from legitimate sources with good reputations, and be extremely wary of any pop-ups requesting either passwords or elevated privileges.<\/p>\n<p>All the stealers we have seen to date are distributed outside the official Mac store and are not cryptographically verified by Apple \u2013 hence the use of social engineering we discussed previously. 
They also request information such as passwords, as well as unwarranted data access, which should ring alarm bells for users, particularly when it\u2019s a third-party application asking for those permissions. (Note that in macOS 15 (Sequoia), due to be released in fall 2024, it will be more difficult to override Gatekeeper <a href=\"https:\/\/developer.apple.com\/news\/?id=saqachfa\" target=\"_blank\" rel=\"noopener\">\u201cwhen opening software that isn\u2019t signed correctly or notarized.\u201d<\/a> Instead of being able to Control-click, users will have to make a change in the system settings for each app they want to open.)<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image14.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-957208\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image14.png\" alt=\"A screenshot of macOS malware, resulting in a pop-up dialogue asking for the system password\" width=\"640\" height=\"274\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image14.png 878w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image14.png?resize=300,128 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/image14.png?resize=768,329 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 14: An example of macOS malware asking for a password, which should be a big red flag for users. Note also the request to right-click and open<\/em><\/p>\n<p>By default, browsers tend to store both encrypted autofill data and the encryption key in a fixed location, so infostealers running on infected systems can exfiltrate both from disk. 
Having encryption based on a master password or biometrics would help to protect against this type of attack.<\/p>\n<p>If you have encountered any macOS software which you think is suspicious, please <a href=\"https:\/\/support.sophos.com\/support\/s\/filesubmission?language=en_US\" target=\"_blank\" rel=\"noopener\">report it to Sophos<\/a>.<\/p>\n<p>Sophos protects against these stealers with protection names beginning with OSX\/InfoStl-* and OSX\/PWS-*. IOCs relating to these stealers are <a href=\"https:\/\/github.com\/sophoslabs\/IoCs\/blob\/master\/Atomic-infostealer-IOCs.csv\">available on our GitHub repository<\/a>.<\/p>\n<h1>Acknowledgments<\/h1>\n<p>Sophos X-Ops would like to thank Colin Cowie of Sophos\u2019 Managed Detection and Response (MDR) team for his contribution to this article.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/09\/06\/atomic-macos-stealer-leads-sensitive-data-theft-on-macos\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/09\/shutterstock_2449650047.jpg\"\/><\/p>\n<p><strong>Credit to Author: Jagadeesh Chandraiah| Date: Fri, 06 Sep 2024 11:04:28 +0000<\/strong><\/p>\n<p>Sophos X-Ops explores the distribution and capabilities of the Atomic macOS Stealer 
(AMOS)<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[30076,30077,19881,10403,27030,16771],"class_list":["post-25194","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-amos","tag-atomic-stealer","tag-infostealer","tag-macos","tag-sophos-x-ops","tag-threat-research"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25194","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25194"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25194\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}