New Variant of AMOS Stealer Targets Safari Cookies and Crypto Wallets
The new Atomic variant uses Python and Apple Script code to target browser and system files, obtain user account passwords, and identify sandbox or emulator execution.
Bitdefender researchers have discovered a new variant of the AMOS Stealer (or Atomic Stealer), one of the most prevalent threats for macOS users in the last year. According to Bitdefender, the new variant was discovered while revisiting old or new malware samples to improve detection capabilities for macOS cyber-security products.
When researchers isolated several suspicious macOS disk image files, which were surprisingly small for their size (1.3 MB), they became suspicious of the emergence of a new variant of the AMOS Stealer.
The new variant combines functionalities of numerous malware families, including information stealers, keyloggers, and cryptocurrency mining tools, allowing it to steal sensitive data while its advanced stealth makes it harder for users to identify/remove the infection.
Further probing revealed that this variant shares similarities with the second variant of RustDoor. “Both seem to focus on collecting sensitive files from the victim’s computer, with the current one being a more developed version of the script used by RustDoor,” researchers noted.
However, the new variant has additional features. It collects the Cookies.binarycookies file, which stores Safari browser cookies, obtains files with targeted extensions from specific locations and uses the system_profiler utility to gather information about the compromised computer.
The attackers aim to obtain hardware-related details, operating system versions and connected displays and graphic cards. They add sensitive information to the archive, including passwords, encryption keys, and certificates, indicating their growing interest in cryptocurrency platforms.
This version has an unusual technique of combining Python with Apple Scripting where the filegrabber() function executes a large block of Apple script using the osascript -e command. DMG files contain FAT binary and Mach-O files for Intel and ARM architectures, used by threat actors to steal data.
When opened, as noted by researchers in a blog post, the Crack Installer application prompts the user to open the file. The Python script collects sensitive data from multiple sources, including crypto-wallet extensions, browser data, and user account passwords.
The Chromium () function collects files from targeted Chromium-based browsers, including web data, login data, and cookies. It also targets cryptocurrency browser extensions and Mach-O binaries. The parseFF() function targets Firefox and collects files associated with all profiles.
Moreover, the script targets installed crypto wallets like Electrum, Coinomi, Exodus or Atomic. The collected data is stored in a ZIP archive, which is sent to a C2 server using a POST request. The archive structure is confirmed by the C2 server.
The variant is largely undetected at the moment. Bitdefender has released Indicators of Compromise to help organizations and practitioners detect and mitigate this threat.