A new version of the Atomic macOS info-stealer, also known as AMOS, now comes with an embedded backdoor. For the first time, this Russia-affiliated stealer is being deployed with a backdoor for persistent access. This new component allows attackers to execute arbitrary remote commands and maintain long-term control over infected hosts. This represents the most significant evolution of AMOS since its emergence, making it a much more dangerous threat. The AMOS malware campaigns have already reached over 120 countries, including the United States, France, and Canada.
The upgraded AMOS malware employs two primary distribution methods to infect the systems of its many targets.
The first method involves websites offering cracked or counterfeit software, which trick users into downloading the malicious payload. The second method uses sophisticated spear-phishing campaigns that are aimed at high-value individuals, like cryptocurrency holders. These spear-phishing attacks often masquerade as staged job interviews, typically targeting freelance artists and other independent contractors.
Victims are asked to provide their system passwords under the guise of enabling screen sharing for these interviews.
The malware establishes persistence through a very complex chain of different components that work together on the system. This includes a trojanized DMG file, bash wrapper scripts, and also Terminal aliases designed to bypass macOS protections. The core backdoor executable is a binary named ‘.helper,’ which is downloaded and saved in the victim’s home directory. A persistent wrapper script named ‘.agent’ runs this hidden ‘.helper’ file in a continuous loop as the user. A LaunchDaemon is then installed via AppleScript to ensure that the ‘.agent’ script executes at every system startup.
To evade detection by security software, the backdoor first checks for sandbox or virtual machine environments. It also features advanced string obfuscation to hide its malicious code and activities from security researchers. The backdoor maintains communication with its command-and-control servers, sending requests every sixty seconds to receive new tasks. The evolution of AMOS from a simple data stealer to a persistent backdoor significantly increases the risk to victims. It transforms what were once one-time breaches into dangerous long-term compromises that are harder to fully remediate.
Reference:
