The Atomic macOS Stealer, commonly known as AMOS, has undergone a significant and alarming transformation. Initially designed as a straightforward information stealer, the malware has now evolved into a sophisticated persistent threat, capable of maintaining long-term, covert access to infected macOS systems. This evolution marks a critical escalation in its capabilities, moving beyond simple data theft to allow attackers to execute remote commands and deploy additional malicious payloads, effectively turning a compromised machine into a remotely controlled asset.
Sophisticated Distribution and Targeting
Attackers deploy AMOS using a two-pronged strategy that combines broad-stroke and highly targeted methods. The first vector involves luring victims through websites offering cracked or counterfeit software, a common tactic to trick users into installing malware. The second, more insidious vector consists of sophisticated spear-phishing campaigns aimed at high-value targets such as cryptocurrency holders and freelance professionals. These campaigns often masquerade as legitimate job interview processes, deceiving individuals into installing trojanized DMG files by requesting system passwords under the guise of enabling screen-sharing software for the “interview.”
Global Reach and Future Threats
The impact of these campaigns is already global. Security analysts have identified that AMOS has affected users in over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada bearing the brunt of the attacks. The malware operates on a malware-as-a-service (MaaS) model, meaning its developers are continuously improving it and selling access to other cybercriminals. This continuous development cycle suggests new features are always on the horizon, with reports indicating that a keylogging function to capture every keystroke is currently under development.
Technical Persistence Mechanisms
AMOS employs advanced techniques to ensure it remains on a system even after a reboot and to hide from the user. It deploys a hidden binary file named .helper in the victim’s home directory, which is launched by a wrapper script called .agent to ensure it runs continuously. To achieve persistence, the malware installs a LaunchDaemon labeled com.finder.helper. This is done using AppleScript, which leverages the user’s stolen credentials to gain the elevated privileges needed to embed itself deep within the operating system. Once active, it communicates with its command-and-control (C2) server via HTTP POST requests every 60 seconds, awaiting new commands.
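The persistence artifacts named above (hidden .helper and .agent files in the home directory, and a launchd job labeled com.finder.helper) give a defender something concrete to hunt for. The following read-only hunt script is an added example written for this article, not code from the article's author or from any referenced vendor. It assumes the standard launchd plist directories (/Library/LaunchDaemons, /Library/LaunchAgents, ~/Library/LaunchAgents) and builds a constructed fixture so it can be exercised offline; the fixture's file contents are placeholders, not real samples.

```shell
#!/bin/sh
# Added example: hunt for the AMOS persistence artifacts named in the article.
# Read-only: nothing is deleted or unloaded; matches are reported on stderr.

# count_hidden_helpers HOME_DIR
#   Prints the number of hidden .helper / .agent entries found in HOME_DIR
#   (the article names both as living in the victim's home directory).
count_hidden_helpers() {
  home="$1"; n=0
  for name in .helper .agent; do
    [ -e "$home/$name" ] && { echo "SUSPICIOUS: $home/$name exists" >&2; n=$((n+1)); }
  done
  echo "$n"
}

# find_finder_helper_plists DIR...
#   Prints the number of launchd plists under the given directories that
#   reference the label com.finder.helper. Missing directories are skipped,
#   so the same call works on a host that has no /Library/LaunchDaemons.
find_finder_helper_plists() {
  n=0
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for plist in "$dir"/*.plist; do
      [ -f "$plist" ] || continue
      if grep -q -- 'com\.finder\.helper' "$plist" 2>/dev/null; then
        echo "SUSPICIOUS: $plist references com.finder.helper" >&2
        n=$((n+1))
      fi
    done
  done
  echo "$n"
}

# build_fixture
#   Creates a constructed, harmless directory tree that mimics the layout the
#   article describes (empty placeholder files plus a minimal plist carrying
#   only the Label key), and prints its path. Assumption: this is a test
#   fixture, not a reproduction of the malware's actual files.
build_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/home" "$root/LaunchDaemons"
  : > "$root/home/.helper"
  : > "$root/home/.agent"
  cat > "$root/LaunchDaemons/com.finder.helper.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.finder.helper</string>
</dict>
</plist>
EOF
  echo "$root"
}

# Live scan of the real locations (standard launchd directories, assumed).
live_home_hits=$(count_hidden_helpers "$HOME")
live_plist_hits=$(find_finder_helper_plists /Library/LaunchDaemons /Library/LaunchAgents "$HOME/Library/LaunchAgents")
echo "live scan: $live_home_hits hidden helper files, $live_plist_hits plists referencing com.finder.helper"

# Demonstration against the constructed fixture, then clean up.
fixture=$(build_fixture)
demo_home_hits=$(count_hidden_helpers "$fixture/home")
demo_plist_hits=$(find_finder_helper_plists "$fixture/LaunchDaemons")
echo "fixture scan: $demo_home_hits hidden helper files, $demo_plist_hits plists referencing com.finder.helper"
rm -rf "$fixture"
```

A non-zero count on the live scan is a lead, not a verdict: confirm by inspecting the matching plist's ProgramArguments and the file it points to before acting, and capture the files for analysis rather than deleting them, since the article notes the implant also beacons to its C2 over HTTP POST every 60 seconds, which gives a second, network-side indicator to correlate against.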
Evasion and Operational Security
To avoid being discovered by security software or researchers, AMOS utilizes several evasion tactics. It uses string obfuscation to scramble the text within its code, making it difficult to analyze and understand its functions. Furthermore, the malware is designed to be aware of its environment. Before fully executing, it runs the system_profiler command to check if it is operating within a sandbox or a virtual machine—common tools used by security analysts. If it detects such an environment, it may shut down to prevent analysis, showcasing a high degree of operational security and making it a more formidable threat to macOS users worldwide.