Bitdefender researchers have identified a new variant of the AMOS Stealer, dubbed Atomic, targeting macOS users. This sophisticated malware combines Python and AppleScript to extract sensitive data, particularly Safari cookies and crypto wallets, posing a significant threat to user security. Despite its small size, the variant's multifunctional capabilities enable it to collect a wide range of data, including passwords, encryption keys, and certificates.
The emergence of this new variant highlights the evolving tactics of cybercriminals in targeting macOS systems, with a focus on stealing sensitive information related to cryptocurrency platforms. Researchers note that the Atomic variant shares similarities with the RustDoor malware, indicating a potential evolution of existing threats. However, the Atomic variant introduces additional features, such as targeting specific file extensions and using the system_profiler utility to gather system information.
One notable aspect of the Atomic variant is its use of a combination of Python and AppleScript, enabling stealthy execution and data exfiltration. The malware collects data from various sources, including browser cookies, crypto wallet extensions, and user account passwords, and stores the information in a ZIP archive for transmission to a command-and-control server. With the variant still largely undetected, Bitdefender has released Indicators of Compromise to assist organizations in detecting and mitigating this evolving threat to macOS users.
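The behaviours described above (a Python interpreter that runs AppleScript via osascript, calls system_profiler, and stages a ZIP archive) form a process chain a defender can hunt for in endpoint telemetry. The script below is an added example written for this page, not Bitdefender's tooling or any of its published Indicators of Compromise: the log format (`ts pid ppid exe args`), the sample lines, and the two-signal threshold are all constructed assumptions, so it should be adapted to whatever process-event source (EDR export, unified log, auditd-style records) an environment actually has.

```python
"""Flag the process chain attributed to the Atomic/AMOS variant in the text:
a python process that spawns osascript (AppleScript), system_profiler, and
a zip archiver. Everything here is constructed for illustration; the log
format and sample lines are not real telemetry or published IoCs."""
import re
from collections import defaultdict

# Constructed sample process events in a hypothetical "ts pid ppid exe args"
# format. PID 501 mimics the chain described in the article; PID 600 is a
# benign build step that also happens to create a ZIP and must not alert.
SAMPLE_LOG = """\
1 501 1 /usr/bin/python3 -c import base64,os
2 502 501 /usr/bin/osascript -e "tell application ..."
3 503 501 /usr/sbin/system_profiler SPHardwareDataType
4 504 501 /usr/bin/zip -r /tmp/out.zip /Users/x/Library/Cookies
5 600 1 /usr/bin/python3 build.py
6 601 600 /usr/bin/zip -r dist.zip build/
"""

# Child process names the article associates with the stealer, mapped to the
# behaviour they represent. Any one of these alone is common on a developer
# Mac; the combination under a single python parent is what stands out.
SUSPECT_CHILDREN = {
    "osascript": "AppleScript execution",
    "system_profiler": "system fingerprinting",
    "zip": "archive staging",
}
MIN_HITS = 2  # assumed threshold: distinct behaviours needed under one parent

LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        ts, pid, ppid, exe, args = m.groups()
        events.append({
            "ts": int(ts), "pid": int(pid), "ppid": int(ppid),
            "exe": exe, "name": exe.rsplit("/", 1)[-1], "args": args,
        })
    return events


def find_suspicious_chains(events, min_hits=MIN_HITS):
    """Return one alert per python parent that spawned >= min_hits distinct
    suspect children. Keys behaviours by parent PID so that a single zip
    from a build script (one behaviour) does not trigger an alert."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(dict)
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not parent["name"].startswith("python"):
            continue
        label = SUSPECT_CHILDREN.get(e["name"])
        if label:
            hits[parent["pid"]].setdefault(label, e)  # keep first sighting
    alerts = []
    for ppid, behaviours in hits.items():
        if len(behaviours) >= min_hits:
            alerts.append({
                "parent_pid": ppid,
                "parent_cmd": f"{by_pid[ppid]['exe']} {by_pid[ppid]['args']}",
                "behaviours": sorted(behaviours),
                "first_ts": min(ev["ts"] for ev in behaviours.values()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_chains(parse(SAMPLE_LOG)):
        print(alert)
```

Keying on the parent rather than on each child keeps the false-positive rate manageable: osascript, system_profiler and zip are all legitimate on macOS, and the signal in the article is their co-occurrence under a scripting interpreter that then has no business touching cookie or wallet directories. A real deployment would also fold in the file paths passed to the archiver, since the text singles out Safari cookies and crypto wallet data as the targets.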