A new malvertising campaign is causing concerns for Mac users as it spreads an updated version of the macOS stealer malware known as Atomic Stealer, or AMOS. This indicates that the malware is actively maintained by its author.
Atomic Stealer, initially discovered in April 2023, is available as an off-the-shelf Golang malware for $1,000 per month. Recent variants of this malware have been observed in the wild, particularly targeting gamers and cryptocurrency users.
Furthermore, the primary distribution vector for this campaign is malvertising via Google Ads. Users searching for popular software, whether legitimate or cracked, are led to websites hosting rogue installers through bogus ads on search engines. The campaign employs a fraudulent website for TradingView, offering downloads for Windows, macOS, and Linux.
While the Windows and Linux buttons lead to an MSIX installer hosted on Discord that drops the NetSupport RAT, the macOS payload (“TradingView.dmg”) is an updated version of Atomic Stealer that tricks users into entering their passwords, enabling the theft of files and data from iCloud Keychain and web browsers.
Atomic Stealer is also known to target both Chrome and Firefox browsers, with a hardcoded list of crypto-related browser extensions for attack purposes. The attacker’s ultimate goal is to bypass macOS Gatekeeper protections and exfiltrate stolen information to a server under their control.
This campaign highlights the growing interest in targeting macOS, as it becomes a more viable platform for malware attacks, with several macOS-specific info stealers appearing for sale in underground forums. Users are advised to remain cautious and vigilant against evolving threats like AMOS.