Atomic macOS Info stealer Malware Targets Crypto Wallets

A new macOS malware, Atomic (AMOS), is actively targeting crypto wallets, serving as an info stealing malware. The malware is being sold on Telegram channels, and despite being under active development, it already targets over 50 cryptocurrency extensions.

Atomic macOS Infostealer Malware Actively Targets Crypto Wallets

Atomic macOS Malware Running Active Campaigns Against Crypto Wallets

Researchers from Cyble have identified a new info stealing malware targeting macOS devices. Identified as Atomic macOS Stealer (AMOS), the malware infects macOS systems aiming to steal crypto wallets.

As elaborated in their post, the threat actors behind AMOS are selling the malware via Telegram channels, luring potential clients by highlighting its malicious capabilities.

Specifically, AMOS is a potent data-stealing malware that primarily facilitates the attacker in stealing information from Mac users.

The most notable functionality of this malware is its capability to steal cryptocurrency data from wallets. It includes over 50 cryptocurrency extensions on its target list, including Exodus, Coinbase, TronLink, Trezor, and Metamask, and numerous desktop wallets such as Electrum, Binance, Exodus, and Coinomi and Atomic.

Besides, it also steals stored data from web browsers, such as passwords, auto-fill information, browsing history, and cookies. Moreover, it also pilfers data directly from the system, such as systems details, Apple Keychain passwords, files from folders, and desktop data.

The AMOS threat actors not only sell the malware randomly but also offer a complete suite for their clients to manage their malicious campaigns. Their package includes a web panel for target system management, a brute-forcer (MetaMask) for identifying seed or private keys, cryptochecker, a DMG installer, and detailed logs in Telegram.

While the malware boasts some advanced data-stealing functionalities, it still has a limitation that may alarm savvy Mac users. Upon infecting the device, it attempts to access the system’s “Desktop” and “Documents” files. However, it generates a prompt asking access permissions from the victim user, which may alert the user. Alongside Cyble, a Trellix researcher has also shared a detailed analysis of this malware in a Twitter thread.

Attribution link