"Atomic macOS Stealer Malware Delivered via Malvertising Campaign"

According to security researchers at Malwarebytes, a piece of malware named Atomic macOS Stealer, or AMOS, has been delivered by cybercriminals through a malvertising campaign. AMOS emerged in the spring when its creators started advertising it for $1,000 per month, promising a wide range of data theft capabilities. Its authors claimed the malware could steal keychain passwords, browser data, cryptocurrency wallets, and files from the compromised device. The researchers noted that AMOS is mostly distributed through cracked software downloads, but the company recently observed it being delivered through a malvertising campaign.

The researchers stated that cybercriminals set up a fake website for the TradingView financial market tracking app and advertised the site on Google using a hacked advertiser account apparently belonging to an entity in Belarus. The malicious website is designed to look authentic, claiming to offer downloads for the TradingView app's Windows, macOS, and Linux versions. The researchers noted that while the Windows and Linux files deliver the NetSupport RAT, the Mac file delivers the AMOS malware.

Once executed, the macOS malware provides instructions for opening it without getting blocked by Apple's Gatekeeper security feature. The researchers stated that the malware is bundled in an ad-hoc signed app, meaning it is not signed with an Apple certificate, so there is no certificate that can be revoked. Once executed, it will keep prompting for the user password in a never-ending loop until victims finally relent and type it in. The researchers noted that logs show the malware attempts to collect and exfiltrate passwords, autofill data, wallets, cookies, and keychain data. The researchers stated that targeting TradingView makes sense, since users who are looking for the market tracking application are more likely to use software that provides access to money or cryptocurrencies.

 

SecurityWeek reports: "Atomic macOS Stealer Malware Delivered via Malvertising Campaign"

Submitted by Anonymous on