New macOS Malware Is Becoming Widespread

A new wave of malware is reshaping the security landscape for macOS users with the emergence of a major new threat: the Atomic macOS Stealer (AMOS). This malware debuted in April 2023 and has since become a common tool among criminals for stealing sensitive information.

Recent threat research by Sophos X-Ops highlights a rise in malware targeting macOS systems. AMOS is at the forefront of this shift, accounting for over 50% of all macOS infostealer incidents in the past six months. Historically, macOS was considered less exposed to malware than Windows, partly because of its smaller market share and built-in security features. That perception is now changing.

AMOS is designed to extract a wide range of sensitive data, including cookies, passwords, autofill information, and cryptocurrency wallet contents. Once a machine is compromised, the stolen data is sent to a threat actor who typically sells it to other criminals specializing in data exploitation. The growing market for stolen data, known as “logs,” has significantly increased AMOS’s value, with the malware’s price tripling over the past year.

Its sellers tout AMOS’s ability to collect data from sources including Notes, Keychain, and SystemInfo, as well as to target popular browsers and extract autofill data, cookies, and passwords. It can also target several cryptocurrency wallets and browser plugins, such as Electrum, Binance, Exodus, Atomic, and Coinomi. The malware is designed to launch with its console hidden, which makes detection harder for the user.

To reach victims, AMOS operators have moved from traditional phishing to search result poisoning through malvertising and search engine optimization, so malicious websites now often appear at the top of search results. Legitimate applications that AMOS installers imitate include Notion, Trello, the Arc browser, Slack, and Todoist. Malicious ads also target social media, with fake installers for legitimate applications such as “Clean My Mac X” being a prime example.

Sophos X-Ops warns that the creators of AMOS are now eyeing iOS, claiming successful tests of an iOS version. The EU’s recent requirement that Apple open its platform to alternative app marketplaces might encourage malware developers to distribute iOS versions of AMOS through malicious sites, mirroring their current methods for macOS.

To date, no macOS stealers have been distributed through Apple’s official App Store. Threat actors therefore rely heavily on social engineering to persuade users to download and run the malware. Sophos X-Ops recommends installing only trusted software from legitimate sources and being cautious of any pop-ups requesting passwords or permissions.