![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/05\/cryptocurrency-stealer-malware-blue-600x400-1.jpg\")
<\/p>\n<\/p>\n
In May 2023<\/a> and September 2023<\/a>, and again in February 2024<\/a>, we wrote about earlier variants of the Atomic Stealer<\/strong> Mac malware family. This malware\u2014also known as Atomic macOS Stealer or AMOS<\/strong> for short\u2014is designed to exfiltrate sensitive data from infected Macs. Such data typically includes saved passwords, cookies, autofill text, and cryptocurrency wallets.<\/p>\n AMOS is distributed in the form of Trojan horses, often masquerading as supposedly pirated or “cracked” versions of apps. In recent months, AMOS Trojan horses often pretend to be the legitimate apps they mimic; they employ elaborate campaigns, leveraging malicious Google Ads that link to lookalike homepages with Trojan downloads.<\/p>\n Over the past two weeks, Intego has been tracking several new variants of Atomic Stealer. Here’s everything you need to know about them and how to stay protected.<\/p>\n In this article:<\/em><\/p>\n The latest variants of AMOS masquerade as several different apps, all distributed through DMG disk images.<\/p>\n At least two disk images, when mounted, include a single app called “AppleApp” with an icon that implies that it’s an installer.<\/p>\n One fake-installer variant launches a Trojanized version of File Juicer, an app for extracting embedded files from various document formats. The real app costs $19.<\/p>\n A second fake-installer variant launches a Trojanized version of Debit & Credit, a personal finance app that’s normally only available through the Mac App Store. The real app is a free download, but a “premium version” is available via a $19.99 in-app purchase.<\/p>\n Another disk image, when mounted, includes a single app called “WorldParallel.” With a little investigation, we discovered that this Trojan mimics a Windows-only, NFT-based digital trading card game called Parallel, which its developer describes as “a Sci-Fi world and Card Game.”<\/p>\n It isn’t surprising to see malware disguise itself as something related to non-fungible tokens (NFTs), blockchains, or cryptocurrency; fake crypto wallet apps are another common Trojan horse. We’ve even observed stealer malware that was distributed through elaborate video-game marketing campaigns<\/a>.<\/p>\n This is because a primary goal of stealer malware<\/a> is typically to attempt to exfiltrate digital wallets, which may contain valuable assets such as cryptocurrencies or rare digital artwork.<\/p>\n And last but not least, we’d be remiss if we didn’t mention that, once again, some AMOS samples mimicked the Notion productivity software.<\/p>\n We mentioned in February that AMOS had been spreading via malicious Google Ads that mimicked real Notion software ads<\/a>.<\/a><\/p>\n Although we have not definitively confirmed the original source of these infections, it’s likely that the team behind AMOS is up to its usual tricks, including Google Ads poisoning<\/a>. Threat actors often pay Google for top placement, with sponsored ads disguised as real ads for legitimate software. These ads appear immediately above the actual search results; if you aren’t careful, you could inadvertently visit a malware distribution site instead of landing on the real software developer’s site.<\/p>\n We recommend that consumers get out of the habit of “just Google it” to find legitimate sites.<\/strong> Such habits often include clicking on the first link without giving it much thought, under the assumption that Google won’t lead them astray, and will give them the correct result right at the top. Malware makers know this, of course, and that’s why they’re paying Google for the number-one position.<\/p>\n Until or unless Google does a much better job of vetting its ads, a better practice than “Google it” would be to bookmark trusted sites whenever possible<\/strong>, and to go back to those bookmarks in the future.<\/a><\/p>\n One interesting observation from Intego’s malware analysis lab is that many of the initial stage (dropper) apps contain the secondary payload embedded within them.<\/p>\n In some cases, the embedded payload was unobfuscated (i.e. plainly visible). However, in other cases, the embedded payload was Base64 encoded, in a weak attempt to hide the payload from antivirus software.<\/p>\n “Droppers” are initial-stage malware samples designed to obtain and install additional malware. Typically, droppers connect to malicious or hacked sites to obtain their next-stage payloads. Embedding payloads within the dropper itself can sometimes allow malware campaigns to succeed for a bit longer. This is because sites that host malware may be taken offline quickly, or disinfected and patched as soon as the site owner becomes aware of the infection. In the case of a newly registered malicious domain, the registrar may retake control of the domain, take it offline, and revoke the purchaser’s access.<\/a><\/p>\n If you use Intego VirusBarrier, you’re already protected from this malware. Intego detects these samples as OSX\/Amos.ext<\/strong>, virus\/OSX\/AVI.AMOS.jlei<\/strong>, virus\/OSX\/AVI.AMOS.lydw<\/strong>, virus\/OSX\/AVI.AMOS.mlhs<\/strong>, and similar names.<\/p>\n If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection<\/a>. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.<\/p>\n One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch<\/a> in user-accessible areas of the device. To get started, just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.<\/p>\n If you use a Windows PC, Intego Antivirus for Windows<\/strong><\/a> can keep your computer protected from malware.<\/a><\/p>\n As is typical, some of the Atomic Stealer samples we encountered have a very low detection rate on the multi-engine single file scanning site VirusTotal. For several samples, only 5\u20138 out of 60+ antivirus engines appear to detect them. At least three samples (two Mach-O binaries and one DMG disk image) were completely undetected when first uploaded to VirusTotal.<\/p>\n Following are SHA-256 hashes of malware samples related to these new AMOS malware campaigns:<\/p>\n The following domains have recently been used in connection with these AMOS samples:<\/p>\n Network administrators can check logs to try to identify whether any computers may have attempted to contact one of these domains recently, which could indicate a possible infection.<\/a><\/p>\n Be sure to also check out our 2024 Apple malware forecast<\/a> and our previous Mac malware articles<\/a> from 2024 and earlier.<\/p>\n You can also subscribe to our e-mail newsletter<\/strong><\/a> and keep an eye here on The Mac Security Blog<\/strong><\/a> for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Atomic Stealer (AMOS) has had brand-new, active Mac malware campaigns over the past two weeks. Intego has exclusive coverage of the latest threats, how to avoid them, and how to clean an infection from your Mac.<\/p>\n","protected":false},"author":14,"featured_media":100417,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[4737,4615,86,4722],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\n\t\n\t\n\t\n\n
Mimicry of File Juicer, Debit & Credit, Parallel NFT game, and Notion<\/h3>\n
Fake “File Juicer” and “Debit & Credit” app installers<\/strong><\/h4>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/05\/AtomicStealer-AMOS-AppleApp-202404-600x328-1.jpg\")
<\/p>\nFake “Parallel” NFT TCG game<\/strong><\/h4>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/05\/AtomicStealer-AMOS-WorldParallel-202404-600x300-1.jpg\")
<\/p>\nFake “Notion” app<\/strong><\/h4>\n
Source of these new AMOS infections<\/h3>\n
Malware embedded within malware<\/h3>\n
How can I keep my Mac safe from AMOS and other malware?<\/h3>\n
![\"Intego](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png\")
Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9<\/a><\/strong>, is a powerful solution designed to protect against, detect, and eliminate Mac malware.<\/p>\nIndicators of compromise (IOCs)<\/h3>\n
8ef8fd7284843ab9e9309324a1eb9244850d9c2509ce9688dbf18f41c1370c4d\r\n1dc2465654b7c5975d759649f023836c2af44c6a2936a71aad7e4e6c04fc0de9\r\n8dd270c85f193617cd19ee268f852a8a19c90d470d1111b0ec50196087514277\r\n78b7578fd77e6b3ea104f4c9f62c35fca5598caa430846c818b9e75540e10ef4\r\n8e2d24aa70563688a80426d542883f45387cd093a2223fbd1320ecb95769fdf2\r\nc405178e388752c5723e4dacde8b328abae15a7b953b438160d3e91a4386533f\r\n6881e8b2c584e4b2fe05af6b501d5f4a6e43a7890d36b6da6b5342313cb5ce4e\r\nf747be2535bb146e1c7737dfc7c025419c92a877d7b51033eb3c48e6c08ce7cb\r\n7944a8c9445c74975f14ebeee6ae5f1f7a50b39e5d4b478c645744b661754858\r\n4d5e9d97e48a72639193b9dd4c0bcced376bde7943b87f0aea5333021c0cb073\r\n9b0795e9b965b64a8931a8f9a7ac6ebd26f5dd7d70adaea7be13b04bfe56f6d5\r\n34053a4fcddc5c3553eb9d988b32bc7bddae2ac63fdfc5b00a8270047706bd24\r\nfb34bf9a66ff444c3a83b614af1ee2c5771cf21a676155207f1eefe52b89d2f1\r\nceb7c1a06a4c938a65d97aedbe2e18ca333f71827a015a0342ba1c13734c2032\r\nd02aee0fc3c03558eaf99afd8d54424e59f7aa6c957bc49126484ad3071472dd\r\n399614070ed2a44857d153979ee1ea0e2b05731d22409dede07b39d0869bcc90\r\n1167f14f456e4bb54dc23fe858b571832fbb4e4801c883e134ba01270e6ef6b6\r\nfdaaa25cc6be47bc893f773fcd7c0d8ad6c3618bf931f4b728eb5a1d920527f5\r\n55e587ea12e590e70c500643cf2555a98edd00f90ee19aee0089998faf017b96\r\n379fc1ec90b98ac4312184fda5a810ac7114e39385901103ca07dd22bb5382f1\r\n88b5d4ec8b8ccc4d2b791317e1be6a24db98175af4c9f42d6a7cc277a0012b58\r\n8c922dead9372c87c08f2e25f96538154be922a1511bb947e631b2d4a31bba2a\r\nd1b0fc3d03b4e6cd14b430daf0361989b8a65e87c30d5ea7436b1d51864114b6<\/pre>\n
dowlosutr[.]click\r\nfarmfrnd[.]com\r\ntarafe[.]com<\/pre>\n
How can I learn more?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/04\/intego-podcast-artwork-400.jpg\")
<\/a>Each week on the Intego Mac Podcast<\/strong><\/a>, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast<\/strong><\/a> to make sure you don\u2019t miss any episodes.<\/p>\n![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/X-Twitter-logo-icon-225.gif\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/Facebook-logo-icon-225.gif\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/YouTube-logo-icon-225.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/Pinterest-logo-icon-225.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/LinkedIn-logo-icon-225.gif\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/Instagram-logo-icon-225.gif\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile.png\" "\\"Follow")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"