![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/05\/cryptocurrency-and-cookie-stealing-malware-600x400-1.jpg\")
<\/p>\n<\/p>\n
A threat actor is offering \u201cmalware as a service\u201d that can steal sensitive data from Macs. Dubbed AtomicStealer\u2014or Atomic macOS Stealer, AMOS\u2014the framework enables cybercriminals to create custom Trojan horse malware. These Trojans attempt to exfiltrate passwords, stay-logged-in session cookies, cryptocurrency wallets, and more.<\/p>\n
Below, we’ll explain what you need to know about this new Mac threat and how to stay protected.<\/p>\n
In this article:<\/em><\/p>\n A threat actor has recently begun selling access to a new, customizable Mac data-stealing malware framework. Access to the framework is advertised via the Telegram secure messaging app<\/a>.<\/p>\n Reportedly, other cybercriminals can “lease” the malware framework at $1,000 per month. This implicitly means that the original developer may continue to update the framework to try to evade antivirus detection as part of this “malware as a service” operation.<\/p>\n So what can AtomicStealer-based malware do? We can easily observe that the malware attempts to trick users into divulging their administrator password via a fake system prompt, generated with AppleScript code.<\/p>\n AtomicStealer’s first variant attempts to trick users into giving up their admin password via a fake system dialog box.<\/p><\/div>\n If users type their password into this dialog box, it is then logged insecurely on the system\u2014in plain text.<\/p>\n According to the seller, the malware can do a number of other things, but the primary goal appears to be exfiltration of valuable digital assets.<\/p>\n The malware will supposedly try to export all passwords from the Keychain, steal saved passwords and stay-logged-in session cookies from all popular browsers, and steal cryptocurrency from more than 50 varieties of wallets.<\/p>\n After obtaining a victim’s passwords and session cookies, an attacker may be able to pivot to breaking into other accounts belonging to the victim. As we mentioned recently in our coverage of MacStealer malware<\/a>, stealing stay-logged-in cookies often allows attackers to bypass two-factor authentication.<\/a><\/p>\n Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9<\/a><\/strong>, can protect against, detect, and eliminate this Mac malware. Intego products detect components of this threat as OSX\/Downloader.go<\/strong>, or variations of virus\/OSX\/Agent<\/strong>.<\/p>\n If you believe your Mac may be infected\u2014or to prevent future infections\u2014use trusted antivirus software. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection<\/a>. It’s compatible with a variety of Mac hardware and OS versions, including the latest Apple silicon Macs running macOS Ventura.<\/p>\n Additionally, if you use a Windows PC, Intego Antivirus for Windows<\/strong><\/a> can keep your computer protected from PC malware.<\/p>\n VirusBarrier X6, X7, and X8 on older Mac OS X versions also provide protection. Note, however, that it is best to upgrade to the latest versions of macOS and VirusBarrier; this will help ensure your Mac gets all the latest security updates from Apple.<\/a><\/span><\/p>\n The first researcher to write about AtomicStealer’s initial variant noted<\/a> something interesting: evidently, the username on the developer’s computer was Boltov is a surname that is most common in Russia and Ukraine; it means “bolts” in Russian.<\/p>\n Iluha isn’t a particularly common given name, but it can be a masculine East Slavic name, a variant of Elijah. Iluha can also mean to weep or to tear up in Filipino or Tagalog. Iluh can be a Balinese name for a first-born female. Luha can be an Islamic feminine name meaning measure or amount.<\/p>\n If the developer truly did reveal their own name, it wouldn’t be the first time that a cybercriminal has made such an opsec failure. In 2019, Intego published a white paper (PDF) about Mac malware attribution<\/a> in which I wrote about several malware makers who had unintentionally exposed their real names by mistake.<\/a><\/p>\n The following SHA-256 hashes relate to AtomicStealer malware campaigns:<\/p>\n Looks like a new variant of the \u201cAtomic macOS Stealer\u201d malware dropped just in time for Cinco de Mayo. Very low detection rates on @VirusTotal<\/a>.<\/p>\n All of these new samples were uploaded in the US via VT API keys, IDs af632c50 or 97e2a062. #AtomicStealer<\/a> #AMOS<\/a> #OSX<\/a> #malware<\/a> pic.twitter.com\/WFSU1FykHW<\/a><\/p>\n — Josh Long (the\u00a0JoshMeister) (@theJoshMeister) May 6, 2023<\/a><\/p><\/blockquote>\n\n
What does OSX\/AtomicStealer Mac malware do?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/05\/AtomicStealer-Mac-malware-AppleScript-fake-admin-password-prompt-dialog-box.png\")
How can one remove or prevent AtomicStealer and other Mac malware?<\/h3>\n
![\"Intego](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png\")
<\/p>\nWho created the AtomicStealer malware framework?<\/h3>\n
iluhaboltov<\/code>. Although this does not provide definitive evidence of the malware author’s name, it’s noteworthy that the developer began using an account with the generic username administrator<\/code> for subsequent variants of AtomicStealer.<\/p>\nAtomicStealer indicators of compromise (IoCs)<\/h3>\n
0498d08c1bc471fa4c4ebd1242bfaeabd79c4e1a8133205274a6e2c08c7cb581**\r\n1062073ce5aad5bc8f05bd6b47898d5c11ace4a32cb1234e0c9c4f5aa27a6d17\r\n15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709\r\n18d09f30c600855411488e670ef8413c3dc7f9f326b697c9815ba2a5baa55c0f\r\n20a7971970dc0e0e02859f9c51a0626455a146919b8dc9c9c8172bd18988e8df*\r\n2175cc3bc1e3bf4cc27a9524b34d47c14b9aa094061600c0c4bfee9447bd54b4\r\n262f6dc6862c0377034d50c007386860d7a3ca3da95b6ecc2dfa53057b5924fa*\r\n26b304352f45fd551195a66b7fbf493122cbc1442d6ef2aea73d75458c19bc56\r\n2b4a06a50ff151f38586f1f3ae97990efb69dba80bfd4521a50ccdeeb4cf2b5b\r\n2c63ba2b1a5131b80e567b7a1a93997a2de07ea20d0a8f5149701c67b832c097\r\n2d0dda75bfc90e7ffda72640eb32c7ff9f51c90c30f4a6d1e05df93e58848f36\r\n3a14c28ec0bd616b029efa6b1421a120869c80f088add868de93aeefd1b60cbc**\r\n3dcb157b5a16f76e60f0407f7036692d04c2dfbbf334c2b843ec77a9b2f930fe*\r\n4594513f34af968cf3fba5cd50331bbe7329ce436898eedecf53e574f6e05dcc\r\n4cc591bf6dbfe851cc8fd891d8a5f3c2723dcad14e12f81eb58c008267ab8489\r\n4d9a01b8f1efd30d39d7f6af61f2723f593436fdd667669b15d149db6eac04b0\r\n51a0b39dc222749788e6559d5068b3633366b1a03690ac16e29f1ba9ed2f87ff\r\n56cd21cb9f114e7e1709592449ab7cce2bb3a2a7c89dab72f9be88a99fc9e775\r\n6152e233795fa52b5ee2c0283636c76d6389c9dfad5413408ea26fd7aa42fa23\r\n71bcccde296cea2da9ad9ff294c672123e782abb3369d0576c3456391d4bb13e**\r\n73ec6b3ec30b5437c910d04057e721a94525dcab00c283cac5a8cef8a28b2cae*\r\n77589a321b3b876d4179cd4d287e6111b00edbfaeb50e5c2e729bf10a7ac005c\r\n7e481f05173d895c2aa50fa5625a48877af2284da53285a71cc9845674004239\r\n7fe19d8f93feafbbc23a1640534e9de2f5d6c88411bb23f622dabe5038026426*\r\n821b05cef55eca9e07697c02b837567a75c9adc2e82afb798a41b4e6c0ae2ee9\r\n82d2c1cdf97bbbb537879be0f3a50f28aa74ce353c6c4f4df736eae7751675b7\r\n972c60772190eaf6a7d4fd15a342bcb947d49e39e996ddc899ff77eb31f113aa\r\n990aaf49f24274dbecb68929683b1baa5ed1621722bed774ee8694b541b785e3\r\n9d34698409f4a140822cd2e83c0f0c109436e8028a7e15f3e4428b41a86fa168**\r\na00f4722b3922a61febd6db22c3cacfb75f3fcfe9f4e1a372e3c6d7d4ee94947\r\na2fec3172d70f7515d43959264a0ee55433ca8207b7022dc1f6430a1616d9a64\r\na4d590b7b0b5b1d7971b6f24a210afaa6024ac6b1ac13bbbb668739a230acc8f\r\na856dccf60644f8e95461f5eb1f20fd688a72ce778625d775455e73cbe2648d3\r\nae24165de234f584dc53ab941e22e9f479d02baf6cdd6f120c84f7e8ebb5aca5**\r\nc294c28ef8f07bc30c9fe1980bd83236ae52fbdcb596117aa675ebe28a7ea548\r\nc4078213cf64a68c5f0fc77d65e16d989d817c09814a01f73e37099c4ed6e0a7**\r\nc65a90e559db80612209717337a86bd072beb0125af126772873a4a6da50bf96\r\nc76f71a617937866b5ccef9f10658cabc81c400f50971e04455c07a8d08da5b6**\r\nd9e46d316a975ec70827916976988fcff582e42f3927e0e158a9cd89c15a0b6e*\r\ne06a094d0bec6020536cdb92f0bd2171e48ca36b3f34b8ffd6da7f52f78436ec\r\ne2a756710241d90fd5d2c3fb33bf787014e1f5b4b6b516b6afd8fcb7cbd0ccbf\r\ne3d703fee5b08f5c869f34d79d08b8b9438b261a737c8b1275655f403b0b39e2\r\ne6b6cf40d605fc7a5e8ba168a8a5d8699b0879e965d2b803e29b87926cba861f\r\nea2235ea26951276cf724430774e1817295e53e64c55ababac38ec5443f066f6**\r\nf8cd5ff37ef71afe16b4499d9e0f7b92a7759e3cacb0fbbdc78bec39842c99a1\r\nff23a27fd326d428e931a42fa08d9e0c17f16c9cd7a1afbaba16ab4ae80a6656**\r\nff4ce9dfe2ced97df1deeeda3e2450e958bd4bcad3778bad2bed080619014f46\r\n* First reported by Intego\r\n**First reported by Intego; added 8 May 2023<\/pre>\n
\n