{"id":99900,"date":"2024-02-29T03:32:33","date_gmt":"2024-02-29T11:32:33","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=99900"},"modified":"2024-08-08T18:54:08","modified_gmt":"2024-08-09T01:54:08","slug":"atomic-stealer-amos-mac-malware-spreads-via-malicious-google-ads","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/atomic-stealer-amos-mac-malware-spreads-via-malicious-google-ads\/","title":{"rendered":"Atomic Stealer (AMOS) Mac malware spreads via malicious Google Ads"},"content":{"rendered":"

\"\"<\/p>\n

In May<\/a> and September<\/a> 2023, we wrote about earlier variants of Atomic Stealer<\/strong>. This malware\u2014also known as Atomic macOS Stealer or AMOS for short\u2014is designed to exfiltrate sensitive data from infected Macs. It is distributed in the form of Trojan horses, such as pirated or “cracked” versions of apps.<\/p>\n

This week, reports have emerged of two different new variants of Atomic Stealer. Here’s everything you need to know about them and how to stay protected.<\/p>\n

Atomic Stealer distributed through malicious Google Ads<\/h3>\n

One of the new Atomic Stealer variants, described<\/a> by J\u00e9r\u00f4me Segura, has been confirmed to be distributed in the wild via Google Ads poisoning. A threat actor paid Google for top placement, with sponsored ads that mimicked the real ads of the Notion productivity software. These ads appeared immediately above the actual search results; if you weren’t careful, you could have inadvertently visited a malware distribution site instead of landing on the real software developer’s site.<\/p>\n

If a victim clicked on a link in the malicious ad, they would be redirected to a fake Notion homepage which would offer Mac or Windows malware disguised as Notion software. The Windows malware was a stealer called Rhadamanthys, and the Mac malware was a new Atomic Stealer variant.<\/p>\n

\"\"

An OSX\/AtomicStealer Trojan horse, masquerading as Notion productivity software.<\/p><\/div>\n

Notably, this Atomic Stealer variant has very low detection on the multi-engine single file scanning site VirusTotal; only 6 out of 60 engines detect it, while other variants (like the ones described below) typically have at least 20 detections.<\/p>\n

A second variant disguised as a “Crack Installer”<\/h3>\n

Another variant, described<\/a> by Andrei Lapusneanu, disguises itself as an unspecified “Crack Installer.” If a victim follows the directions from the disk image, and does a “right click” and clicks Open, a Mach-O app runs. Like with the first variant, this app is a dropper, meaning it will attempt to download and execute a further stage of the malware.<\/p>\n

\"\"

Another OSX\/AtomicStealer Trojan, disguised as a “Crack Installer”<\/p><\/div>\n

The next stage is a Python script that does all the usual things one expects stealer malware to do; it attempts to gather and exfiltrate browser data such as saved passwords, cookies, autofill text, and cryptocurrency wallets. It uses AppleScript code similar to that used in RustDoor malware<\/a> seen earlier in February. This Atomic Stealer variant attempts to send the stolen data to an IP address that has previously been linked to Windows malware called Amadey.<\/a><\/p>\n

How can I keep my Mac safe from malware?<\/h3>\n

If you use Intego VirusBarrier, you’re protected from this malware. Intego detects these samples as OSX\/Stealer.ext<\/strong>, virus\/OSX\/Agent.mysf<\/strong>, virus\/OSX\/AVA.Agent.amos<\/strong>, virus\/OSX\/AVF.Agent.tfcg<\/strong>, virus\/OSX\/AVI.Agent.dkaa<\/strong>, and similar names.<\/p>\n

\"IntegoIntego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9<\/a><\/strong>, is a powerful solution designed to protect against, detect, and eliminate Mac malware.<\/p>\n

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection<\/a>. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.<\/p>\n

If you use a Windows PC, Intego Antivirus for Windows<\/strong><\/a> can keep your computer protected from malware.<\/a><\/p>\n

How can I learn more?<\/h3>\n

For additional technical details and indicators of compromise (IOCs) for these Atomic Stealer variants, you can read J\u00e9r\u00f4me Segura’s write-up<\/a> and social media post<\/a>, and Andrei Lapusneanu’s write-up<\/a>.<\/p>\n

We discussed the resurgence of Atomic Stealer\u2014as well as Google’s concerning ineptitude at preventing overt copycat ads that link to malware sites\u2014on episode 333<\/a> of the Intego Mac Podcast.<\/p>\n