Mac users targeted in new malvertising campaign delivering Atomic Stealer

MacBook Air (2022, M2)
(Image credit: Future / Lance Ulanoff)

Mac users are once again being targeted by threat actors looking to steal their data, security experts have warned.

Security researchers from Malwarebytes have uncovered a new campaign that sees unnamed actors distributing an updated version of the popular Atomic Stealer malware.

Atomic Stealer, or AMOS, is an infostealer created earlier this year, and initially advertised as a macOS-oriented malware focused on cryptocurrencies, stored passwords, and sensitive files. It has since evolved to grab more information and target more operating systems.

Staying vigilant

In this particular instance, threat actors were distributing it either through fake software cracks, loaders, and key generators or by impersonating popular software manufacturers and tech companies. Malwarebytes has seen hackers create malicious ads on Google (paid for, most likely, with compromised accounts), used to promote landing pages that impersonate major tech brands. Victims who visit those websites could mistake them for legitimate ones, and end up downloading the malware.

The downloaded file would come with instructions on how to open it to bypass GateKeeper, Apple’s built-in security feature. Furthermore, the malware is bundled in an ad-hoc signed app, the researchers explain, which means it’s not an Apple certificate and therefore cannot be revoked.

As soon as the victims run the program, it will steal the data and immediately send it to the attackers’ C2 servers. Atomic Stealer goes for passwords, autofills, user information, wallets, browser cookies, and keychain data. 

“While Mac malware really does exist, it tends to be less detected than its Windows counterpart,” the researchers said in their technical write-up. “The developer or seller for AMOS actually made it a selling point that their toolkit is capable of evading detection.”

Malwarebytes recommends users double-check any program’s origins before running it on an endpoint. Furthermore, analyzing the website from which the program was downloaded is also recommended, as the address could be typosquatted, and the site’s content itself might give the scam away. 

“With stealers such as AMOS, it's also important to run an antivirus that has real-time protection so that it blocks the malware before valuable data gets stolen,” the researchers concluded.

More security news from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TOPICS