In recent years, the long-held perception that macOS is less susceptible to malware than Windows has shifted. That belief stemmed from macOS having a lower market share and a set of native security features that presented challenges for malware developers. The landscape has evolved, however, with mainstream malware now targeting macOS more frequently, although not to the same extent as Windows. Infostealers, such as the Atomic macOS Stealer (AMOS), have become prevalent, constituting over 50% of all macOS detections in the last six months.
AMOS, first identified by Cyble in April 2023, is designed to extract sensitive data like cookies, passwords, and cryptocurrency wallet information from infected systems. This data is then sent to threat actors who can either use it or sell it on the dark web. The demand for this stolen data, referred to as ‘logs’ in the cybercrime underground, is high, as indicated by the tripling of AMOS’s price in the past year.
While AMOS is a prominent player in the macOS malware space, it is not alone. Competing infostealers like MetaStealer, KeySteal, and CherryPie also pose significant threats. To help defenders understand and combat AMOS, a guide detailing its workings and features has been compiled.
The distribution of AMOS occurs through various channels, including public Telegram channels where the malware is advertised and sold. The price for AMOS has seen a substantial increase over time, reflecting the value criminals place on targeting macOS users. Malvertising and SEO poisoning are common techniques used to lure unsuspecting users into downloading malware disguised as legitimate software applications like Notion, Trello, and Slack.
Moreover, AMOS has evolved to evade detection and analysis. Recent variants employ obfuscation techniques, such as obscuring function names and strings in the code. Some variants even use a Python dropper to conceal crucial data, making it harder for security researchers to analyze the malware.
The creators of AMOS have hinted at a potential iOS version targeting iPhone users, although no concrete evidence of such a version in the wild has been found. With the EU’s Digital Markets Act requiring Apple to provide alternative app marketplaces for iPhone users, threat actors could leverage malvertising tactics to distribute an iOS variant of AMOS in the future.
Considering the increasing focus on macOS by threat actors, users are advised to be cautious when installing software from unverified sources and to be wary of pop-ups requesting sensitive information. As malware targeting macOS becomes more sophisticated, implementing robust security measures and staying vigilant are essential to protect against potential threats.
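One concrete form the "be cautious with software from unverified sources" advice can take is to check, before opening a downloaded application, whether Gatekeeper would accept it and who signed it. The following shell function is an added example written for this page, not code from the original article or from Sophos; it assumes a macOS host where Apple's `spctl` and `codesign` tools are on the PATH, and the bundle path (`Example.app`) is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original article): assess a downloaded macOS app
# bundle with Gatekeeper and show its signing identity before running it.
# Assumptions: the argument is an .app bundle; `spctl` and `codesign` (shipped
# with every macOS install) are available. The bundle name used in the usage
# line is a placeholder.

# verify_app APP_PATH
#   returns 0 if Gatekeeper accepts the bundle for execution,
#   1 if the bundle is missing or Gatekeeper rejects it (unsigned, ad-hoc
#     signed, not notarized, or revoked),
#   2 if the macOS assessment tools are not present (e.g. run on Linux).
verify_app() {
    app="$1"
    if ! command -v spctl >/dev/null 2>&1 || ! command -v codesign >/dev/null 2>&1; then
        echo "verify_app: spctl/codesign not found; this check only runs on macOS" >&2
        return 2
    fi
    if [ ! -d "$app" ]; then
        echo "verify_app: no bundle found at $app" >&2
        return 1
    fi
    # Gatekeeper assessment. For legitimately distributed software the verbose
    # output reports the bundle as accepted with source "Notarized Developer ID".
    if ! spctl --assess --type execute -vv "$app" 2>&1; then
        echo "verify_app: Gatekeeper rejected $app" >&2
        return 1
    fi
    # Print the signing chain and Team ID so the user can compare the Team ID
    # against the one the real vendor publishes (a fake "Notion" or "Slack"
    # signed under an unrelated Team ID is the pattern described above).
    codesign -dvv "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
    return 0
}

# Usage (placeholder path):
#   verify_app "$HOME/Downloads/Example.app" && open "$HOME/Downloads/Example.app"
```

A non-zero exit from `verify_app` is the cue to stop and not open the bundle; a Gatekeeper "accepted" result is necessary but not sufficient, so the Team ID line is printed for a manual comparison against the vendor's published identity.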
If users encounter suspicious macOS software, they are encouraged to report it to security providers like Sophos. Sophos provides protection against infostealers like AMOS and offers IOCs for detection and mitigation. Collaboration with security experts, such as Sophos’ Managed Detection and Response team, is crucial in combating evolving macOS threats effectively.
