Full Report
Here at Bitdefender, we're constantly working on improving detection capabilities for our macOS cyber-security products; part of this effort involves revisiting old (or digging up new) samples from our malware zoo. During routine verifications, we were able to isolate multiple suspicious and undetected macOS disk image files that are surprisingly small for files of this kind (1.3 MB per file). A short look into the code revealed that these files are significantly similar to other samples analysed in the
Analysis Summary
# Tool/Technique: AMOS (Atomic) Stealer (New Variant)
## Overview
This is a newly identified variant of the AMOS (Atomic) Stealer, a prevalent macOS malware family first documented in early 2023. This variant uses a small disk image (DMG) containing FAT binaries (Mach-O files for Intel and ARM architectures) that act as droppers. The dropper executes a Python script responsible for data theft and exfiltration. The malware targets browser data, specific file types, local user passwords, and system information.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: macOS
- Capabilities: Relies on social engineering (the user is told to right-click and open the app), drops and executes a Python script, steals local account and browser credentials plus targeted files, attempts anti-sandbox checks, communicates via HTTP POST.
- First Seen: Family first documented in early 2023; this is a newly identified variant.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Delivered via DMG)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.006 - Python
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (XOR-encoded Python script)
- T1497 - Virtualization/Sandbox Evasion (Attempting to identify emulators/sandboxes)
- TA0009 - Collection
- T1005 - Data from Local System (Grabs specific files like Keychains, browser data)
- T1020 - Automated Collection (Gathers system information)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Dropper Mechanism:** The DMG mounts and contains a `Crack Installer` application. The user is instructed to right-click and open it, which sidesteps the standard macOS warning for unsigned applications and executes the embedded Mach-O binary.
- **Payload Delivery:** The Mach-O binary writes a Python script (stored XOR-encoded inside the binary) to `/var/tmp/olx` and executes it.
- **Password Theft:** Displays a fake OS dialog masquerading as a system update to trick the user into entering their local account password, which is saved to a file named `psw`.
- **Data Collection:** Gathers browser data (passwords, cookies, login data), targeted files from Desktop/Documents, system information, and the local user's keychain (`login.keychain-db`).
- **C2 Communication:** Exfiltrates collected data via HTTP POST request to a hardcoded C2 endpoint using the `/p2p` path.
### Advanced Features
- **Hybrid Scripting:** Unusually combines Python scripting with embedded AppleScript commands executed via `osascript -e` for granular file collection (e.g., Safari cookies).
- **System Profiling:** Uses the `system_profiler` utility with arguments such as `SPSoftwareDataType`, `SPHardwareDataType`, and `SPDisplaysDataType`, potentially as anti-emulation checks.
- **Code Similarity:** Shares significant code similarity with the RustDoor backdoor, particularly in the AppleScript collection segment.
- **Code Obfuscation:** The initial Python script content is XOR-encrypted within the `__const` section of the Mach-O binary.
## Indicators of Compromise
- File Hashes (DMG files):
- `0caf5b5cc825e724c912ea2a32eceb59`, `f0dc72530fa06b278b7da797e5fcb3a1`, `6c402df53630f7a41f9ceaafdca63173`, `e5c059cc26cc430d3294694635e06aef`, `b1e0274963801a8c27ef5d6b17fe4255`, `8672d682b0a8963704761c2cc54f7acc`, `11183a3f8a624dbf66393f449db8212e`, `e6412f07e6f2db27c79ad501fbdb6a99`, `b1b64298a01b55720eb71145978dd96b`, `15e64a1f7c5ca5d64f4b2a8bf60d76a0`, `4dce69d4d030bd60ee24503b8bdda39d`, `740e5f807102b524188ffd198fe9bb3b`, `8c71b553c29ff57cf135863f6de7125e`
- File Hashes (Mach-O droppers):
- `6aab14b38bbb6b07bd9e5b29a6514b62`, `af23cd92ab15ebcc02b91664a0adc6fb`, `d9c40f35b9eaf16a2a7b4204a4e369a8`, `6e777e9d95945386ced5c1cbb3173854`, `bc113574cfe6b8d0fb6fb13f43be261b`, `e125d2e359995c4f4b4d262244767385`, `98fdef18dfca95dfd75630d8f1d54322`, `a66027146c009b3fdbc29400c7c74346`, `df74b93df64240e86d8d721c03d7a8a3`, `08fc1d03db95a69cddcd173c1311e681`, `013f3ba3a61ba52ba00b53da40da8a2b`, `259809091a9d4144a307c6363e32d2ea`
- File Hashes (Python scripts):
- `6e375185480ee26c2f31c04c36a8a0e8`, `c8ac97b9df5a2dc51be6a65e6d7bce6b`, `70b0f6ff8facca122591249f9770d7c9`, `fba8e41640a249f638de197ad615bd72`
- File Names: `Crack Installer`, `psw`, `user` (temporary output files)
- Registry Keys: N/A (macOS focused)
- Network Indicators: C2 communication uses the IP address `5[.]42[.]65[.]114` on the path `/p2p`.
- Behavioral Indicators: User interaction required to open unsigned application; execution of Python via dropped script; use of `osascript -e`; running `system_profiler` utility; HTTP POST exfiltration.
## Associated Threat Actors
- Previously associated with a Russian threat actor (confirmed by C2 server address analysis).
## Detection Methods
- Signature-based detection: Detected as `Gen:Variant.Trojan.MAC.Dropper.5` or `Trojan.MAC.Dropper` (for Mach-O droppers) and `Generic.MAC.Stealer.G` (for Python scripts).
- Behavioral detection: Monitoring for execution from the drop path (`/var/tmp/olx`), invocations of `osascript -e` carrying a long inline AppleScript block, and attempts to harvest credentials via fake system dialogs.
- YARA rules: Not explicitly provided, but signature names suggest AV/EDR detections.
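The behavioral indicators listed above (the `/var/tmp/olx` drop path, long inline `osascript -e` scripts, `system_profiler` queries for the three data types, and HTTP POST to `/p2p`) can be turned into simple triage rules over endpoint telemetry. The following is an added example written for this summary, not Bitdefender's detection logic; the event dictionary shape, the `LONG_SCRIPT` threshold, the rule names, and the sample events are all assumptions constructed here.

```python
from __future__ import annotations
from dataclasses import dataclass

DROP_PATH = "/var/tmp/olx"  # dropped Python script path from the report
C2_PATH = "/p2p"            # exfiltration URL path from the report
PROFILER_TYPES = {"SPSoftwareDataType", "SPHardwareDataType", "SPDisplaysDataType"}
LONG_SCRIPT = 200           # assumed minimum length for a "long" inline AppleScript block

@dataclass
class Finding:
    rule: str       # short rule name (assumed naming)
    technique: str  # ATT&CK technique from the mapping above
    detail: str

def check_event(ev: dict) -> list[Finding]:
    """Return every AMOS-style indicator a single telemetry event matches."""
    found: list[Finding] = []
    if ev.get("type") == "process":
        argv = ev.get("argv") or []
        exe = argv[0] if argv else ""
        # Interpreter launched on the script dropped to /var/tmp/olx
        if DROP_PATH in argv[1:]:
            found.append(Finding("dropped_python_script", "T1059.006", DROP_PATH))
        # osascript -e carrying an unusually long inline AppleScript block
        if exe.endswith("osascript") and "-e" in argv:
            script = " ".join(argv[argv.index("-e") + 1:])
            if len(script) >= LONG_SCRIPT:
                found.append(Finding("long_inline_applescript", "T1005", f"{len(script)} chars"))
        # system_profiler queried for the data types the report ties to anti-emulation checks
        hit = PROFILER_TYPES.intersection(argv[1:])
        if exe.endswith("system_profiler") and hit:
            found.append(Finding("system_profiler_fingerprint", "T1497", ",".join(sorted(hit))))
    elif ev.get("type") == "http":
        # HTTP POST to the /p2p path used for exfiltration
        if ev.get("method") == "POST" and ev.get("path") == C2_PATH:
            found.append(Finding("c2_post_p2p", "T1041", str(ev.get("host", ""))))
    return found

def rules_hit(events: list[dict]) -> list[str]:
    # Distinct rule names matched across a batch of events, sorted
    return sorted({f.rule for ev in events for f in check_event(ev)})

# Constructed sample telemetry (not from a real infection); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 501, "argv": ["/usr/bin/python3", "/var/tmp/olx"]},
    {"type": "process", "pid": 502, "argv": ["/usr/bin/osascript", "-e", 'tell application "Safari" to get name of every window; ' * 8]},
    {"type": "process", "pid": 503, "argv": ["/usr/sbin/system_profiler", "SPSoftwareDataType", "SPHardwareDataType", "SPDisplaysDataType"]},
    {"type": "http", "pid": 501, "method": "POST", "host": "203.0.113.10", "path": "/p2p"},
    {"type": "process", "pid": 600, "argv": ["/usr/bin/osascript", "-e", 'display notification "done"']},  # benign
]
```

Any single rule will fire on legitimate activity (short `osascript -e` calls and `system_profiler` runs are common), so in practice the signal is several rules firing from the same process tree within a short window.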
## Mitigation Strategies
- Prevention measures: Ensure macOS Gatekeeper and XProtect restrictions are fully enabled. Train users to scrutinize unsigned applications and to avoid the right-click-and-open workaround that bypasses Gatekeeper warnings.
- Hardening recommendations: Implement strict application allow-listing policies. Monitor suspicious file drops in temporary directories like `/var/tmp/`. Monitor for unsigned Mach-O files executing on the system.
## Related Tools/Techniques
- RustDoor backdoor (shares code similarity in the AppleScript collection components).
- Previous variants of AMOS Stealer (Targeted `~/Library/Application Support/Binance/app-store.json`).