Full Report
Here at Bitdefender, we're constantly working on improving detection capabilities for our macOS cyber-security products; part of this effort involves revisiting old (or digging up new) samples from our malware zoo. During routine verifications, we were able to isolate multiple suspicious and undetected macOS disk image files surprisingly small for files of this kind (1.3 MB per file). A short look into the code revealed that these files are significantly similar to other samples analysed in the
Analysis Summary
# Tool/Technique: AMOS (Atomic) Stealer variant
## Overview
A newly identified, largely undetected variant of the AMOS (Atomic) Stealer malware targeting macOS. This variant uses a dropper mechanism via disk images (DMG) containing FAT binaries (Mach-O files for Intel and ARM) which drop and execute a Python script for data exfiltration. It is notable for combining Python and AppleScripting and attempting to steal the local user's account password via a fake system update dialog.
## Technical Details
- Type: Malware family (Stealer variant)
- Platform: macOS
- Capabilities: Information theft (browser data, crypto-wallet files, system info, keychains, targeted file extensions), local password harvesting, sandbox/emulator detection, data exfiltration via HTTP POST.
- First Seen: Family first documented early 2023; this specific variant is newly identified.
## MITRE ATT&CK Mapping
- TA0009 - Collection
- T1005 - Data from Local System
- T1005.004 - Data from Kerberos Keys (Indirect via Keychain theft)
- T1119 - Data from the Operating System
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
- TA0003 - Persistence (Implied via initial execution by user action)
- TA0001 - Initial Access (Via user opening DMG and executing installer)
## Functionality
### Core Capabilities
- **Dropping Mechanism:** DMG files contain `Crack Installer` (Mach-O binary) which bypasses signature checks by relying on user interaction (Right Click -> Open).
- **Malware Payload Delivery:** The Mach-O dropper decodes an XOR-encrypted Python script from the `__const` section and saves it to `/var/tmp/olx` for execution.
- **Credential Harvesting:** Prompts the user for their local account password under the guise of a system update. Correct passwords are saved to a file named `psw`.
- **Information Gathering:** Collects browser data (Passwords, Cookies, Login Data, Forms data), files from Desktop/Documents with targeted extensions, hardware/system information (`system_profiler`), crypto-wallet files, and the user's `login.keychain-db`.
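As an added triage example (not Bitdefender's tooling and not code from the sample), the following recovers an XOR-encoded script from the raw bytes of a `__const` section. It assumes a single-byte key, a hypothetical list of marker strings, and that the section bytes were already extracted with a separate Mach-O parser; the encoded stub is constructed.

```python
"""Triage helper (added example): given the bytes of a Mach-O __const section,
try to recover a single-byte-XOR-encoded Python script. Single-byte key and
marker strings are assumptions, not facts from the report."""
import string

# Substrings one would expect in a dropped stealer script; hypothetical list.
MARKERS = (b"import os", b"osascript", b"/var/tmp/", b"subprocess")
PRINTABLE = set(bytes(string.printable, "ascii"))


def xor_bytes(buf: bytes, key: int) -> bytes:
    """XOR every byte of buf with a single-byte key."""
    return bytes(b ^ key for b in buf)


def printable_ratio(buf: bytes) -> float:
    """Fraction of printable ASCII bytes; plain Python source is close to 1.0."""
    return sum(b in PRINTABLE for b in buf) / len(buf) if buf else 0.0


def recover_xor_script(section: bytes, min_ratio: float = 0.95):
    """Brute-force all 256 keys; return (key, plaintext) for the first candidate
    that is mostly printable and contains a marker, or None if nothing matches."""
    for key in range(256):
        decoded = xor_bytes(section, key)
        if printable_ratio(decoded) < min_ratio:
            continue  # binary-looking output cannot be a script
        if any(m in decoded for m in MARKERS):
            return key, decoded
    return None


# Constructed sample: a harmless stub encoded with key 0x5A stands in for the
# real __const contents; no payload from the sample is reproduced here.
SAMPLE_SCRIPT = b"import os\nprint(os.path.expanduser('~'))\n"
SAMPLE_SECTION = xor_bytes(SAMPLE_SCRIPT, 0x5A)

if __name__ == "__main__":
    hit = recover_xor_script(SAMPLE_SECTION)
    if hit:
        key, script = hit
        print(f"key=0x{key:02x}")
        print(script.decode("ascii"))
```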
### Advanced Features
- **Hybrid Scripting:** Combines Python code with extensive AppleScript executed via `osascript -e`.
- **Safari Cookie Theft:** Specifically targets and collects Safari cookies (`~/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies`).
- **Anti-Analysis Attempt:** Utilizes system profiling with arguments like `SPSoftwareDataType`, `SPHardwareDataType`, and `SPDisplaysDataType` potentially to detect virtual environments or sandboxes.
- **Code Similarity:** Exhibits significant code similarity in its AppleScript block with the RustDoor backdoor (2nd variant).
- **Data Minimization:** Archives collected files before exfiltration to minimize traces.
## Indicators of Compromise
- File Hashes:
  - DMG Hashes: `0caf5b5cc825e724c912ea2a32eceb59`, `f0dc72530fa06b278b7da797e5fcb3a1`, `6c402df53630f7a41f9ceaafdca63173`, `e5c059cc26cc430d3294694635e06aef`, `b1e0274963801a8c27ef5d6b17fe4255`, `8672d682b0a8963704761c2cc54f7acc`, `11183a3f8a624dbf66393f449db8212e`, `e6412f07e6f2db27c79ad501fbdb6a99`, `b1b64298a01b55720eb71145978dd96b`, `15e64a1f7c5ca5d64f4b2a8bf60d76a0`, `4dce69d4d030bd60ee24503b8bdda39d`, `740e5f807102b524188ffd198fe9bb3b`, `8c71b553c29ff57cf135863f6de7125e`
  - Mach-O Dropper Hashes: `6aab14b38bbb6b07bd9e5b29a6514b62`, `af23cd92ab15ebcc02b91664a0adc6fb`, `d9c40f35b9eaf16a2a7b4204a4e369a8`, `6e777e9d95945386ced5c1cbb3173854`, `bc113574cfe6b8d0fb6fb13f43be261b`, `e125d2e359995c4f4b4d262244767385`, `98fdef18dfca95dfd75630d8f1d54322`, `a66027146c009b3fdbc29400c7c74346`, `df74b93df64240e86d8d721c03d7a8a3`, `08fc1d03db95a69cddcd173c1311e681`, `013f3ba3a61ba52ba00b53da40da8a2b`, `259809091a9d4144a307c6363e32d2ea`
  - Python Script Hashes: `6e375185480ee26c2f31c04c36a8a0e8`, `c8ac97b9df5a2dc51be6a65e6d7bce6b`, `70b0f6ff8facca122591249f9770d7c9`, `fba8e41640a249f638de197ad615bd72`
- File Names: `Crack Installer` (Application name), `psw` (password file), files generated from system profiling saved as `user`.
- Registry Keys: N/A (macOS specific)
- Network Indicators:
  - C2 Server (IP): `5[.]42[.]65[.]114`
  - C2 Endpoint: `/p2p` (used for POST exfiltration)
- Behavioral Indicators: Execution following user interaction with a DMG file, dropping a script to `/var/tmp/olx`, use of `osascript -e` command, prompt for user credentials masquerading as an OS update.
## Associated Threat Actors
- Historically associated with a Russian threat actor (Confirmed by C2 address association).
## Detection Methods
- Signature-based detection:
  - DMG files: `Gen:Variant.Trojan.MAC.Dropper.5` or `Trojan.MAC.Dropper`
  - Python scripts: `Generic.MAC.Stealer.G`
- Behavioral detection: Monitoring for the execution chain originating from opened disk images leading to script execution in `/var/tmp/` and subsequent high-value data collection attempts.
## Mitigation Strategies
- **User Education:** Warn users about social engineering tactics employing "Right Click -> Open" to bypass Gatekeeper/Notarization warnings, especially when encountering unsolicited DMGs.
- **Application Control:** Restrict execution of unsigned binaries, although the technique used successfully bypasses standard checks.
- **Endpoint Security:** Ensure up-to-date security solutions capable of detecting the known hashes and behavioral patterns (e.g., monitoring `osascript` execution embedding large payloads).
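The behavioural indicators listed in this report (a binary launched from a mounted DMG running a script under `/var/tmp/`, an oversized inline `osascript -e` payload, and a POST to the `/p2p` endpoint on the C2 address) can be turned into simple telemetry rules. The block below is an added example, not Bitdefender's detection logic; the event field names, the 2 KiB payload threshold and the sample events are assumptions.

```python
"""Added detection example: scan constructed process/network events for the
execution chain described in the report. Field names, threshold and sample
telemetry are assumptions; the C2 IP and /p2p path come from the report."""
import shlex

C2_IP = "5.42.65.114"          # report lists it defanged as 5[.]42[.]65[.]114
OSASCRIPT_INLINE_MAX = 2048    # assumed: benign -e snippets are far shorter


def inline_osascript_len(cmdline: str) -> int:
    """Total length of script text passed inline via one or more -e arguments."""
    argv = shlex.split(cmdline)
    return sum(len(argv[i + 1]) for i, a in enumerate(argv[:-1]) if a == "-e")


def detect(events):
    """Return one alert string per event matching a behavioural indicator."""
    alerts = []
    for e in events:
        if e["type"] == "process":
            cmd = e["cmdline"]
            exe = shlex.split(cmd)[0] if cmd else ""
            if exe.endswith("osascript") and inline_osascript_len(cmd) > OSASCRIPT_INLINE_MAX:
                alerts.append(f"pid {e['pid']}: oversized inline osascript -e payload")
            if e["parent_path"].startswith("/Volumes/") and "/var/tmp/" in cmd:
                alerts.append(f"pid {e['pid']}: DMG-launched {e['parent_path']} runs script from /var/tmp/")
        elif e["type"] == "network":
            if e["dst_ip"] == C2_IP and e["method"] == "POST" and e["path"] == "/p2p":
                alerts.append(f"pid {e['pid']}: POST to known C2 {C2_IP}{e['path']}")
    return alerts


# Constructed telemetry; PIDs and paths are illustrative only.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 501, "parent_path": "/Volumes/Installer/Crack Installer",
     "cmdline": "/usr/bin/python3 /var/tmp/olx"},
    {"type": "process", "pid": 502, "parent_path": "/usr/bin/python3",
     "cmdline": "/usr/bin/osascript -e " + shlex.quote("x" * 3000)},
    {"type": "process", "pid": 503, "parent_path": "/System/Applications/Utilities/Terminal.app",
     "cmdline": "/usr/bin/osascript -e " + shlex.quote('display notification "done"')},
    {"type": "network", "pid": 501, "dst_ip": C2_IP, "method": "POST", "path": "/p2p"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```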
## Related Tools/Techniques
- RustDoor Backdoor (2nd variant): Shared high similarity in the AppleScript component used for file collection.
- Previous AMOS Stealer variants: Share similar goals of harvesting browser data and targeting files like `~/Library/Application Support/Binance/app-store.json`.