Researchers flag macOS malware that steals keychain passwords and crypto wallets

Security researchers from Cyble are warning against a new macOS malware dubbed Atomic macOS Stealer (AMOS) that is being advertised on Telegram.

"The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder and even the macOS password," the researchers wrote in a technical report.

The malware developers are asking for $1,000 monthly to use the malware which comes complete with a web panel to manage victims.

To avoid suspicion the malware has been created to look like an unsigned disk image file. Once a user runs it, they are prompted to enter their system password which the malware captures allowing the attacker to escalate privileges and cause more damage to the victim.

This technique is similar to MacStealer, another macOS malware that was discovered early this year.

Samples of the malware flagged by researchers had names of popular apps such as Notion, Photoshop, and Tor browser which is how the threat actors are luring unsuspecting victims.

However, the researchers say that AMOS can also be pushed to the victim’s computer by exploiting existing vulnerabilities.

Once it has been launched successfully, the malware exfiltrates system metadata, files, iCloud Keychain, as well as information stored in web browsers like passwords, autofill, cookies, and credit card data. The data is then compressed into a ZIP archive and sent to a remote server.

This recent finding is evidence that macOS is increasingly becoming lucrative to cyber attackers and users need to take steps to protect themselves.

A good place to start is to enable two-factor authentication, review app permissions, and avoid opening suspicious links received via emails or SMS messages. Also, don’t download files from untrusted sites.