Buyers get a single DMG file containing 64-bit, Go-based malware designed to attack macOS systems and steal Keychain passwords, files from the local file system, and the passwords, cookies, and credit card data stored in browsers. The Atomic malware also steals data from over 50 cryptocurrency wallet extensions.
Additionally, with the $1,000/month subscription, cybercriminals get an out-of-the-box web panel for managing stolen logs, a MetaMask brute-forcer, a cryptocurrency checker, a DMG installer, and the ability to receive stolen logs on Telegram.
The macOS information stealer was recently discovered by a Trellix researcher and by Cyble researchers, who analyzed a sample of the “Atomic” malware and reported that the author had released a new version on April 25, 2023.
Distribution of the Atomic macOS malware depends on the cybercriminal using it; it can be delivered through phishing emails, malicious advertisements, social media posts, and so on.
Atomic macOS Malware
Atomic info-stealer provides a full suite of data-stealing features that allow deeper penetration into the target system.
After the malicious DMG file is executed, the malware displays a fake password prompt to obtain the system password and take control of the victim’s computer, giving the attacker access to sensitive information. A future update of the Atomic macOS malware might also modify system settings or install additional malicious payloads.
After the initial compromise, the malware attempts to extract the Keychain, macOS’s built-in password manager, which contains Wi-Fi passwords, website links, credit card data, and other encrypted information.
After doing the above, the Atomic malware proceeds to extract information from software running on the compromised macOS machine, including the following:
System information: model name, hardware UUID, RAM size, number of cores, serial number, etc.
Desktop Cryptocurrency Wallets: Electrum, Binance, Exodus, Atomic
Cryptocurrency wallet extensions: As noted above, more than 50 extensions are affected, including Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, Coinbase, Guarda, TronLink, Trezor Password Manager, MetaMask, Yoroi, and BinanceChain.
Web browser data: Autofill, passwords, cookies, and credit cards from Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, and Vivaldi.
The Atomic macOS malware also gives operators the ability to steal files directly from the “Desktop” and “Documents” directories.
However, the malware must request permission to access these files, and that permission prompt may alert victims to the malicious activity.
When stealing data, the Atomic malware bundles it into a single ZIP file and sends it to the threat actor’s command-and-control server, which Cyble reports is located at “Amos-malware[.]ru/sendlog”.
According to the Trellix researcher, the IP address associated with the threat actor’s command-and-control server and the build name are also used by Raccoon Stealer, which indicates a possible link between the two malicious operations.
From there, the selected information and the ZIP file are also sent to the operator’s private Telegram channel.
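The exfiltration pattern described above (a single ZIP archive POSTed to the reported “Amos-malware[.]ru/sendlog” endpoint) is something a defender can hunt for in web-proxy logs. The following is an added example, not code from the article or from Cyble or Trellix: it parses a constructed, made-up proxy log format (timestamp, source IP, method, host, path, content type, byte count), matches the C2 host and path the article names, and also flags large ZIP uploads as a weaker, behaviour-based indicator. The log line format, the sample entries and the 500 KB threshold are all assumptions for the example.

```python
import re
from dataclasses import dataclass

# Indicator from the article (printed there defanged as "Amos-malware [.]ru/sendlog").
C2_HOST = "amos-malware.ru"
C2_PATH = "/sendlog"

# Constructed sample proxy log lines (not real traffic). Assumed format:
# <timestamp> <src_ip> <method> <host> <path> <content-type> <bytes>
SAMPLE_LOGS = [
    "2023-04-26T10:01:02Z 10.0.0.12 GET www.apple.com / text/html 512",
    "2023-04-26T10:02:15Z 10.0.0.12 POST amos-malware.ru /sendlog application/zip 1843200",
    "2023-04-26T10:03:40Z 10.0.0.14 POST api.example.test /upload application/json 220",
    "2023-04-26T10:04:01Z 10.0.0.12 POST AMOS-MALWARE.RU /sendlog application/octet-stream 99",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<ctype>\S+) (?P<bytes>\d+)$"
)

# Uploads above this size that carry a ZIP content type get a behavioural flag
# (assumed threshold; tune to the environment's normal upload sizes).
LARGE_ZIP_BYTES = 500_000


@dataclass
class Alert:
    ts: str
    src: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = rec["host"].lower()  # hostnames are case-insensitive
    return rec


def classify(rec):
    """Return the list of reasons a record is suspicious (empty list if none)."""
    reasons = []
    # Strong indicator: the reported C2 host (or any subdomain of it).
    if rec["host"] == C2_HOST or rec["host"].endswith("." + C2_HOST):
        reasons.append("known AMOS C2 host")
    # Medium indicator: a POST to the reported collection path, on any host,
    # in case the operator moves the same panel to new infrastructure.
    if rec["method"] == "POST" and rec["path"] == C2_PATH:
        reasons.append("POST to /sendlog endpoint")
    # Weak, behaviour-based indicator: a large ZIP upload, matching the
    # article's description of stolen data bundled into a single archive.
    if (rec["method"] == "POST" and rec["ctype"] == "application/zip"
            and rec["bytes"] > LARGE_ZIP_BYTES):
        reasons.append("large ZIP upload (possible bundled exfil archive)")
    return reasons


def scan(lines):
    """Run every parseable line through classify() and collect alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        reasons = classify(rec)
        if reasons:
            alerts.append(Alert(rec["ts"], rec["src"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"{alert.ts} {alert.src}: {alert.reason}")
```

The three checks are deliberately kept separate so that a single host-based indicator going stale (the operator re-registering a domain) does not silence the whole detection: the path and the archive-upload behaviour still produce a lower-confidence alert worth triaging against the source host's process activity.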
macOS is often considered more secure than other operating systems. Nevertheless, threat actors (TAs) have frequently targeted macOS in recent years, with malware families including MacStealer, RustBucket, and DazzleSpy; Atomic is the latest addition to that list.
To protect your Mac, follow basic precautions such as installing antivirus software and keeping your system and applications updated.