Hundreds Targeted in New Atomic macOS Stealer Campaign

Posted on By CWS

CrowdStrike warns of a spike in assaults aimed toward infecting macOS customers with a variant of the notorious Atomic macOS Stealer (AMOS) data stealer.

Between June and August, the cybercrime group Cookie Spider, which operates the AMOS malware-as-a-service (MaaS) enterprise, used malvertising to direct victims to fraudulent assist web sites and trick them into putting in the malware.

The marketing campaign, CrowdStrike says, focused customers who have been trying to find options to frequent macOS points, and relied on selling fraudulent commercials for web sites the place victims have been instructed to execute a malicious command on their techniques.

The command would fetch a Bash script from a distant server, to seize the sufferer’s password and obtain an executable from one other distant location.

Dubbed SHAMOS, the payload is a variant of AMOS that accommodates anti-VM checks to forestall execution in a sandboxed setting, and which might carry out reconnaissance and information assortment duties.

The malware searches the system for recordsdata that comprise credentials, information from Keychain, AppleNotes, browsers, and identified cryptocurrency wallets, and makes an attempt to exfiltrate them to a distant server, packed in a ZIP archive.

Moreover, SHAMOS can obtain and execute payloads, together with a botnet module and a faux Ledger Reside pockets software.

The malvertising marketing campaign focused customers in Canada, China, Colombia, Italy, Japan, Mexico, the US, the UK, and different international locations, however was not served to Russian customers.Commercial. Scroll to proceed studying.

CrowdStrike’s investigation revealed that the cybercriminals probably impersonated a reliable Australia-based electronics retailer of their Google Promoting profile.

“This marketing campaign underscores the recognition of malicious one-line set up instructions amongst eCrime actors. This method permits them to bypass Gatekeeper safety checks and set up the Mach-O executable immediately onto sufferer gadgets,” CrowdStrike notes.

Associated: Homebrew macOS Customers Focused With Info Stealer Malware

Associated: Excessive-Worth NPM Builders Compromised in New Phishing Marketing campaign

Associated: North Korean Hackers Goal macOS Customers

Associated: Digium Telephones Focused in Cybercrime Marketing campaign Geared toward VoIP Methods

Security Week News Tags:, , , , ,

Related Posts

Cybersecurity M&A Roundup: 44 Deals Announced in July 2025 Security Week News
Approov Raises $6.7 Million for Mobile App Security Security Week News
ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Aveva, CISA Security Week News
In Other News: Critical Zoom Flaw, City’s Water Threatened by Hack, $330 Billion OT Cyber Risk Security Week News
Microsoft Dissects PipeMagic Modular Backdoor Security Week News
SonicWall SMA Appliances Targeted With New ‘Overstep’ Malware Security Week News