Cyber Web Spider Blog – News

AMOS macOS Stealer Hides in GitHub With Advanced Sophistication Methods

Posted on June 14, 2025June 14, 2025 By CWS

A sophisticated new variant of the AMOS macOS stealer has emerged, showing an unprecedented level of technical sophistication in its distribution and obfuscation techniques.

The malware uses GitHub repositories as distribution platforms, exploiting the platform's legitimacy to bypass security controls and target unsuspecting macOS users with its cryptocurrency-theft capabilities.

The latest campaign involves a multi-layered attack chain that begins with malicious DMG files hosted on GitHub repositories, specifically targeting users searching for legitimate applications.

The malware employs advanced obfuscation techniques, including multiple layers of base64 encoding, XOR encryption, and custom alphabets, to evade detection by conventional security solutions.

Once executed, the stealer deploys both x64 and ARM64 builds to ensure compatibility across different Mac architectures.

Jason Reaves, a malware researcher (Crimeware Threat Intel and Reverse Engineer at Walmart), identified this sophisticated campaign while monitoring recent AMOS activity.

His analysis revealed that the malware sample 9f8c5612c6bfe7ab528190294a9d5eca9e7dec3a7131463477ae103aeec5703b represents a significant evolution in the threat's capabilities, incorporating advanced evasion techniques not previously seen in macOS malware campaigns.

The attack primarily targets cryptocurrency wallet users, with the malware masquerading as legitimate applications such as Ledger Live to steal seed phrases and private keys.

The campaign shows remarkable persistence, with threat actors quickly setting up new repositories when earlier ones are taken down by GitHub's security teams.

Installation instructions (Source – Medium)

This cat-and-mouse dynamic highlights the challenges platform providers face in combating sophisticated threat actors who abuse legitimate services for malicious purposes.

Advanced Obfuscation and Decoding Mechanisms

The technical sophistication of this AMOS variant lies in its multi-stage obfuscation process, which involves three distinct decoding layers.

The initial payload contains an obfuscated shell script that undergoes base64 decoding followed by XOR operations using hardcoded keys.

The deobfuscation process reveals an AppleScript component that searches for mounted volumes containing "touchlock" before executing the primary payload.

Touchlock repo (Source – Medium)

The core decoding algorithm implements a three-block scheme in which equal-sized data blocks undergo mathematical operations.

The algorithm processes each double-word (dword) with a subtraction followed by an XOR, as shown in the extraction code: a = (a - d) & 0xffffffff; a ^= c.

This computation yields a custom base64 alphabet, xtk1IbLCo9pQgDwBKNl_Pa*Z-J40zOiEr&5n8s=R!dAG%$<SF@#+)eT2hcH?ufVy, which is used to decode the subsequent payload.
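As an added analyst-side example (not code from the article or from the researcher's write-up), the Python below decodes data written in the custom alphabet quoted above, where '=' is an ordinary symbol rather than padding, and applies the per-dword subtract-and-XOR step from the extraction code. The block order (a, c, d) and little-endian dwords are assumptions; the article gives only the formula.

```python
import struct

# Custom base64 alphabet quoted in the article. '=' is a data symbol here
# (index 38), so it cannot double as padding the way it does in stock base64.
AMOS_ALPHABET = "xtk1IbLCo9pQgDwBKNl_Pa*Z-J40zOiEr&5n8s=R!dAG%$<SF@#+)eT2hcH?ufVy"
assert len(AMOS_ALPHABET) == 64 and len(set(AMOS_ALPHABET)) == 64
_INDEX = {ch: i for i, ch in enumerate(AMOS_ALPHABET)}


def custom_b64_decode(text: str) -> bytes:
    """Decode text written in the custom alphabet. Every symbol is data, so
    there is no padding: trailing bits short of a byte are dropped, and
    characters outside the alphabet (e.g. whitespace) are skipped."""
    acc = bits = 0
    out = bytearray()
    for ch in text:
        if ch not in _INDEX:
            continue
        acc, bits = (acc << 6) | _INDEX[ch], bits + 6
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
            acc &= (1 << bits) - 1  # keep only the leftover bits
    return bytes(out)


def custom_b64_encode(data: bytes) -> str:
    """Inverse of custom_b64_decode; used here only to build test input."""
    acc = bits = 0
    out = []
    for byte in data:
        acc, bits = (acc << 8) | byte, bits + 8
        while bits >= 6:
            bits -= 6
            out.append(AMOS_ALPHABET[(acc >> bits) & 0x3F])
    if bits:  # pad the final partial group with zero bits
        out.append(AMOS_ALPHABET[(acc << (6 - bits)) & 0x3F])
    return "".join(out)


def three_block_decode(blob: bytes) -> bytes:
    """Per-dword step from the article: a = (a - d) & 0xffffffff; a ^= c.
    Assumptions (not stated in the article): the blob is split into three
    equal blocks in the order a, c, d, and dwords are little-endian."""
    if not blob or len(blob) % 12:
        raise ValueError("need three equal blocks made of whole dwords")
    n = len(blob) // 3
    a, c, d = (struct.unpack(f"<{n // 4}I", blob[k * n:(k + 1) * n]) for k in range(3))
    out = [((x - z) & 0xFFFFFFFF) ^ y for x, y, z in zip(a, c, d)]
    return struct.pack(f"<{n // 4}I", *out)
```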

The malware's persistence mechanism involves copying the .touchlock file to the temporary directory, removing extended attributes with xattr -c, and executing it with elevated permissions.

Command-and-control communications use several domains, including heathlypet[.]com and isnimitz[.]com, as well as several IP addresses, among them 45.94.47[.]136 and 85.192.49[.]118.

This distributed infrastructure ensures operational continuity even when individual nodes are compromised or taken offline.
