Mac malware-for-hire steals passwords and cryptocoins, sends “crime logs” via Telegram

Researchers at dark web monitoring company Cyble recently wrote about a data-stealing-as-a-service toolkit that they found being advertised in an underground Telegram channel.

One somewhat unusual aspect of this “service” (and in this context, we don’t mean that word in any sort of positive sense!) is that it was specifically built to help would-be cybercriminals target Mac users.

The malware peddlers’ focus on Apple fans was clearly reflected in the name they gave their “product”: Atomic macOS Stealer, or AMOS for short.

They’re after passwords, cryptocoins and files

According to Cyble, the crooks are explicitly advertising that their malware can do all of these things:

  • Rip off passwords and authentication information from your macOS Keychain (Apple’s internal storage system for passwords and authentication credentials).
  • Steal files from your Desktop and Documents directories.
  • Retrieve comprehensive information about your system.
  • Plunder secret data from eight different browsers.
  • Slurp the contents of dozens of different cryptowallets.

Ironically, the one browser that doesn’t show up on the list is Apple’s own Safari, but the sellers claim to be able to exfiltrate data from Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, and Opera’s gamer-centric browser, OperaGX.

As an AMOS “customer”, you also get an account on the cybergang’s online AMOS cloud portal, and a feature to send “crime logs” and stolen data directly to your Telegram account, so you don’t even need to log in to the portal to check for successful attacks.

As well as that, you get what the crooks describe as a beautiful DMG installer, presumably to improve the likelihood that you can lure prospective victims into installing the software in the first place.

DMGs are Apple Disk Image files, commonly used by legitimate software developers as a well-known, good-looking, easy-to-use way of delivering Mac applications.

All this for $1000 a month.

Watch out for password prompts

As you can imagine, attackers who want to access your macOS Keychain can’t do so simply by tricking you into running a program while you’re already logged in.

Running an app under your account is enough to read many or most of your files, but actions such as viewing and changing system settings, and viewing Keychain items, require you to put in your password every time, as an extra layer of safety and security.

In this case, Cyble researchers noted that the malware lures you into giving away your account password by popping up a dialog with the title System Preferences (in macOS Ventura, it’s actually now called System Settings), and claiming that macOS itself “wants to access System Preferences”.

Well-informed Mac users should spot that the popup produced clearly belongs to the malware app itself, which is simply called Setup.

Password dialogs that are requested by the System Preferences (or System Settings) app itself come up as an integral part of the Preferences application window.

So, they can only be accessed when the System Preferences app itself has focus and thus shows up as the active application in your Mac’s menu bar.
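The check described above can be scripted. The following helper is an added example written for this article; it is not part of the original post and not code from Cyble or the malware. It assumes macOS with `osascript` available (the script says so if it is missing) and that you allow Terminal to control “System Events” the first time it asks. The decision rule is kept in a separate function so it can be read on its own; the names in it are the two that Apple has used for the settings app.

```shell
#!/bin/sh
# Added example: before typing a password into an unexpected prompt, ask macOS
# which application is frontmost. A genuine System Preferences / System Settings
# password sheet only appears while that app is the active application.

# Names the settings app has used in recent macOS releases (Ventura renamed it).
is_settings_app() {
  case "$1" in
    "System Preferences"|"System Settings") return 0 ;;
    *) return 1 ;;
  esac
}

# Pure classification of an application name, separated out so the rule can be
# tested without a running GUI.
classify_prompt_owner() {
  if is_settings_app "$1"; then
    echo "genuine-looking: owned by the settings app"
  else
    echo "suspicious: prompt is owned by '$1', not by the settings app"
  fi
}

# Asks macOS for the name of the frontmost application (macOS only).
frontmost_app() {
  command -v osascript >/dev/null 2>&1 || {
    echo "osascript not found; this check only works on macOS" >&2
    return 2
  }
  osascript -e 'tell application "System Events" to get name of first application process whose frontmost is true'
}

# Usage: sh check_prompt.sh --check [seconds]
# Run it, then click the suspicious prompt within the delay so that the prompt's
# owner is frontmost when the sample is taken.
if [ "${1:-}" = "--check" ]; then
  delay="${2:-5}"
  echo "Bring the password prompt to the front; sampling in ${delay}s..."
  sleep "$delay"
  app=$(frontmost_app) || exit $?
  printf 'Frontmost app: %s\n%s\n' "$app" "$(classify_prompt_owner "$app")"
fi
```

If the report names something like Setup rather than the settings app, close the prompt without typing anything. The delay exists because the moment you switch to Terminal to run the script, Terminal itself is the frontmost app.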

What to do?

Malware that specifically targets Mac users is rare compared to malware aimed at Windows users, but this find by Cyble’s dark web diggers is a reminder that “unusual” is not the same as “non-existent”.

If you’re one of those Mac users who tends to treat cybersecurity as a curiosity instead of building it into your digital lifestyle, perhaps because a friend or family member once assured you that “Macs don’t get viruses”…

…please treat this article as a gentle reminder that malware attacks aren’t just things that happen to other people.

  • Stick to reputable download sites. Apple’s own App Store isn’t perfect, but it’s less of a free-for-all than sites and services you’ve never heard of. You can control the source of apps you install via the System Settings > Privacy & Security page, accessible directly from the Apple menu. If you need off-market apps, you can always give yourself access temporarily, and then lock your system down again immediately afterwards.
  • Don’t be fooled by what these crooks refer to as the “beauty” of an app. Modern software development tools make it easier than ever to produce professional-looking applications and installers, so malware doesn’t inevitably give itself away by looking sub-standard.
  • Consider running real-time malware blocking tools that not only scan downloads, but also proactively prevent you from reaching dangerous download servers in the first place. Sophos Home is modestly priced for up to 10 computers, which can be a mix of Mac and Windows systems. You can invite friends and family to share your licence, and help them by looking after their devices remotely via our cloud-based console, so you don’t need to run a server at home.
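The app-source control mentioned in the first tip is macOS Gatekeeper, and you can ask it directly what it thinks of an app you have just copied out of a DMG before you double-click it. The script below is an added example for this article, not Sophos, Cyble or Apple code. It assumes macOS with `spctl`, `codesign` and `xattr` on the PATH and a path to an application bundle; the two parsing helpers take the tools' text output as an argument so that the decision rules can be exercised with constructed output on any system.

```shell
#!/bin/sh
# Added example: vet a downloaded .app bundle with the same Gatekeeper policy
# that System Settings > Privacy & Security controls.

# Pure helper: turn `spctl --assess` output into a one-word verdict.
verdict_from_spctl() {
  case "$1" in
    *": accepted"*) echo "accepted" ;;
    *": rejected"*) echo "rejected" ;;
    *)              echo "unknown" ;;
  esac
}

# Pure helper: is Gatekeeper enabled, judging from `spctl --status` output?
gatekeeper_enabled() {
  case "$1" in
    *"assessments enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

vet_app() {
  app="$1"
  if [ ! -d "$app" ]; then
    echo "not an app bundle directory: $app" >&2
    return 2
  fi
  for tool in spctl codesign xattr; do
    command -v "$tool" >/dev/null 2>&1 || {
      echo "$tool missing; this check only runs on macOS" >&2
      return 2
    }
  done

  status=$(spctl --status 2>&1)
  if gatekeeper_enabled "$status"; then
    echo "Gatekeeper: enabled"
  else
    echo "Gatekeeper: DISABLED ($status); re-enable it under Privacy & Security"
  fi

  # The quarantine attribute is what makes macOS run Gatekeeper on a download.
  if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
    echo "Quarantine flag: present (app will be assessed on first open)"
  else
    echo "Quarantine flag: absent (Gatekeeper will not re-check this app)"
  fi

  # Signature integrity: do the bundle contents still match the signature?
  if codesign --verify --deep --strict "$app" 2>/dev/null; then
    echo "Code signature: valid"
  else
    echo "Code signature: missing or invalid"
  fi

  # Policy decision: would Gatekeeper allow this app to launch?
  out=$(spctl --assess --type execute --verbose=4 "$app" 2>&1)
  echo "Gatekeeper verdict: $(verdict_from_spctl "$out")"
  echo "$out" | grep -i '^source=' || true
}

# Usage: sh vet_app.sh /path/to/Something.app
if [ -n "${1:-}" ]; then
  vet_app "$1"
fi
```

An app that is “rejected”, has no valid signature, or arrives with the quarantine flag already stripped deserves the same suspicion as the password prompt described earlier, however polished its installer looks.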

Note. If you are a Sophos user and would like to check your logs, Sophos products detect and block the malware in Cyble’s report under the name OSX/InfoStl-CP.