A new version of Atomic macOS Stealer (AMOS) has been spotted in a malvertising campaign that targets people searching for software on Google. According to Malwarebytes, the malware was first advertised on Telegram in April, and its authors released a new version at the end of June.
How the campaign works
The latest variant, tracked as OSX.AtomStealer, is distributed via cracked software for the TradingView app, a platform for tracking financial markets.
Users looking for this software are shown ads hijacked by threat actors at the top of the Google search results.
Some of these ads were found using Unicode characters to mimic the real domain and evade detection by Google’s ad quality checks.
When the user clicks on the ad, they are redirected to a phishing page that includes three download buttons: one each for Windows, Mac, and Linux.
Both Windows and Linux buttons point to an MSIX installer that drops NetSupport RAT malware to deploy other malicious payloads.
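The Unicode lookalike trick described above can be checked for on the defender's side, for example when triaging ad landing URLs or proxy logs. The following Python sketch is an added example, not code from Malwarebytes or from the campaign; the protected domain list, the small confusables map and the function names are assumptions made for illustration, and the sample domains in use are constructed.

```python
import unicodedata

# Assumption: the domain to protect; real deployments would load a brand list.
PROTECTED = {"tradingview.com"}

# Constructed, non-exhaustive map of lookalike characters to ASCII letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u0475": "v", "\u0501": "d",
    "\u0131": "i",
}

def to_unicode(domain):
    """Lower-case the name and decode any punycode (xn--) labels."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep it as written
        labels.append(label)
    return ".".join(labels)

def base_domain(name):
    """Naive registrable domain: last two labels (ignores suffixes like co.uk)."""
    return ".".join(name.split(".")[-2:])

def skeleton(domain):
    """Fold compatibility forms and known lookalikes down to ASCII."""
    text = unicodedata.normalize("NFKC", to_unicode(domain))
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def scripts(domain):
    """Scripts used by the letters, taken from each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in to_unicode(domain) if ch.isalpha()}

def classify(domain):
    uni = to_unicode(domain)
    if base_domain(uni) in PROTECTED:
        return "legitimate"
    if base_domain(skeleton(domain)) in PROTECTED:
        return "homoglyph-lookalike"
    if not uni.isascii():
        return "non-ascii-review"
    return "unrelated"
```

A domain that mixes scripts (for instance Latin and Cyrillic letters in one label, as reported by `scripts`) is a strong signal on its own, even when the confusables map does not cover the substituted character.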
About the new AMOS variant
The variant comes bundled in an ad-hoc signed app. Because an ad-hoc signature is not tied to an Apple-issued developer certificate, there is no certificate for Apple to revoke.
Once executed, it collects users’ system data, including wallet addresses, passwords, auto-fills, keychains, and cookies, and sends it to the attackers’ servers.
Researchers note that the developers of AMOS malware are advising the distributors to use bulletproof servers to transfer stolen data without being detected.
Rising threats to macOS users
A new variant of XLoader was spotted in the wild targeting macOS systems, masquerading as an office productivity app called OfficeNote.
Separately, a new hVNC tool for hacking Mac systems was found being sold on a Russian cybercrime forum in April.
The bottom line
As the current campaign relies on deceiving users by impersonating legitimate software, make sure to cross-check the website before downloading the application. With stealers such as AMOS, it is suggested to run an antivirus with real-time protection so that it blocks the malware before it causes major damage.