A fresh malvertising campaign has emerged, shedding light on the ongoing maintenance and distribution of the macOS stealer malware known as Atomic Stealer, or AMOS.
This stealthy malware, available for a monthly subscription of $1,000, first surfaced in April 2023. Since then, it has continuously evolved, with newer variants equipped with an expanded arsenal of data-gathering functionalities, specifically targeting individuals within the gaming and cryptocurrency communities.
This malicious campaign primarily employs malvertising tactics through Google Ads as its main distribution vector. Users seeking popular software, be it legitimate or cracked, via search engines are presented with deceptive advertisements that redirect them to websites hosting rogue installers.
The latest phase of this campaign revolves around a fraudulent website masquerading as TradingView. This site prominently displays three download buttons catering to Windows, macOS, and Linux users. Intriguingly, both the Windows and Linux download options lead to an MSIX installer hosted on Discord, delivering the NetSupport RAT payload.
The macOS variant of this threat, concealed within a file named “TradingView.dmg,” represents a newly updated iteration of Atomic Stealer, which surfaced at the end of June. Upon execution, it prompts unsuspecting users to input their password via a deceptive dialog box, subsequently pilfering files and data stored in iCloud Keychain and web browsers.
Notably, this malware casts its net wide, targeting Chrome and Firefox browsers, sporting an extensive hardcoded list of crypto-related browser extensions to maximize its impact. Select versions have also set their sights on Coinomi wallets.
The attackers' main goal is to get past the Gatekeeper protections built into macOS so that they can exfiltrate the stolen data to servers under their control.
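The behaviour described above (a binary launched from a downloaded .dmg that raises a fake password prompt, reads iCloud Keychain and browser credential stores, then uploads the take) maps onto a simple correlation rule for endpoint telemetry. The following is an added example and not code from the article or any vendor: the event format, the mount path, the credential-store paths and the osascript-based dialog are assumptions, and the telemetry is constructed.

```python
import re
from collections import defaultdict
# Credential stores an infostealer after Keychain and browser data would read (assumed paths).
SENSITIVE_READS = re.compile(
    r"(/Library/Keychains/login\.keychain-db"
    r"|/Library/Application Support/Google/Chrome/.*/(Login Data|Local Extension Settings)"
    r"|/Library/Application Support/Firefox/Profiles/.*/logins\.json)$"
)
# Fake password dialog via AppleScript with a hidden answer field (assumed mechanism).
FAKE_PROMPT = re.compile(r"osascript.*display dialog.*hidden answer", re.I)
# Weight per distinct signal; a process tree whose weights reach THRESHOLD is alerted on.
SIGNALS = {"dmg_volume": 1, "fake_prompt": 2, "sensitive_read": 2, "exfil": 2}
THRESHOLD = 5

def classify(event):
    """Map one telemetry event to a signal name, or None if uninteresting."""
    kind, detail = event["type"], event.get("detail", "")
    if kind == "exec" and event.get("path", "").startswith("/Volumes/"):
        return "dmg_volume"      # binary launched from a mounted disk image
    if kind == "exec" and FAKE_PROMPT.search(detail):
        return "fake_prompt"     # credential-harvesting dialog
    if kind == "file_read" and SENSITIVE_READS.search(detail):
        return "sensitive_read"  # Keychain or browser credential store
    if kind == "net_connect" and event.get("bytes_out", 0) > 100_000:
        return "exfil"           # large upload following the reads
    return None

def score_events(events):
    """Collect distinct signals per process tree; return {tree: (score, signals)} for alerts."""
    per_tree = defaultdict(set)
    for ev in events:
        sig = classify(ev)
        if sig:
            per_tree[ev["tree"]].add(sig)
    alerts = {}
    for tree, sigs in per_tree.items():
        score = sum(SIGNALS[s] for s in sigs)
        if score >= THRESHOLD:
            alerts[tree] = (score, sorted(sigs))
    return alerts
# Constructed sample telemetry, not a real capture. "tree" is the root process id, so a spawned
# osascript is attributed to the app that launched it. Tree 777 is Chrome reading its own store.
SAMPLE = [
    {"tree": 501, "type": "exec", "path": "/Volumes/TradingView/TradingView.app/Contents/MacOS/TradingView"},
    {"tree": 501, "type": "exec", "detail": "osascript -e 'display dialog \"Enter your password\" default answer \"\" with hidden answer'"},
    {"tree": 501, "type": "file_read", "detail": "/Users/u/Library/Keychains/login.keychain-db"},
    {"tree": 501, "type": "file_read", "detail": "/Users/u/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"tree": 501, "type": "net_connect", "detail": "203.0.113.10:80", "bytes_out": 850_000},
    {"tree": 777, "type": "file_read", "detail": "/Users/u/Library/Application Support/Google/Chrome/Default/Login Data"},
]
```

Running `score_events(SAMPLE)` flags only tree 501; a browser touching its own credential store alone scores below the threshold, which is what keeps the rule from firing on every Chrome launch.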
This development underscores the growing attractiveness of macOS as a target for malicious activities. In recent times, there has been a surge in macOS-specific information stealers surfacing on the dark web, capitalizing on the widespread use of Apple systems within various organizations.
It’s worth noting that macOS malware tends to fly under the radar compared to its Windows counterparts. The developers of AMOS have touted its ability to evade detection as a selling point, making it a formidable threat in the ever-evolving landscape of cyberattacks.
Atomic Stealer isn’t the sole malware propagated through malvertising and search engine optimization poisoning campaigns. Evidence suggests that DarkGate, also known as MehCrypter, has harnessed the same delivery mechanism.
With the emergence of new DarkGate versions, threat actors have adopted tactics akin to those used by Scattered Spider, as reported by Aon’s Stroz Friedberg Incident Response Services in the previous month.