Atomic macOS Stealer malware is now more dangerous
The Atomic macOS Stealer malware has a new backdoor persistent installation feature, making it even more of a security risk for Mac users.

Atomic Stealer infects macOS via illegitimate software, and now it has a backdoor
Atomic macOS Stealer, also known as AMOS, has been around since 2023, and was immediately a hit for cyber criminals wanting to steal data from infected Macs. While it was popular enough amongst bad actors to warrant the creation of a new variant in 2024, its 2025 update is a potential nightmare for victims.
According to MacPaw cybersecurity division Moonlock, a version of AMOS has been found with a major update, adding an embedded backdoor for the first time.
It is unclear whether the change was implemented by the original developer or by someone else modifying the code, but the result is the same: a marked increase in severity. Moonlock considers it the highest level of risk it has seen from AMOS so far.
Previously, AMOS was used to siphon user data and cryptocurrency wallets from a target Mac and send them to a server controlled by the attacker. The addition of a backdoor expands the potential damage from data theft to full remote control of the system.
The presence of a backdoor is unusual for macOS malware. It is believed to be only the second known case of backdoored malware deployed globally against Mac users, following similar attempts by North Korean threat actors.
How Atomic macOS Stealer works now
AMOS has historically operated as malware embedded within an otherwise innocent-looking app. It is distributed through sites offering fake or cracked software, and through spear phishing attacks against individuals with large cryptocurrency holdings.
The latter can take place during a seemingly normal job interview. The victim is asked to enable screen sharing and enters their system password to do so, which is enough to let the malware run.
Once installed and executed, AMOS immediately harvests passwords and seed phrases. It then installs a persistent backdoor that waits for remote commands.
Analysis of the executable shows that its early stages are almost unchanged; the new additions, including the backdoor, are set to run after the data collection phase.
A trojanized DMG file posing as a legitimate installer carries a bash wrapper script for the Mach-O binary, along with a selection of extensions. This combination gets past Gatekeeper through social engineering rather than a technical bypass.
AppleScript is still used to set execution permissions and to launch the malware binary itself. Persistence is achieved with a launchd property list (PLIST) loaded via launchctl, a fairly common technique.
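The launchd persistence described above is something a user or responder can check for without vendor tooling. The script below is an added example, not code from the article or from Moonlock's report: a POSIX sh triage helper that lists launchd property lists whose program lives somewhere a legitimate installer rarely puts an executable (temp, shared, hidden or per-user Library directories) or that simply launch an interpreter such as osascript, and reports whether RunAtLoad and KeepAlive are set. The path heuristics are assumptions chosen for illustration, not indicators published for AMOS, and they will produce false positives that need a human look. The two sample plists are constructed for the demo.

```sh
#!/bin/sh
# Triage helper for launchd persistence: flag plists in LaunchAgents and
# LaunchDaemons directories whose program path looks like a dropped payload.
# Added example; path heuristics are assumptions, not published AMOS indicators.
# Works on XML plists with key and value on separate lines, as plutil writes
# them. On macOS, convert binary plists first: plutil -convert xml1 -o - FILE

# Print the program a plist runs: the value of <key>Program</key>, or the
# first element of the <key>ProgramArguments</key> array.
plist_program() {
    awk '
        index($0, "<key>Program</key>") || index($0, "<key>ProgramArguments</key>") { want = 1; next }
        want && index($0, "<string>") {
            s = substr($0, index($0, "<string>") + 8)   # text after <string>
            sub("</string>.*", "", s)                    # drop the closing tag
            print s
            exit
        }
    ' "$1"
}

# Exit 0 if the boolean KEY in FILE is <true/>, 1 otherwise (including absent).
plist_true() {
    awk -v key="<key>$2</key>" '
        index($0, key) { want = 1; next }
        want { found = (index($0, "<true/>") > 0); exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Heuristic (assumed, not from the report): programs in temp, shared, hidden or
# per-user Library paths, or plists whose program is just an interpreter so the
# real payload is in the arguments (for example an AppleScript via osascript).
is_suspicious_program() {
    case "$1" in
        /tmp/*|/private/tmp/*|/var/folders/*|/private/var/folders/*) return 0 ;;
        /Users/Shared/*|/Users/*/Library/*|*/.*)                     return 0 ;;
        /bin/sh|/bin/bash|/bin/zsh|/usr/bin/osascript|sh|bash|zsh|osascript) return 0 ;;
    esac
    return 1
}

# Print "<plist>\t<program>\t<flags>" for each flagged plist in DIR.
scan_launch_dir() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        prog=$(plist_program "$f")
        [ -n "$prog" ] || continue
        if is_suspicious_program "$prog"; then
            flags=""
            plist_true "$f" RunAtLoad && flags="${flags}RunAtLoad "
            plist_true "$f" KeepAlive && flags="${flags}KeepAlive "
            printf '%s\t%s\t%s\n' "$f" "$prog" "${flags% }"
        fi
    done
    return 0
}

# Constructed sample data (not real malware artifacts): one benign agent and one
# that looks like a dropped payload. Prints the temp directory it creates.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/com.example.benign.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.example.benign</string>
	<key>ProgramArguments</key>
	<array>
		<string>/Applications/Example.app/Contents/MacOS/Example</string>
		<string>--agent</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>
EOF
    cat > "$d/com.example.dropper.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.example.dropper</string>
	<key>ProgramArguments</key>
	<array>
		<string>/Users/Shared/.helper/agent</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>KeepAlive</key>
	<true/>
</dict>
</plist>
EOF
    printf '%s\n' "$d"
}

# With no arguments, scan the standard launch directories; otherwise scan the
# directories given on the command line.
main() {
    if [ $# -eq 0 ]; then
        set -- "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
    fi
    for d in "$@"; do scan_launch_dir "$d"; done
}

main "$@"
```

Run it with no arguments on a Mac to sweep the usual directories, or point it at a directory of plists pulled from a suspect machine. Anything it prints still needs the binary itself examined (code signature, what it connects to); an unsigned executable in a hidden directory that is both RunAtLoad and KeepAlive is the pattern worth escalating.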
The backdoor increases the capabilities of AMOS, but seemingly not by as much as it could. Compared with the sophisticated backdoors produced by North Korean threat actors, the report says the AMOS version leaves a lot of room for expansion, which will almost certainly appear over time.
Still, the AMOS developers have "taken their first steps into a new niche on the market."
How to stay safe from Atomic macOS Stealer
Generally speaking, good digital hygiene and common sense should help most Mac users avoid this malware. Avoiding downloads from unverified sources and steering clear of pirated software is a good start.
Sticking to the Mac App Store for downloads would largely eliminate the risk of installing this malware, thanks to Apple's review process. When downloading from elsewhere, be wary of any software that asks users to bypass Gatekeeper or signature checks.
Be alert to phishing as well, especially since AMOS is being delivered through fake job interviews.
Comments
Is this something current AV software will recognize?