The cybersecurity landscape is ever-evolving, and the recent discovery of a malvertising campaign targeting macOS users is a testament to this. The campaign delivers a new version of the Atomic Stealer malware, specifically designed for Mac OS. This blog post aims to dissect the campaign, its distribution methods, and the malware itself, while also offering preventive measures. The original report was published by Malwarebytes.
Targeting Both Windows and macOS
While malvertising campaigns have predominantly targeted Windows users, this new campaign aims at both Windows and macOS platforms. The macOS malware is an updated version of Atomic Stealer (AMOS), initially advertised in April 2023. AMOS focuses on stealing crypto assets, browser passwords, and Apple's keychain data.
The threat actors employ a multi-pronged approach for distribution:
- Search Engine Ads: Ads matching well-known brands like TradingView are purchased to trick users into visiting phishing sites.
- Phishing Sites: These sites appear authentic and offer download buttons for Windows, Mac, and Linux.
- Social Engineering: The Mac download comes with instructions to bypass GateKeeper, Apple's security feature.
The malware is ad-hoc signed, meaning it's not an Apple certificate and thus cannot be revoked. Once executed, it prompts the user for their password in a never-ending loop until the victim relents.
The malware employs evasion techniques to bypass detection, making it a potent threat. It also uses bulletproof servers for data exfiltration, adding another layer of complexity to its operations.
Indicators of Compromise (IoCs)
- Ad domain: xn--tradgsvews-0ubd3y[.]com
- Phishing domain: trabingviews[.]com
- AMOS C2: 185.106.93[.]154
- Verify Website Authenticity: Always double-check the URL and the SSL certificate of the website you're visiting.
- Use Real-Time Antivirus: Employ antivirus solutions with real-time protection.
- Be Skeptical of Ads: Be cautious when clicking on ads, especially those that lead to software downloads.
The Atomic macOS Stealer campaign is a stark reminder that no platform is entirely safe from cyber threats. The campaign's sophistication lies in its multi-vector attack strategy and its focus on macOS, a platform often considered more secure than its counterparts.