Cyble analysts noticed that threat actors are advertising a new infostealer called Atomic macOS Stealer (AMOS), which, as the name implies, targets macOS.
Let me remind you that we also reported that Aurora Stealer Is Gaining Popularity among Hackers.
Atomic macOS Stealer is distributed via Telegram and costs $1,000 per month to subscribe.
For this price, buyers receive a DMG file (Setup.dmg) containing malware written in Go that is designed to steal passwords from the Keychain, files from the local file system, and passwords, cookies, and bank card data stored in browsers. In addition, AMOS attempts to steal data from more than 50 cryptocurrency extensions and wallets, shutting down Binance, Coinomi, Electrum, and Exodus in the process.
Buyers also get access to a web panel for managing stolen victim data, a MetaMask brute-forcer, and the DMG installer, and they can receive stolen information directly through Telegram.
It is worth noting that at the time the researchers’ report was released, the malicious DMG file went practically undetected by security products on VirusTotal.
When the malicious DMG file is executed, the malware displays a fake system password prompt; the password entered there allows its operators to gain elevated privileges on the victim’s system and proceed to collect data.
Interestingly, security experts from Trellix, who also studied this malware, noticed that the IP address associated with the Atomic C&C server and the build name overlap with Raccoon Stealer, which suggests that the same attackers may be behind both threats.
You might also be interested to know that Beta Version of Raccoon Stealer 2.0 Malware with Improved Features Is Available for Purchase, although the media wrote that US Authorities Announced the Arrest of a Ukrainian Who Developed Raccoon Malware.