A new malvertising campaign has been observed distributing an updated version of a macOS information-stealing malware called Atomic Stealer (or AMOS), indicating that it is being actively maintained by its author.
An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer was first discovered in April 2023. Soon after, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users.
Malicious advertising through Google Ads has been observed as the main distribution vector: users searching for popular legitimate or pirated software are shown fake advertisements that redirect to websites hosting malicious installers.
The latest campaign involves the use of a fraudulent website for TradingView, highlighting three buttons to download the software for Windows, macOS and Linux operating systems.
“The Windows and Linux buttons point to a Discord-hosted MSIX installer that drops NetSupport RAT,” Jerome Segura, director of threat intelligence at Malwarebytes, said.
The macOS payload (“TradingView.dmg”) is a new version of Atomic Stealer released in late June. It is packaged as an ad hoc signed application that, when executed, prompts users to enter their password in a fake prompt and harvests files as well as data stored in iCloud Keychain and web browsers.
“Atomic Stealer also targets Chrome and Firefox browsers and has a long hardcoded list of crypto-related browser extensions to attack,” SentinelOne previously noted in May 2023. Some variants have also targeted Coinomi wallets.
The attacker’s ultimate goal is to bypass macOS’s Gatekeeper protections and exfiltrate the stolen information to a server under their control.
The development comes as macOS increasingly becomes a viable target for malware attacks, with a number of macOS-specific information stealers appearing for sale on crimeware forums in recent months, capitalizing on the wide adoption of Apple systems in organizations.
“Although Mac malware really does exist, it tends to be less detected than its Windows counterparts,” Segura said. “The developer or seller of AMOS has actually made it a selling point that their toolkit is capable of evading detection.”
Atomic Stealer is not the only malware spread via malvertising and search engine optimization (SEO) poisoning campaigns, as evidenced by DarkGate (aka MehCrypt) relying on the same delivery mechanism.
New versions of DarkGate have since been used in attacks staged by malicious actors employing tactics similar to those of Scattered Spider, Aon’s Stroz Friedberg incident response services said last month.
DarkGate has also been observed spreading via social engineering campaigns using HR-themed chat messages sent via Microsoft Teams, according to Truesec, amplifying its potential threat and indicating that the loader is used by several malicious actors through various infection channels.