Unveiled: macOS Infiltration Scheme Exploiting Falsely Cracked Software to Evade Apple's Protections
A new malware campaign, known as the AMOS (Atomic macOS Stealer) malware, has been identified, targeting macOS users. This campaign disguises malware as "cracked" versions of legitimate apps, putting users and organizations at risk.
The campaign begins with threat actors gaining initial access to systems through downloads of cracked software. Once a user downloads and installs the seemingly legitimate software, an installation script is executed. This script downloads an AppleScript file named "update" to the temp directory.
One of the key components of the AMOS malware is a property list named 'com.finder.helper.plist'. This plist configures a macOS LaunchDaemon to continuously run the '.agent' script. The '.agent' script, in turn, runs in an infinite loop to detect the logged-in user and execute the hidden binary. This binary establishes persistence by retrieving the username of the currently logged-in user, excluding root.
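The persistence pattern described above (a LaunchDaemon plist whose job keeps a hidden script running from a temporary location) is something defenders can triage mechanically. The following Python script is an added example written for this article, not code from the researchers or from the malware; it parses launchd plists with the standard-library plistlib module and flags jobs that execute from temporary or shared directories, reference dot-prefixed hidden files, or carry a com.apple.* label while pointing at a binary outside system paths. The sample plists embedded at the bottom are constructed for illustration (the file name 'com.finder.helper.plist' and the '.agent' script name come from the article; the other paths and labels are assumptions), and the directory reader assumes the standard /Library/LaunchDaemons location.

```python
"""Heuristic triage of launchd property lists for persistence indicators."""
import os
import plistlib
from typing import Dict, List

# Locations a legitimate, long-lived daemon almost never executes from.
VOLATILE_PREFIXES = (
    "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
    "/var/folders/", "/private/var/folders/", "/Users/Shared/",
)
# Where the binary behind a genuine com.apple.* label is expected to live.
APPLE_BINARY_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def _program_path(plist: dict) -> str:
    """Executable launchd will run: the Program key wins, else ProgramArguments[0]."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return ""


def _path_tokens(plist: dict) -> List[str]:
    """Every whitespace-separated token containing '/' from Program and
    ProgramArguments, so a path buried inside an `sh -c` one-liner is seen too."""
    values = []
    if isinstance(plist.get("Program"), str):
        values.append(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list):
        values.extend(a for a in args if isinstance(a, str))
    tokens = []
    for value in values:
        for tok in value.split():
            tok = tok.strip(";&|()'\"")  # drop shell punctuation glued to a path
            if "/" in tok:
                tokens.append(tok)
    return tokens


def assess_launchd_plist(raw: bytes) -> List[str]:
    """Return human-readable reasons a job looks suspicious (empty list = nothing flagged)."""
    try:
        plist = plistlib.loads(raw)
    except Exception as exc:  # a malformed plist in a daemon directory is itself worth a look
        return [f"unparseable plist: {exc.__class__.__name__}"]
    if not isinstance(plist, dict):
        return ["top-level object is not a dictionary"]

    reasons = []
    for tok in _path_tokens(plist):
        if tok.startswith(VOLATILE_PREFIXES):
            reasons.append(f"runs code from a temporary or shared location: {tok}")
        if os.path.basename(tok).startswith("."):
            reasons.append(f"references a hidden (dot-prefixed) file: {tok}")

    label = plist.get("Label", "")
    program = _program_path(plist)
    if isinstance(label, str) and label.startswith("com.apple.") \
            and not program.startswith(APPLE_BINARY_PREFIXES):
        reasons.append(f"Apple-looking label {label!r} but executable outside system paths: {program!r}")

    # RunAtLoad/KeepAlive are normal for real daemons, so only note them when
    # something else already looks off; together they explain how the job survives.
    if reasons and (plist.get("KeepAlive") or plist.get("RunAtLoad")):
        reasons.append("RunAtLoad/KeepAlive set: job starts at boot and is restarted if it exits")
    return reasons


def scan_launch_daemons(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map plist path -> reasons, keeping only the flagged entries."""
    return {path: r for path, raw in plists.items() if (r := assess_launchd_plist(raw))}


def read_launch_daemon_dir(directory: str = "/Library/LaunchDaemons") -> Dict[str, bytes]:
    """Load every .plist in a launchd directory (run on the macOS host under review)."""
    out = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            path = os.path.join(directory, name)
            with open(path, "rb") as fh:
                out[path] = fh.read()
    return out


# Constructed sample plists for offline use; they are not captured from the campaign.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.backup.plist": plistlib.dumps({
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
        "RunAtLoad": True,
    }),
    "/Library/LaunchDaemons/com.finder.helper.plist": plistlib.dumps({
        "Label": "com.finder.helper",
        "ProgramArguments": ["/bin/sh", "/tmp/.agent"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "/Library/LaunchDaemons/com.apple.softwareupdate.helper.plist": plistlib.dumps({
        "Label": "com.apple.softwareupdate.helper",  # assumed Apple-mimicking label
        "Program": "/Users/Shared/.update",
        "RunAtLoad": True,
    }),
}

if __name__ == "__main__":
    for path, reasons in scan_launch_daemons(SAMPLE_PLISTS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On a live host, replace `SAMPLE_PLISTS` with `read_launch_daemon_dir()` (and the per-user `~/Library/LaunchAgents` directories) and review every flagged entry by hand; the heuristics are deliberately loose, so they are a triage aid rather than a verdict.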
The hidden binary then copies sensitive data from the compromised system. The data stolen includes credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes, and files from common folders.
The observed domains in this campaign act as redirectors to the corresponding payload page based on the visitor's operating system. The threat actor rotates these domains and URLs frequently for download commands to evade detection and takedowns. One of the observed domains is haxmac[.]cc, which users visited several times.
The AMOS malware was developed and sold as malware-as-a-service (MaaS) by threat actors active on underground forums and Telegram. While no specific single organization is named as the developer, the threat actor "mentalpositive" developed a related macOS stealer called Mac.c as an alternative. This suggests that multiple groups are involved in this malware ecosystem.
This campaign represents a "significant tactical adaptation" to overcome Apple's security improvements. Researchers recommend that organizations deploy defense-in-depth strategies that do not rely solely on built-in operating system protections to defend against the tactics used in this campaign.
Downloading the cracked software puts the machine and the organization at risk due to potential malware or trojanization by threat actors. The AMOS campaign poses significant downstream risks for businesses and individuals, including credential stuffing, financial theft, and further intrusions into enterprise systems.
Users are advised to download software only from trusted sources and to keep their systems updated with the latest security patches. Organizations should implement robust security measures to protect their networks and data from such threats.