Cybersecurity researchers have discovered an updated version of a macOS information stealer called Atomic (or AMOS), indicating that the threat actors behind the malware are actively enhancing its capabilities.
“Atomic Stealer appears to have been updated around mid-to-late December 2023, and its developers introduced payload encryption to bypass detection rules,” Malwarebytes’ Jérôme Segura said in a report on Wednesday.
Atomic Stealer first appeared in April 2023, with a monthly subscription fee of $1,000. Using fake prompts, it can obtain sensitive information from infected hosts, including keychain passwords, session cookies, files, encrypted wallets, system metadata, and machine passwords.
Over the past few months, we have observed this malware spreading via malicious ads and infected websites under the guise of legitimate software and web browser updates.
New analysis from Malwarebytes shows that Atomic Stealer is now on sale for a hefty $3,000 per month, with the attackers running a Christmas promotion offering the malware at a discounted price of $2,000.
In addition to the use of encryption to thwart detection by security software, there has also been a slight shift in the distribution of Atomic Stealer: Google search ads impersonating Slack are used to deploy either Atomic Stealer or a malware loader called EugenLoader (aka FakeBat), depending on the operating system.
Notably, a malvertising campaign discovered in September 2023 used a fraudulent website impersonating the TradingView charting platform to deliver NetSupport RAT (if accessed from Windows) and Atomic Stealer (if the operating system was macOS).
Rogue Slack disk image (DMG) files prompt victims to enter their system password when opened, allowing threat actors to collect sensitive information to which access is restricted. Another important aspect of the new version is the use of obfuscation techniques to hide the command-and-control servers that receive the stolen information.
“Because thieves remain the biggest threat to Mac users, it’s important to download software from a trusted location,” Segura said. “Malverts and decoy sites can be very misleading, and all it takes is one mistake (entering your password) for malware to collect and steal your data.”