Skip to content
Naked Security Naked Security

Mac malware-for-hire steals passwords and cryptocoins, sends “crime logs” via Telegram

These malware peddlers are specifically going after Mac users. The hint's in the name: "Atomic macOS Stealer", or AMOS for short.

Researchers at dark web monitoring company Cyble recently wrote about a data-stealing-as-a-service toolkit that they found being advertised in an underground Telegram channel.

One somewhat unusual aspect of this “service” (and in this context, we don’t mean that word in any sort of positive sense!) is that it was specifically built to help would-be cybercriminals target Mac users.

The malware peddlers’ focus on Apple fans was clearly reflected in the name they gave their “product”: Atomic macOS Stealer, or AMOS for short.

They’re after passwords, cryptocoins and files

According to Cyble, the crooks are explicitly advertising that their malware can do all of these things:

  • Rip off passwords and authentication information from your macOS Keychain (Apple’s internal storage system for passwords and authentication credentials).
  • Steal files from your Desktop and Documents directories.
  • Retrieve comprehensive information about your system.
  • Plunder secret data from eight different browsers.
  • Slurp the contents of dozens of different cryptowallets.

Ironically, the one browser that doesn’t show up on the list is Apple’s own Safari, but the sellers claim to be able to exfiltrate data from Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, and Opera’s gamer-centric browser, OperaGX.

As an AMOS “customer”, you also get an account on the cybergang’s online AMOS cloud portal, and a feature to send “crime logs” and stolen data directly to your Telegram account, so you don’t even need to login to the portal to check for successful attacks.

As well as that, you get what the crooks describe as a beautiful DMG installer, presumably to improve the likelihood that you can lure prospective victims into installing the software in the first place.

DMGs are Apple Disk Image files, commonly used by legitimate software developers as a well-known, good-looking, easy-to-use way of delivering Mac applications.

All this for $1000 a month.

Watch out for password prompts

As you can imagine, attackers who want to access your macOS Keychain can’t do so simply by tricking you into running a program while you’re already logged in.

Running an app under your account is enough to read many or most of your files, but actions such as viewing and changing system settings, and viewing Keychain items, require you to put in your password every time, as an extra layer of safety and security.

In this case, Cyble researchers noted that the malware lures you into giving away your account password by popping up a dialog with the title System Preferences (in macOS Ventura, it’s actually now called System Settings), and claiming that macOS itself “wants to access System Preferences”.

Well-informed Mac users should spot that the popup produced clearly belongs to the malware app itself, which is simply called Setup.

Password dialogs that are requested by the System Preferences (or System Settings) app itself come up as an integral part of the Preferences application window.

So, they can only be accessed when the System Preferences app itself has focus and thus shows up as the active application in your Mac’s menu bar.

What to do?

Malware that specifically targets Mac users is rare compared to malware aimed at Windows users, but this find by Cyble’s dark web diggers is a reminder that “unusual” is not the same as “non-existent”.

If you’re one of those Mac users who tends to treat cybersecurity as a curiosity instead of building it into your digital lifestyle, perhaps because a friend or family member once assured you that “Macs don’t get viruses”…

…please treat this article as a gentle reminder that malware attacks aren’t just things that happen to other people.

  • Stick to reputable download sites. Apple’s own App Store isn’t perfect, but it’s less of a free-for-all than sites and services you’ve never heard of. You can control the source of apps you install via the System Settings > Privacy & Security page, accessible directly from the Apple menu. If you need off-market apps, you can always give yourself access temporarily, and then lock your system down again immediately afterwards.
  • Don’t be fooled by what these crooks refer to as the “beauty” of an app. Modern software development tools make it easier than ever to produce professional-looking applications and installers, so malware doesn’t inevitably give itself away by looking sub-standard.
  • Consider running real-time malware blocking tools that not only scan downloads, but also proactively prevent you from reaching dangerous download servers in the first place. Sophos Home is modestly priced for up to 10 computers, which can be a mix of Mac and Windows systems. You can invite friends and family to share your licence, and help them by looking after their devices remotely via our cloud-based console, so you don’t need to run a server at home.

Note. Sophos products detect and block the malware in Cyble’s report under the name OSX/InfoStl-CP, if you are a Sophos user and would like to check your logs.


Apple issued an update. 16.4.1(a)
But it fails to install.


That update is not relevant to this malware (16.4.1 (a) is a patch for iOS, not for Macs)… but it broke for me, too, claiming it could not verify the update because I was “no longer connected on the internet”, though browsing and email are working fine. Hmmmmm. Taking a deeper look now!


Does this explain the Emergency Patch that came out today?


I doubt it, not least because I got (or more precisely failed to get) that patch on my phone… which is not affected by rogue macOS DMG files!


Skype and WhatsApp frequently update via a “helper” app (which requires authentication via an admin user). I do worry that this could be faked. Do you have any comment on that?


Can you set their updating so it just tells you about updates but waits until you choose “Check for updates” in the main app, so you can decide when you expect the update helper to run?


Yesterday, I received an email from one of my closest friends. It said “Just confirming that you received my email?” She uses a Mac and uses 2 different email accounts, one from Comcast (she rarely uses this email acccount), and one from sbcglobal (through ATT) and this is her primary email account.
I didn’t bother to check the full address in the “FROM” line. I replied to let her know the last date she sent me an email. A reply came very quickly, it was about purchasing a gift card from Amazon and she would send me a check for reimbursement. That’s when I knew this wasn’t from my friend. The closer I looked at the email address it was from Comcast and one name was misspelled, it is not misspelled in my Contacts. Since speaking with her people in her contact list have received this same message from both email accounts, but primarily from Comcast (sbcglobal). I sent her an email to sbcglobal, it took about 10 minutes to arrive, but instead of going to her inbox, it went to her SPAM folder. Now she can’t use either email address. Is this what you are talking about? Now I’m concerned that my email has been compromised even though I do NOT use a password saver account, she does though. What now?


It certainly sounds as though your friend’s email was hacked. (There are many variants of this sort of “I need money/please do a favour/can you pay a bill for me” scam – the crook is hoping you will believe it simply because seems to be from a friend.)

General tip: if you think a friend’s Instagram/WhatsApp/email/Discord/whatever has been hacked…

…always find a different way to warn them. Never ask via the very messaging system you suspect is controlled by a crook. (Because if it is, the crook will simply lie to you and say it’s not!)

She needs to change all her passwords ASAP, and ideally add two-factor login protection to accounts where she can.

And if she has ever slipped into the habit of using simple passwords or having one password for lots of different accounts… stop doing that!


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!