Site icon Sophos News

Mac malware-for-hire steals passwords and cryptocoins, sends “crime logs” via Telegram

Researchers at dark web monitoring company Cyble recently wrote about a data-stealing-as-a-service toolkit that they found being advertised in an underground Telegram channel.

One somewhat unusual aspect of this “service” (and in this context, we don’t mean that word in any sort of positive sense!) is that it was specifically built to help would-be cybercriminals target Mac users.

The malware peddlers’ focus on Apple fans was clearly reflected in the name they gave their “product”: Atomic macOS Stealer, or AMOS for short.

They’re after passwords, cryptocoins and files

According to Cyble, the crooks are explicitly advertising that their malware can do all of these things:

Ironically, the one browser that doesn’t show up on the list is Apple’s own Safari, but the sellers claim to be able to exfiltrate data from Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, and Opera’s gamer-centric browser, OperaGX.

As an AMOS “customer”, you also get an account on the cybergang’s online AMOS cloud portal, and a feature to send “crime logs” and stolen data directly to your Telegram account, so you don’t even need to login to the portal to check for successful attacks.

As well as that, you get what the crooks describe as a beautiful DMG installer, presumably to improve the likelihood that you can lure prospective victims into installing the software in the first place.

DMGs are Apple Disk Image files, commonly used by legitimate software developers as a well-known, good-looking, easy-to-use way of delivering Mac applications.

All this for $1000 a month.

Watch out for password prompts

As you can imagine, attackers who want to access your macOS Keychain can’t do so simply by tricking you into running a program while you’re already logged in.

Running an app under your account is enough to read many or most of your files, but actions such as viewing and changing system settings, and viewing Keychain items, require you to put in your password every time, as an extra layer of safety and security.

In this case, Cyble researchers noted that the malware lures you into giving away your account password by popping up a dialog with the title System Preferences (in macOS Ventura, it’s actually now called System Settings), and claiming that macOS itself “wants to access System Preferences”.

Well-informed Mac users should spot that the popup produced clearly belongs to the malware app itself, which is simply called Setup.

Password dialogs that are requested by the System Preferences (or System Settings) app itself come up as an integral part of the Preferences application window.

So, they can only be accessed when the System Preferences app itself has focus and thus shows up as the active application in your Mac’s menu bar.

What to do?

Malware that specifically targets Mac users is rare compared to malware aimed at Windows users, but this find by Cyble’s dark web diggers is a reminder that “unusual” is not the same as “non-existent”.

If you’re one of those Mac users who tends to treat cybersecurity as a curiosity instead of building it into your digital lifestyle, perhaps because a friend or family member once assured you that “Macs don’t get viruses”…

…please treat this article as a gentle reminder that malware attacks aren’t just things that happen to other people.


Note. Sophos products detect and block the malware in Cyble’s report under the name OSX/InfoStl-CP, if you are a Sophos user and would like to check your logs.



Exit mobile version