This is a new series of blog posts focusing on the background information of malware we’ve recently dealt with, for those that would like a more in-depth look at what we’ve been adding to our database.
In April 2023, malware authors began advertising a piece of malware labelled “ATOMIC MACOS STEALER” for the price of $1,000 per month, through a messaging app called Telegram. From this, new variations were developed and distributed using a method known as Malvertising. Malvertising is a malicious method of advertising in which uses online advertising to distribute malware with as little user interaction as required. In this case, Google Ads were being used in order to distribute Atomic Stealer.
Target
The Atomic MacOS Stealer was compiled for both x86 and ARM variants of MacOS devices, meaning both new and old architectures of Mac’s alike are susceptible to Atomic Stealer.
Execution
Upon first execution, Atomic Stealer asks for Desktop and Documents folder access in order to gain access to the files in these locations to extract them.
Next, Atomic Stealer uses AppleScript spoofing through osascript with the “hidden answer” parameter in order to create a pop-up posing as System Preferences asking the user for their password.
’ “Please enter your password.” with title “System Preferences” with icon file “System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns” default answer "" giving up after 30 with hidden answer ‘
The “hidden answer” parameter changes the user input to show the asterisk (*) character instead of the users actual character entry to further convince the user of it’s authenticity.
Once the password is obtained from the user, Atomic Stealer is designed extract and then exfiltrate an array of targeted data back to a remote server. Some of the targeted data includes the keychain, crypto wallets, browser passwords, and system information.
IoC
Listed below are the hashes of a number of samples that have come to light relating to the Malvertising campaign including the Atomic MacOS Stealer, all of which ClamXAV protects you against.
| SHA1 Hash | MD5 Hash |
|---|---|
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 5e0226adbe5d85852a6d0b1ce90b2308 |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | a3372ecd587e6aa6b96b3744cf7a77cf |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 1cf5d415dbac8324b4d72f89b11e4a63 |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | ccdb7bc4aee0a6303e4ffb78a9bf3c4c |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | c7c4d58bfb5f2201966b0baf17babb46 |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 7ac1e26e5453333df5b29c1b234eb5de |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | a9deab569c5cd7e5052bd1d42ab14150 |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 8b198256578686dabd4bc0a8a0bb1d20 |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 47bd855366deaaedefd953b64913dd47 |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 26211b064bed7767d68dc015a8dd39e4 |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | e62bdd3eaf2be436fca2e67b7eede603 |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 9e7bd209f715119e8f5594300de90f79 |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | d74956c69a84b260d066fcbb82c46053 |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | bf2b7c35ea0aa85ef05fe2834d5934fe |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | c7859de02355bff8f669208db89ca14c |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 6b74d3c2e48721286697f941864536c0 |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 39d73e7ec723efed7bdfec0a03e7f8bc |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 6c61fb7dcf92fd6436b5d14369ce7f0a |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 6f976b816d59e0261dea5df283d69e3d |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 685911013b1aa2b0cd59d5b1b1140709 |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 7cd96a966815eb37e97d73d0ff97750d |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 978e19cb735547f454d0dddd2828f2d1 |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | 32a29c914cce68e094eb983806e2c73c |
| 0a87b12b2d12526c8ba287f0fb0b2f7b7e23ab4a | b9e4a9bc2fe1ce9fa666cfccbbbcab02 |
| de465aad6cde9f0ce30fce0157bc18abf5a60d40 | f694b18d951e940ba32d14dc2f4811f7 |
| e114f643805394caece2326fb53e5d3a604a1aa9 | c16664d7c95a929ff06a185cf0fc9479 |
| f28025717f9db8a651f40c8326f477bf9d51a10f | 3b9e07f398c6d81e253f9a7ab9c16fcb |
| 1f29b00c18bc0b7e1dfee5e79f8111da09f8fab8 | c4add798752331c36e8f2ff36da3b233 |
| a02730f734032ed0f3b3705926b657aa4b88d720 | 2465350375866445b20c924a963c6c46 |
| c70fdf4362eb56032793ab08e6aeb892f1bd4a9b | 85b6561bdeff6a833399d75ecdbdfd3b |
| e951b889aabca7ee5b0ff9d06a057884ed788b70 | eb6b377af3ac7fa84bc5b3d75842b208 |
| 00a20cf506e169b99e75e937e55c4b156a56304a | f162dd73dd542c9376947bb530e5ad59 |
| 05138ad6617654e381b42ae37e1bf6bc552cd662 | 53e20cb4b5c21e0f30a7685fae4afa6f |
| 083e7453a1800ce808a38bda2f2d9344f1e6aff9 | a49b906b3263584c506910c18e0edf75 |
| 08713549eca50a3f4ee8c4dce32e713da1952423 | 5251b71bb229ecf6b853aa8b8b8be587 |
| 10b3b243fcdd5368c13fbe84abbff7af0c13df51 | 1838a37acee79e5a94f4782f477863bc |
| 148ed372fbf0b3bc19cc5c71977f61b8e41eb2da | f3e73469c40e5ba8e475a17bd9fe2299 |
| 14a87488243bf253f8165d4b42f4b739407c9906 | ab8e06eded2ae033bbf76d043838dbd9 |
| 19c9b3c9d0423c1817e165fd8315ce0a82034336 | c3e2d63b8b4fb5dfd4db15e7a968958c |
| 1a687586039804c905759e6bdc9fb16ab4a05741 | fecc2ca8ac04e895f75c83df6f27ef8b |
| 1fc6a6a296103446edb51f5aba03f294a01ebc07 | b92227f95099b382bfd0478e07a998bb |
| 22bd2457a284ac88963e6e87eafbb7f7060605c6 | dd03a3b55d2c5eaae3f155ced8376c26 |
| 2cbd24473f08bdce53a9ccc566ce817ea74e672f | f790aee82921c2ee805cfdeec3b1b11a |
| 3c8fc04ef41341ed60410959d7f9266e075a0c94 | 089babe81a97ef13716b42a7a9cc55ff |
| 3dd4211432c79afa0534da3a88a6caab527282b0 | d67b7d5d8c207124846dcaf4f3d15276 |
| 3ec7e1274fd4f51deff02b51937953327034f5d6 | 7ff10d83752672d3c224be696ea3646b |
| 40a97e141613e90907ed4dfa9c648e9ac05c5939 | a036de56608734cda935d4de0b5c65f8 |
| 447c5949a04436f1ac479ea391a8cac38456bf8b | 363bfbcc7bf3f262ccfecebc0f13e9a1 |
| 449bcac2b26d632d5a1d4f38b80349a6a440050b | 37b570291645f0835f3e460ffab83286 |
| 4a9222757521855b9f6b6ab35583f2bf629c53e8 | 4e13435d6acc8093074aa48600e0ce2a |
| 4d0b8212ab2a4631d2dc1a75f29ba786a69f7b2e | 5f016b11b5343467e7dd36858db252dc |
| 5028e9ddac3eb80dd57b3fd0b1943b200a5af8d0 | 5de38e41fdec25befe1b9a63309c2042 |
| 6a3b6bc02121e7849f380c6420431e6165a5d5fc | 63881570b80024a59308a5b470ec7715 |
| 6b464209db5802fbc510918c0cc5cc009cc8e966 | 36b20da1c4f714c190de11986037a1f2 |
| 7185a2eb6eb6873f82986c1e502678352ba1811b | bd754fbc7939f8ca48d3c24b3215888a |
| 75f8171a4636e2a518ae6709b3e86875f31ede59 | 7660eaa799fe99e9271eaf91506046d5 |
| 7cece65179f21ea4d7e6e4778b0175418eb10171 | 557b7fc52a0f0a4c41925168d81fe9f8 |
| 7daedd153efa323eba2a22b843d400e515cf2e12 | 65f751f893fbb3862cd261941a2a5c7f |
| 8751e7ca88e5c56ac928c70792e1fd33a6824d73 | 2f24c610a8746307d4d332261202fb3c |
| 9b3b2270a7b1c6cd29ef6df13d9a2260b597f65f | 599f940d6dcb152dc8481a616c22a985 |
| 9cadbd741f6e7547b0e6db38b47485dfd2a42948 | 60ec31b7be541e9c11603d5df00deee5 |
| 9d62d9ea9ed7f49bcde0aef15bdba65888af737e | 53bd91e111939a7c0a2ac2b53c14d009 |
| a1feed5da7c9363e3a5c67912c6a6d34c0f32997 | 3e98c87dd5be4dee49975706cd3a4d3f |
| a9a94ec7a6d06e5e44199160f756c7f728ca60b0 | e2bea85309f3aff57f07a380980b1eb2 |
| a9d71b86f4f0b356fd30d191692b805cb81d7e52 | 0816434b07eb612693aa2520971d52be |
| ad8be4808f7dd910cec11d7eed88933e3f50132a | 7287f328f3acb1774ecc42606e2da598 |
| c1c2c0630bbc8590e0f80e3bcf8c4d81de695284 | f753a56569aecaf03d1849a7de3bb210 |
| c2861ae327abe194a39775f9dcbddf816eb3385f | 05ad4e30b021e5dd5f895c3f43d93190 |
| c66fef5b2da022003386a3425c95adcf91bdacd4 | e66769ae52200524398cb720df2e19b6 |
| c73ed38e8c9687add687ff7ef4639740f2f1a4a4 | 6ec3bf594a30c3a6b0ae217be13c8ad1 |
| d7a69969f151fd1a712501a76f584580f3eab8a3 | e1759eb35c1e919e9f69438041356d06 |
| df0d85540e6d27858c7a750c11ead6c2cfc53e07 | e93e2de048edb4222e0197286bc869a1 |
| e2164b84808360299fee0ce3c303d9af1cfce8b2 | 01e21ae0359c1d14ab625ca65bb9609c |
| e893136fda499d4534f9968eea14a39f6aabc9bf | 002aca476813f1f4329caa15ea1ce033 |
| ecd0361847c99008c1f181378ae99fb168463eed | 87d16754bffc4a8a610b447098ba1298 |
| f09021108fde30a9d51d0d47a02cf8ef24ef2e5a | c86a7448792987d278eb2c84ff9748e5 |
| fb77bce6ace6f6c506f5ae006fddd1a0b2e557da | 758dfba0cdc2614f93a33188a17de1f5 |
| fde1c0fa8a8ffc6ed704d4e082eb4ecba392d379 | 82dc3f3876155fa6a60b1449cb34c6e8 |
| 6143dcccad903dc506c625137f91307d2bdf98f0 | 3e06b055356a294bf211c09333b46b9a |
| c743246efb9ac2b8d3c75a24a9f6816ef44c8b83 | 94de67cc4355093aa5aecfb67bccd665 |
| 04c5910d267078d47d4b90ff07d7b6ab1ec1e76f | 46c3fd630fc72ac9c6a7a53d9dac30ae |
References and Resources
https://cyble.com/blog/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/