Atomic Stealer, also known as AMOS, is sophisticated malware that targets macOS users. It is an infostealer malware type designed to collect sensitive information from infected systems for financial gain, identity theft, or other malicious activities. Due to its effectiveness and availability as a Malware-as-a-Service (MaaS) offering on underground forums, AMOS has become increasingly popular among cybercriminals.
This infostealer is designed to extract sensitive information from infected Mac computers, including:
- Account passwords
- Browser data
- Session cookies
- Cryptocurrency wallet contents
- Files from Desktop and Documents folders
Once executed, Atomic Stealer typically prompts for administrative access, attempts to gain persistence, extracts sensitive data, and sends it to a remote server controlled by the attackers.
How Atomic Stealer spreads and infects macOS
Atomic Stealer employs various sophisticated techniques to spread and infect macOS systems:
Fake application installers: Cybercriminals create counterfeit versions of popular applications like Tor Browser, Photoshop CC, and Microsoft Office. Users are tricked into downloading these fake installers, typically packaged as disk image (.dmg) files, which execute the malicious payload instead of installing legitimate software.
Malvertising via Google Ads: Attackers exploit Google’s advertising platform to reach potential victims. Malicious ads appear legitimate but redirect users to fake websites hosting the Atomic Stealer malware.
Fake browser updates (ClearFake Campaign): A recent development involves tricking users into downloading fake Safari and Google Chrome browser updates. Users are redirected to a phony update page that mimics official interfaces, prompting them to download and install a malicious .dmg file.
Compromised websites: Attackers inject malicious code into hacked legitimate websites, redirecting visitors to malware download pages or serving malicious ads.
Social engineering tactics: Cybercriminals use fake job postings, fraudulent recruitment ads on gaming platforms, and phishing emails promising lucrative contracts to lure users into downloading the malware.
What to do after an Atomic Stealer attack
If you suspect Atomic Stealer has infected your Mac, take immediate action:
- Disconnect from the internet to prevent further data exfiltration and potential spread to other devices.
- Change all passwords from a clean, uninfected device, especially those for financial services and email.
- Contact a professional cybersecurity firm for incident response assistance to contain the threat, eradicate the malware, and develop a recovery plan to restore your systems securely. A digital forensics report can also be requested to help determine the extent of the breach and recover crucial evidence.
- Notify relevant parties, especially if sensitive data is compromised, and inform affected individuals and relevant authorities as required by law.
- After ensuring the system is clean, restore your data from a backup created before the infection.
- Monitor your accounts for suspicious activity that might indicate ongoing unauthorized access.
How to prevent Atomic Stealer
To safeguard your Mac against Atomic Stealer and similar threats:
- Be cautious with downloads: Only download software from official sources like the Apple App Store. Be extremely wary of software offered through ads or pop-ups.
- Verify URLs: Double-check the URL of any website prompting you to download software, especially if you arrived there via an ad.
- Keep software updated: Ensure your operating system and all applications are up-to-date with the latest security patches.
- Use web protection tools: Employ security software that can block known malicious infrastructure associated with threats like Atomic Stealer.
- Don’t open unsolicited messages: Be cautious of unexpected messages offering rewards or asking you to try new software, especially in gaming communities.
- Use strong, unique passwords: Employ a password manager to create and store complex passwords for all your accounts.
- Enable two-factor authentication: Wherever possible, enable 2FA to add an extra layer of security to your accounts.
- Regularly back up your data: Keep regular backups of your essential files in a secure, offline location. Proven Data’s Ransomware Recovery services can be crucial if your backups are compromised.