Atomic Stealer Mac Malware Distributed Through Malvertising


A recently detected malvertising campaign is distributing an updated version of the macOS information-stealing malware known as Atomic Stealer, or AMOS, indicating that its creator is actively maintaining it.

Atomic Stealer, a Golang malware readily available for $1,000 per month, first surfaced in April 2023. Shortly thereafter, new variants with expanded data collection capabilities emerged, targeting gamers and cryptocurrency enthusiasts.

The primary distribution method observed in this campaign is malvertising through Google Ads. Users who search for popular software, whether legitimate or cracked, are shown fake ads that redirect them to websites hosting rogue installers.

In the latest campaign, a deceptive TradingView website prominently features three download buttons for Windows, macOS, and Linux operating systems.

Atomic Stealer Payload Distributed Through File Hosted on Discord

Jérôme Segura, director of threat intelligence at Malwarebytes, explained that both the Windows and Linux buttons lead to an MSIX installer hosted on Discord, which drops the NetSupport RAT.

The macOS payload, labeled "TradingView.dmg," is a new version of Atomic Stealer released at the end of June. It is bundled within a custom-signed application that, upon execution, prompts users with a fake password request, enabling the harvesting of files and data stored in iCloud Keychain and web browsers.

The attacker's ultimate goal is to bypass macOS Gatekeeper protections and transfer the stolen data to a server under their control.

This development coincides with macOS becoming an increasingly attractive target for malware attacks. Recent months have seen the emergence of macOS-specific information theft tools for sale on criminal forums, taking advantage of the widespread use of Apple systems in organizations.

September 8, 2023