New macOS Malware for Sale on Telegram Steals Usernames, Passwords, Files + More

Apple’s macOS operating system has traditionally been considered safer than Windows when it comes to being a target for malware authors; however, that’s changed as the Mac platform has become more popular due to the increased sales of Mac laptops and desktops over the last decade or so.

A new piece of Mac malware is now out in the wild, readily available on Telegram as a $ 1,000-per-month software rental tool. The new malware, which sports the moniker of “Atomic macOS Stealer (AMOS),” was recently discovered on Telegram by Cyble Research. It’s designed to purloin sensitive information from a Mac’s hard drive, including usernames, passwords, and other valuable information.

An unknown malware author created the Atomic macOS Stealer and is reportedly still working behind the scenes to “improve” it and make it more effective. The version of AMOS that’s currently available can access desktop and documents folder contents, system information, keychain passwords, and the Mac system password.

The malware targets multiple browsers — including Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, Yandex, and Vivaldi — extracting cookies, wallets, auto-fill info, passwords, and credit card info. The malware also targets crypto-wallets, such as Electrum, Exodus, Atomic, Binance, and Coinomi.

The AMOS malware doesn’t stop there, though, as it also targets the Keychain macOS password management tool, extracting information from the victim’s Mac laptop or desktop. Keychain is designed to allow users to securely store sensitive information, such as passwords, credit card information, website login information, and more — and it’s often synced from a user’s iPhone and iPad via iCloud.

Attackers using AMOS can control the malware via a web panel, allowing them to easily manage their targets. The web panel also includes tools to allow hackers to brute-force private keys. The malware and its accompanying service are available for rent on Telegram for anyone willing to pay a $1,000 per month fee.

The malware is installed on a Mac when a user opens a .dmg file and installs an app containing Atomic macOS Stealer. Once installed, the malware begins digging in search of sensitive information, collecting it, archiving it in a .ZIP file, and sending it to a remote server.

The malware uses a  fake system prompt to gain access to the Mac system password while also requesting access to files located on the Desktop and in the Documents folder.

Users can easily avoid infecting their machine with the malware by simply not opening up the .dmg file and installing the payload. As usual, the standard warning applies here about not installing untrusted software from unverified sources; the safest approach is to install software only from the Mac App Store, where apps are vetted before they’re released. Mac users should also always use strong and unique passwords, as well as multi-factor authentication and biometric authentication whenever available.

Users should also never click links in emails and messages and also avoid opening any attachments in emails. They should also always carefully consider why an app may be requesting access to data before granting it permission, and they should keep their apps and operating systems updated to the latest version. Personally, I would also recommend investing in malware protection, such as that offered by Malwarebytes, which is this writer’s personally preferred method of protection.