January 12, 2024
Severity
High
Analysis Summary
A new version of the infamous macOS information stealer malware named Atomic (or AMOS) has been detected that uses an encrypted payload, showing that the malware's developers are actively upgrading its capabilities.
Researchers discovered that the stealer was updated near the end of December 2023, introducing payload encryption to make detection harder. Atomic Stealer first emerged in April 2023 as malware-as-a-service offered for a monthly subscription of $1000. It can steal sensitive data from the infected system, such as session cookies, Keychain passwords, crypto wallets, files, and system information, and it captures the device's password through a fake prompt.
In recent months, the stealer has been distributed through malvertising and malicious sites that pose as legitimate software and web browser updates. Since the new update, Atomic Stealer is being rented out for a sizable $3000 per month. The threat actors also ran a Christmas promotion, offering the malware at a discounted price of $2000.
Alongside using encryption to evade detection by security solutions, Atomic Stealer campaigns are using Google Search ads that impersonate Slack to deploy either the stealer itself or a malware loader called EugenLoader (aka FakeBat), depending on the victim's operating system.

A similar malvertising campaign spotted in September 2023 used a fake website for the TradingView charting platform to deliver NetSupport RAT to visitors on Windows and Atomic Stealer to visitors on macOS. When the rogue Slack disk image (DMG) file is opened, it prompts the victim to enter their device's password; with that password the attackers can harvest sensitive data that is otherwise access-restricted. Another notable feature of the new version is its use of obfuscation to hide the command-and-control (C2) server to which the stolen data is exfiltrated.
This shows that stealer malware remains a severe threat to macOS users and highlights the importance of downloading software only from trusted sources and official websites. Malicious ads and fake websites can be very convincing, however, and a single mistake such as entering your password is enough for the malware to gain access to the system and steal sensitive information.
Impact
- Sensitive Information Theft
- Data Exfiltration
- Unauthorized Access
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IoCs) in your environment using your respective security controls.
- Be vigilant when downloading software and double-check the URL to see if it is legitimate.
- Never download software from untrusted sources.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.