Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Hundreds Targeted in New Atomic macOS Stealer Campaign

Between June and August, over 300 entities were targeted with the Atomic macOS Stealer via malvertising.

macOS malware

CrowdStrike warns of a spike in attacks aimed at infecting macOS users with a variant of the infamous Atomic macOS Stealer (AMOS) information stealer.

Between June and August, the cybercrime group Cookie Spider, which operates the AMOS malware-as-a-service (MaaS) enterprise, used malvertising to direct victims to fraudulent help websites and trick them into installing the malware.

The campaign, CrowdStrike says, targeted users who were searching for solutions to common macOS issues, and relied on promoting fraudulent advertisements for websites where victims were instructed to execute a malicious command on their systems.

The command would fetch a Bash script from a remote server, to capture the victim’s password and download an executable from another remote location.

Dubbed SHAMOS, the payload is a variant of AMOS that contains anti-VM checks to prevent execution in a sandboxed environment, and which can perform reconnaissance and data collection tasks.

The malware searches the system for files that contain credentials, data from Keychain, AppleNotes, browsers, and known cryptocurrency wallets, and attempts to exfiltrate them to a remote server, packed in a ZIP archive.

Advertisement. Scroll to continue reading.

Additionally, SHAMOS can download and execute payloads, including a botnet module and a fake Ledger Live wallet application.

The malvertising campaign targeted users in Canada, China, Colombia, Italy, Japan, Mexico, the US, the UK, and other countries, but was not served to Russian users.

CrowdStrike’s investigation revealed that the cybercriminals likely impersonated a legitimate Australia-based electronics store in their Google Advertising profile.

“This campaign underscores the popularity of malicious one-line installation commands among eCrime actors. This technique allows them to bypass Gatekeeper security checks and install the Mach-O executable directly onto victim devices,” CrowdStrike notes.

Related: Homebrew macOS Users Targeted With Information Stealer Malware

Related: High-Value NPM Developers Compromised in New Phishing Campaign

Related: North Korean Hackers Target macOS Users

Related: Digium Phones Targeted in Cybercrime Campaign Aimed at VoIP Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.