The Cyble cybersecurity firm alerted the world to a new info stealer on April 26, 2023, named AMOS, for “Atomic macOS Stealer”. Its special feature is in its name: it targets devices that run on macOS. Cyble pinpointed a Telegram channel dedicated to the stealer, and managed to retrieve a sample to analyze it.
Once installed on a Mac, AMOS lets attackers retrieve several sets of data from the infected device. It also targets the most popular web browsers, as well as their extensions.
The stealer’s primary objective is gaining access to crypto wallets, namely Electrum, Binance, Exodus, Atomic and Coinomi. As far as the OS is concerned, AMOS can also siphon off macOS passwords, various system information, folders and passwords stored in the keychain. As for browsers, AMOS can steal passwords, cookies, prefilled form data and payment info.
According to Cyble, its creators charge a thousand dollars a month for access to AMOS. On April 25, 2023, they launched a malware update with new features. Researchers have yet to identify the AMOS admins, but they have a solid lead on its source: by analyzing the stealer, Cyble noticed it was sending stolen data to a command-and-control (C&C) server linked to a “.ru” address, Russia’s domain extension.