
Atomic Stealer

Security researchers report that a threat actor is selling a new malware family called Atomic Stealer (also tracked as AMOS, after its command-and-control domain) through the Telegram messaging platform. The malware is written in Go, is built specifically for macOS, and is designed to steal sensitive information from the victim's machine.

The threat actor is actively promoting Atomic Stealer on Telegram, where they recently advertised an update showcasing the malware's latest capabilities. This information stealer poses a serious risk to macOS users, since it can harvest sensitive data stored on the machine, including passwords and system configuration details. The details below come from a report by malware researchers.

The Atomic Stealer Possesses a Wide Range of Threatening Capabilities

Atomic Stealer carries a range of data-theft features that let its operators extend their access once they are on the target system. When the malicious DMG is opened and its payload executed, the malware displays a fake password prompt to trick the victim into entering their macOS login password. With that password in hand, the attacker can act with the user's privileges and unlock protected stores such as the Keychain.

Capturing the password is a prerequisite for reaching the most sensitive data, and a future update could reuse it to change critical system settings or install additional payloads. After this initial compromise, the malware attempts to extract passwords from the Keychain, macOS's built-in password manager, which stores encrypted secrets such as Wi-Fi passwords, website logins and credit card data.

The Atomic Stealer Targets Over 50 Crypto-Wallets

Once Atomic Stealer has gained a foothold on a macOS machine, it extracts data from a wide range of installed software. It targets desktop cryptocurrency wallets such as Electrum, Binance, Exodus and Atomic Wallet (the malware's namesake), as well as more than 50 browser-based wallet extensions, including Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, Coinbase, Guarda, TronLink, Trezor Password Manager, MetaMask, Yoroi and BinanceChain.

Atomic Stealer also harvests web browser data, including auto-fill entries, saved passwords, cookies and stored credit card details, from Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera and Vivaldi. It additionally collects system information such as the model name, hardware UUID, RAM size, CPU core count and serial number.

Operators can also use Atomic Stealer to exfiltrate files from the victim's 'Desktop' and 'Documents' folders. On current macOS versions those folders are protected by the system's privacy controls (TCC), so the malware first has to request access, and the resulting consent dialog gives an attentive victim a chance to notice the malicious activity.

After gathering the data, the malware compresses it into a ZIP archive and uploads it to the threat actor's Command-and-Control (C&C) server at 'amos-malware[.]ru/sendlog'.
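The sequence above (fake password prompt, Keychain and browser/wallet file access, hardware inventory, ZIP staging, upload to the C&C endpoint) is distinctive enough to detect by correlating endpoint telemetry rather than by matching any single artefact. The following is an added example written for this page, not code from the report or from the malware; it runs a small stage-correlation detector over constructed sample events in the shape an EDR or unified-log collector might emit. The assumption that the fake prompt is produced with osascript's `display dialog ... with hidden answer`, the sample paths, PIDs and usernames, and the alert threshold are all illustrative choices, not facts from the page.

```python
"""Stage-correlation detector for Atomic-Stealer-style macOS infostealer activity.

Added example for this page; not the report's or the malware's own code.
Each event is a dict with 'type' (process/file/network), 'pid', 'ppid'
(process events only) and 'detail' (command line, path, or URL).
"""
import re
from collections import defaultdict

# Stage name -> (event type, regex tested against the event's 'detail').
# The osascript/"hidden answer" prompt pattern is an ASSUMPTION about how the
# fake password dialog is rendered; the page only says a fake prompt is shown.
STAGES = {
    "fake_password_prompt": ("process", re.compile(r"osascript.*display dialog.*hidden answer", re.I)),
    "keychain_access":      ("file",    re.compile(r"/Library/Keychains/login\.keychain-db$")),
    "keychain_dump":        ("process", re.compile(r"(^|/)security .*(find-generic-password|dump-keychain)")),
    "browser_credentials":  ("file",    re.compile(r"/(Login Data|Cookies|Web Data|logins\.json|key4\.db)$")),
    "wallet_data":          ("file",    re.compile(r"/Application Support/(Exodus|Electrum|atomic|Binance)/", re.I)),
    "hardware_inventory":   ("process", re.compile(r"system_profiler .*SPHardwareDataType")),
    "zip_staging":          ("file",    re.compile(r"\.zip$")),
    "c2_upload":            ("network", re.compile(r"amos-malware\.ru/sendlog")),
}
ALERT_THRESHOLD = 3  # distinct stages seen from one process tree before alerting


def root_of(pid, parent_of):
    """Walk up the parent chain to the outermost process we have seen
    (e.g. the app launched from the DMG), so child helpers such as
    osascript or system_profiler are attributed to the same tree."""
    while parent_of.get(pid) in parent_of:
        pid = parent_of[pid]
    return pid


def classify(event):
    """Return the stage name an event matches, or None."""
    for name, (etype, pattern) in STAGES.items():
        if event["type"] == etype and pattern.search(event["detail"]):
            return name
    return None


def detect(events):
    """Group matching events by process tree and return trees that reach
    ALERT_THRESHOLD distinct stages: {root_pid: {stage: first_event}}."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    seen = defaultdict(dict)
    for e in events:
        stage = classify(e)
        if stage:
            seen[root_of(e["pid"], parent_of)].setdefault(stage, e)
    return {root: stages for root, stages in seen.items() if len(stages) >= ALERT_THRESHOLD}


# Constructed telemetry (not captured data): one stealer process tree plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 500, "ppid": 1,   "detail": "/Volumes/Installer/Setup.app/Contents/MacOS/Setup"},
    {"type": "process", "pid": 501, "ppid": 500, "detail": "osascript -e 'display dialog \"macOS needs your password\" default answer \"\" with hidden answer'"},
    {"type": "file",    "pid": 500, "detail": "/Users/jane/Library/Keychains/login.keychain-db"},
    {"type": "file",    "pid": 500, "detail": "/Users/jane/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"type": "file",    "pid": 500, "detail": "/Users/jane/Library/Application Support/Exodus/exodus.wallet/seed.seco"},
    {"type": "process", "pid": 502, "ppid": 500, "detail": "system_profiler SPHardwareDataType"},
    {"type": "file",    "pid": 500, "detail": "/private/tmp/out.zip"},
    {"type": "network", "pid": 500, "detail": "POST http://amos-malware.ru/sendlog"},
    # Benign: the user's own browser reading its credential store is one stage, not an alert.
    {"type": "process", "pid": 700, "ppid": 1,   "detail": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"},
    {"type": "file",    "pid": 700, "detail": "/Users/jane/Library/Application Support/Google/Chrome/Default/Login Data"},
]


if __name__ == "__main__":
    for root, stages in detect(SAMPLE_EVENTS).items():
        print(f"ALERT root pid {root}: {len(stages)} stages -> {sorted(stages)}")
```

Any one of these stages is noisy on its own (administrators use `display dialog`, browsers read their own `Login Data`), which is why the detector alerts only when several stages originate from the same process tree; the `c2_upload` match is the one high-confidence indicator and is worth alerting on independently in a network sensor. In production the events would come from the Endpoint Security framework or an EDR rather than the inline list.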

While macOS has historically seen far less malware than Windows, it is now an increasingly popular target for threat actors of all skill levels. This is likely driven by the growing macOS user base, particularly in business and enterprise environments, which makes it a lucrative target for criminals seeking to steal sensitive data or gain unauthorized access to systems. macOS users should therefore remain vigilant and take appropriate precautions to protect their devices from threats like this one.
