Historically, macOS was perceived as far less susceptible to malware than Windows, partly because its Unix-based foundation offered fewer entry points for malware developers, who therefore had to resort to less conventional tactics to breach the system. The assumption was that the platform's exposure lay mainly in unusual, unorthodox attacks and niche malicious software. Over time, that has changed. Mainstream malware now targets macOS with increasing frequency, and although macOS still lags behind Windows in both volume and severity, AMOS is a prime example of that trend. In our telemetry, stealers account for more than half of all macOS detections in the past six months, with Atomic macOS Stealer (AMOS) being a particularly prevalent family.
AMOS is designed to steal sensitive information from compromised systems, including cookies, login credentials, auto-fill data and even cryptocurrency wallet contents, and to transmit it back to the attacker. Once that information is in an attacker's hands, they may exploit it for their own gain or, more likely, sell it to other threat actors on illicit markets.
On the black market for compromised credentials, colloquially referred to as "logs" among cybercriminals, the price of AMOS has tripled in the past year alone, underscoring how important macOS users have become as targets and how much this market is worth to malicious actors.
While AMOS is not the only player in town (competitors exist), its impact is likely among the most significant, so we have compiled a concise overview of what AMOS is and how it operates, to help defenders gain traction against this increasingly pervasive malware.
AMOS is marketed and sold online. As of May 2024, the price had risen to $3,000 per month, a significant increase from its initial offer in May 2023, when it was priced at $1,000 per month (a "lifetime" license option, price undisclosed, remained available). As shown in the accompanying screenshot, the AMOS advertisement lists an extensive range of targeted browsers from which it can steal cookies, passwords and autofill data; it also highlights cryptocurrency wallets and detailed system information, including the Apple Keychain and the macOS password.
In our telemetry, many threat actors deliver AMOS through malvertising, abusing legitimate online advertising and commerce platforms to redirect users to malware-hosting sites. Alternatively, attackers use search engine optimization (SEO) poisoning, manipulating ranking algorithms so that malicious websites appear at the top of search results. When an unsuspecting user searches for a particular software program or utility, the malicious actor's website dominates the results and offers a download that appears authentic but actually installs malware on the user's device.
Legitimate applications that AMOS has impersonated in this way include a productivity tool, a project management application, a team collaboration platform, a task automation system and a to-do-list application.
AMOS malvertising also extends to social media platforms. We detected a malvertising campaign targeting X.com users in which a fake installer was disguised as the legitimate CleanMyMac X software from MacPaw, hosted on a convincing replica website at macpaw[.]us that closely mimicked the genuine site.
While investigating a customer-affected incident involving AMOS, we found that malicious actors have publicly shared AMOS binaries on GitHub, likely as part of a malvertising campaign.
Our investigation also uncovered numerous open directories hosting AMOS samples, highlighting the need for prompt remediation. Some of these domains had also been compromised to distribute Windows malware.
The AMOS C2 panels are password-protected. As the screenshots show, the panels give threat actors a simplified overview of their campaigns and of the exfiltrated data.
As noted above, AMOS first appeared publicly in April 2023. Since then, the malware has evolved to evade detection and to frustrate analysis. At present, its function names and strings are obfuscated.
We have observed that recent AMOS variants use a Python dropper, with the attackers moving key elements such as strings and capabilities into this dropper rather than the main Mach-O binary, most likely to evade detection.
Recently, AMOS distributors posted an advertisement claiming that a new version of the malware is specifically designed to target iPhone users. However, no in-the-wild samples have surfaced yet, so we cannot confirm whether an iOS version of AMOS is actually available for sale at the time of writing.
One likely motivation for this announcement is the EU's Digital Markets Act, which Apple has been required to comply with from iOS 17.4 onward. Because developers may now distribute apps directly, malicious actors could apply the same tactics currently used against macOS users to distribute an iOS version of AMOS, potentially compromising vulnerable devices.
As our telemetry over the past year shows, threat actors are increasingly focusing on macOS, particularly with infostealers, and AMOS has become worryingly effective. When installing software, obtain it only from reputable sources and be extremely cautious when a pop-up window asks for a password or elevated system access.
All of the stealers we have observed so far are distributed outside Apple's official App Store and without Apple's cryptographic verification, relying instead on the social engineering tactics discussed above. Requests to enter passwords and other sensitive information should ring alarm bells, especially when third-party software is asking for these permissions. Note also that in macOS 15 (Sequoia), due to launch in fall 2024, overriding Gatekeeper will become even harder: rather than being able to Control-click to open an unverified app, users will have to go into System Settings for each app they want to open.
By design, most web browsers store encrypted autofill data and the corresponding decryption keys in a fixed location, which makes that data easy for an infostealer to harvest once a system is compromised. Storing such data under encryption that depends on a strong password or biometric authentication is a far better safeguard.
Suppose you have just come across a macOS software download that strikes you as questionable. What should you do?
Sophos protects against these malware variants under detection names beginning with OSX/InfoSteal-* and OSX/PWS-*. Indicators of compromise (IOCs) related to these stealers are typically discovered through a combination of network traffic analysis, system logs and endpoint detection. By identifying and analyzing suspicious activity patterns, security teams can detect and respond to potential attacks in near real time. Common IOCs include DNS requests to known command-and-control servers, anomalous network connections to exfiltration points, and registry key modifications indicative of malware persistence.
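As an added illustration of the detection approach described above (example code, not Sophos tooling), the following script scans constructed DNS and connection log lines for two of the IOC patterns mentioned: queries for known C2 domains and unusually large outbound transfers, with extra weight given to transfers originating from a Python interpreter, in keeping with the Python dropper described earlier. The log format, the C2 domain list and the byte threshold are all assumptions for this example.

```python
"""Toy IOC matcher over constructed macOS network/DNS log lines.
Added example; the log format, IOC list and threshold are placeholders."""
import re
from dataclasses import dataclass

# Placeholder C2 indicators (not real IOCs); in practice load from threat intel.
KNOWN_C2 = {"c2.example.invalid", "exfil.example.invalid"}
EXFIL_BYTES_THRESHOLD = 1_000_000           # flag outbound transfers >= 1 MB
INTERPRETERS = {"python", "python3"}         # dropper-style processes of interest

# Constructed sample telemetry (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z dns host=mac-01 query=www.apple.com
2024-05-01T10:00:05Z dns host=mac-01 query=c2.example.invalid
2024-05-01T10:00:06Z conn host=mac-01 dst=203.0.113.10:80 bytes_out=2400000 proc=python3
2024-05-01T10:01:00Z conn host=mac-01 dst=17.253.144.10:443 bytes_out=1200 proc=Safari
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) dns host=(?P<host>\S+) query=(?P<q>\S+)$")
CONN_RE = re.compile(
    r"^(?P<ts>\S+) conn host=(?P<host>\S+) dst=(?P<dst>\S+) "
    r"bytes_out=(?P<b>\d+) proc=(?P<proc>\S+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    reason: str
    detail: str


def scan(log_text, known_c2=KNOWN_C2, threshold=EXFIL_BYTES_THRESHOLD):
    """Return alerts for C2 DNS lookups and large outbound transfers."""
    alerts = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            q = m["q"].lower().rstrip(".")
            # Match the domain itself or any subdomain of a known C2 domain.
            if q in known_c2 or any(q.endswith("." + d) for d in known_c2):
                alerts.append(Alert(m["ts"], m["host"], "dns_known_c2", q))
            continue
        m = CONN_RE.match(line)
        if m and int(m["b"]) >= threshold:
            reason = ("large_outbound_from_interpreter"
                      if m["proc"].lower() in INTERPRETERS else "large_outbound")
            alerts.append(Alert(m["ts"], m["host"], reason,
                                f"{m['dst']} {m['b']}B via {m['proc']}"))
    return alerts
```

Run `scan(SAMPLE_LOG)` to see the two constructed hits; the unmatched Apple DNS query and the small Safari connection produce nothing.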
We would like to thank Colin Cowie of Sophos' Managed Detection and Response team for his assistance with this article.