Carder.life

Atomic macOS infostealer adds backdoor for persistent attacks (http://txgate.io:443/showthread.php?t=51301694)

Artifact 07-16-2025 08:58 AM

<div id="post_message_801928">

Malware analysts discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, giving attackers persistent access to compromised systems.<br/>
<br/>
The new component allows executing arbitrary remote commands, survives reboots, and permits maintaining control over infected hosts indefinitely.<br/>
<br/>
MacPaw's cybersecurity division Moonlock analyzed the backdoor in Atomic malware after a tip from independent researcher g0njxa, a close observer of infostealer activity.<br/>
<br/>
"AMOS malware campaigns have already reached over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected," the researchers say.<br/>
<br/>
"The backdoored version of Atomic macOS Stealer now has the potential to gain full access to thousands of Mac devices worldwide."<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/July/samples.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Circulation of unique Atomic stealer samples. Source: Moonlock

</td>
</tr>
</table>
</div><b><font size="4"><font color="White">Evolution of the Atomic stealer</font></font></b><br/>
<br/>
The Atomic stealer, <a href="https://www.bleepingcomputer.com/news/security/new-atomic-macos-info-stealing-malware-targets-50-crypto-wallets/" target="_blank">first documented in April 2023</a>, is a malware-as-a-service (MaaS) operation promoted on Telegram channels for a hefty subscription of $1,000 per month. It targets macOS files, cryptocurrency extensions, and user passwords stored on web browsers.<br/>
<br/>
In November 2023, it supported the first-ever <a href="https://www.bleepingcomputer.com/news/security/atomic-stealer-malware-strikes-macos-via-fake-browser-updates/" target="_blank">expansion of 'ClearFake' </a>campaigns onto macOS, while in September 2024, it was spotted in a large-scale campaign by the cybercrime group '<a href="https://www.bleepingcomputer.com/news/security/global-infostealer-malware-operation-targets-crypto-users-gamers/" target="_blank">Marko Polo</a>,' who deployed it on Apple computers.<br/>
<br/>
Moonlock reports that Atomic has recently shifted from broad distribution channels like cracked software sites, to targeted phishing aimed at cryptocurrency owners, as well as job interview invitations to freelancers.<br/>
<br/>
The analyzed version of the malware comes with an embedded backdoor, uses LaunchDaemons to survive reboots on macOS, ID-based victim tracking, and new command-and-control infrastructure.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/July/evolution.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Evolution of the Atomic stealer. Source: Moonlock

</td>
</tr>
</table>
</div><b><font size="4"><font color="white">A backdoor into your Mac</font></font></b><br/>
<br/>
The core backdoor executable is a binary named '.helper,' downloaded and saved in the victim's home directory as a hidden file post-infection, the <a href="http://moonlock.com/amos-backdoor-persistent-access" target="_blank">researchers say</a>.<br/>
<br/>
A persistent wrapper script named '.agent' (also hidden) runs '.helper' in a loop as the logged-in user, while a LaunchDaemon (com.finder.helper) installed via AppleScript ensures that '.agent' executes at system startup.<br/>
<br/>
This action is performed with elevated privileges using the user's password stolen during the initial infection phase under a false pretext. The malware can then execute commands and change ownership of the LaunchDaemon PLIST to 'root:wheel' (superuser level on macOS).<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/July/backdoor,exec.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

The backdoor execution chain. Source: Moonlock

</td>
</tr>
</table>
</div>The backdoor allows the threat actors to execute commands remotely, log keystrokes, introduce additional payloads, or explore lateral movement potential.<br/>
<br/>
To evade detection, the backdoor checks for sandbox or virtual machine environments using 'system_profiler' and also features string obfuscation.<br/>
<br/>
The evolution of Atomic malware shows that macOS users are becoming more attractive targets and malicious campaigns aimed at them are increasingly sophisticated.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/atomic-macos-infostealer-adds-backdoor-for-persistent-attacks/" target="_blank">@ BleepingComputer </a>
</div>
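The persistence chain described in the post (a LaunchDaemon pointing at a hidden wrapper script in the victim's home directory, plus hidden executables such as '.helper' and '.agent') is something a defender can audit for. The script below is an added example written for this page; it is not code from the article, Moonlock, or the malware. It assumes the standard macOS layout of /Library/LaunchDaemons and /Users/&lt;name&gt;, and it generalizes the article's single case into two heuristics: any LaunchDaemon plist whose program path is a dotfile under a user's home, and any hidden executable sitting directly in a home directory. The fixture it builds (the com.finder.helper plist, a benign com.example.backup plist, the user 'alice', her dotfiles) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or Moonlock): audit a macOS-style tree
# for the persistence pattern described above. ROOT is the tree to scan
# ("/" on a real Mac); with no argument a constructed fixture is used so the
# script runs anywhere.

# Print LaunchDaemon plists whose program path is a dotfile under a home
# directory, e.g. <string>/Users/alice/.agent</string>. Legitimate daemons
# live in /Library, /usr or an app bundle, not in a hidden file in $HOME.
find_suspicious_daemons() {
    root="$1"
    for plist in "$root"/Library/LaunchDaemons/*.plist; do
        [ -f "$plist" ] || continue
        if grep -Eq '<string>/Users/[^/<]+/\.[^/<]+</string>' "$plist"; then
            echo "$plist"
        fi
    done
}

# Print hidden regular files that are executable and sit directly in a home
# directory. Shell rc files are hidden too, but are normally not executable.
find_hidden_home_executables() {
    root="$1"
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        for f in "$home"/.[!.]*; do
            [ -f "$f" ] && [ -x "$f" ] && echo "$f"
        done
    done
}

# Count output lines without the leading spaces BSD wc prints.
count_lines() { wc -l | tr -d ' '; }

# Build a constructed fixture: one suspicious daemon, one benign daemon,
# two hidden executables and one benign non-executable dotfile.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/Library/LaunchDaemons" "$root/Users/alice"
    cat > "$root/Library/LaunchDaemons/com.finder.helper.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.finder.helper</string>
  <key>ProgramArguments</key><array><string>/Users/alice/.agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    cat > "$root/Library/LaunchDaemons/com.example.backup.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
</dict></plist>
EOF
    printf '#!/bin/sh\n' > "$root/Users/alice/.agent"
    printf '#!/bin/sh\n' > "$root/Users/alice/.helper"
    chmod +x "$root/Users/alice/.agent" "$root/Users/alice/.helper"
    printf 'export PATH="$PATH"\n' > "$root/Users/alice/.zshrc"
    echo "$root"
}

# Stand-alone run: scan the given root, or the fixture when none is given.
if [ $# -eq 0 ]; then
    ROOT=$(build_fixture); CLEANUP=yes
else
    ROOT=$1; CLEANUP=no
fi
echo "LaunchDaemons pointing at hidden files in home directories:"
find_suspicious_daemons "$ROOT"
echo "Hidden executables directly in home directories:"
find_hidden_home_executables "$ROOT"
[ "$CLEANUP" = yes ] && rm -rf "$ROOT"
```

On a real host run it as root with `/` as the argument so that every home directory is readable. Two details from the post are deliberately left to a manual follow-up: ownership of a hit plist ('root:wheel' is expected for daemons, so ownership alone does not separate it from a benign one) and the content of any hidden executable found, which should be preserved for analysis rather than deleted on the spot.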

