Crypto wallets are targeted by a new “stealer” on Mac

New “stealer” malware was spotted this spring. It targets computers running macOS and seeks to steal a lot of information, including cryptocurrency wallets.

Its name leaves little doubt as to its targets: computers running macOS. That is what the AMOS malware, an acronym for Atomic macOS Stealer, is built for. No great linguistic skill is needed to guess the purpose of the program either: it exists to steal information from the victim’s machine.

AMOS is a newcomer to the malware galaxy; its detection, at any rate, dates from this spring. In a blog post dated April 26, staff at Cyble, a cybersecurity firm, say they unearthed a Telegram channel in which AMOS was being advertised.

Steal crypto, passwords, data…

The objective of this “stealer” is to harvest valuable data from the infected workstation. In particular, AMOS is able to go after wallets holding cryptocurrency: Cyble cites Electrum, Binance, Exodus, Atomic, and Coinomi by name. But the tool has broader capabilities, allowing it to collect information from elsewhere on the system.

Cyble mentions the macOS user password, system information, files on the desktop and in the Documents folder, and also passwords stored in the keychain. Installed web browsers are just as exposed: saved passwords, cookies, form auto-fill data, and payment information can all be taken.

“The malicious actor behind this stealer is constantly improving this malware and adding new capabilities to it to make it more effective. The latest malware update was highlighted in the April 25 Telegram post, showcasing its latest features,” Cyble wrote in its report.

macOS, Apple’s operating system, is targeted by AMOS.

A screenshot of the advertisement associated with AMOS shows that the tool can tap into Google Chrome, Firefox, Brave, Microsoft Edge, Vivaldi, Yandex, Opera, and Opera GX, that is, all the major web browsers. It can also target cryptocurrency-related browser extensions and offers additional features on request.

“Stealers”, or “info stealers”, are a class of malicious software that makes the news from time to time. Telegram has become a common channel for obtaining such tools at low cost. AMOS is an example of this: access to the stealer is billed at $1,000 per month, which theoretically puts it within reach of anyone.

Cyble, which obtained a sample of AMOS, was able to take it apart to see how it works. Among the company’s findings is that the stealer communicates with a command-and-control server associated with a domain ending in “.ru”, a top-level domain associated with Russia. AMOS sends the stolen data to this infrastructure.
