Warning for Mac Users: Malvertising Campaign Distributes Atomic Stealer macOS Malware

A fresh malvertising campaign has emerged, distributing an updated iteration of macOS stealer malware named Atomic Stealer (or AMOS). This development suggests active maintenance by the malware’s author.

Atomic Stealer, a readily available Golang malware offered at a monthly rate of $1,000, first came to attention in April 2023. Subsequently, new variants, equipped with an expanded set of information-gathering capabilities, were discovered in the wild, targeting gamers and cryptocurrency users.

This malvertising campaign primarily leverages Google Ads as the distribution vector. Users searching for popular software, whether legitimate or cracked, on search engines encounter deceptive ads redirecting them to websites hosting rogue installers.

In the latest campaign, a fraudulent TradingView website prominently displays three download buttons for software catering to Windows, macOS, and Linux operating systems.

The macOS payload, labeled “TradingView.dmg,” represents a new version of Atomic Stealer released in late June. It is packaged within an ad-hoc signed app that, upon execution, prompts users to enter their password on a fake dialog box, subsequently harvesting files and data stored in iCloud Keychain and web browsers.

The ultimate objective of the attacker is to evade Gatekeeper protections in macOS and transmit the stolen data to a server under their control.

This development aligns with the growing trend of macOS becoming a viable target for malware attacks. Over recent months, several macOS-specific info stealers have surfaced in crimeware forums, capitalizing on the widespread use of Apple systems in organizations.

It’s essential to note that Atomic Stealer is not the sole malware distributed via malvertising and search engine optimization (SEO) poisoning campaigns. Evidence has emerged of DarkGate (also known as MehCrypter) using the same delivery method.

Furthermore, new iterations of DarkGate have been employed in attacks by threat actors employing tactics to those observed with Scattered Spider, as highlighted by Aon’s Stroz Friedberg Incident Response Services last month.