Atomic macOS Stealer leads sensitive data theft on macOS

    Date: 09/10/2024

    Severity: High

    Summary

    Historically, macOS was thought to be less vulnerable to malware than Windows, partly due to its smaller market share and built-in security features that forced malware developers to use unconventional methods. However, this perception has shifted over time. Mainstream malware is now increasingly targeting macOS, with infostealers being a notable example. Our data shows that stealers make up over 50% of macOS detections in the past six months, with Atomic macOS Stealer (AMOS) being one of the most prevalent families.

    Indicators of Compromise (IOC) List

    Domains/URLs

    nextnovatech.com

    wooofi.com

    slackcomtop.aab-e-pak.com

    slackforbusiness.net

    slackforbusiness.net/api.php

    slackforbusiness.net/main.php

    macpaw.us

    Hash

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "slackcomtop.aab-e-pak.com" or url like "slackcomtop.aab-e-pak.com" or userdomainname like "nextnovatech.com" or url like "nextnovatech.com" or userdomainname like "wooofi.com" or url like "wooofi.com" or userdomainname like "slackforbusiness.net" or url like "slackforbusiness.net" or userdomainname like "macpaw.us" or url like "macpaw.us" or userdomainname like "slackforbusiness.net/main.php" or url like "slackforbusiness.net/main.php" or userdomainname like "slackforbusiness.net/api.php" or url like "slackforbusiness.net/api.php"

    Detection Query 2

    sha256hash IN ("4dce8b3beba71b8b44b6576ff2497ed68c6fafebd046822f0d60f8758238e900","bda2503fc02b11258399cfabd0778a997654b5bd7d30e5e3f5bef54a74b914e1","01082cd4733e5f3e2c3f642fa6c0afb5a9489d39ff26a35549263fc0e02ebad3","b351e3f475681ab2e8db5b2bbd2beaf26e5b4fd082ca08eba6fffbc76370113c","716778bab5fb2c439a51362be5941a50d587714d58a6faa39eefa96aa79c1561","C43e506c9b964dddf6fd784bf0cc78b4a2396f47257361dc22e1070e249eae16","8891e7562eb4db253a8582376083ca99b19457680f9d36a5ba4108790740785e","564b21c293bc9d0885dc7a87dbf488a497c98d2103d91f5bbcfdb476eb8b6f4c","d23491dd351f43f0efad5cee2be80c4049349a7695c0e7de1de632c791356183","7bcfcc90d0bd6c85b5b1cc9f287e161020571a0418afb50f2dd67685e9d3a4fc")
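The two queries above are plain indicator matches, and the one trap in reproducing them elsewhere is the mixed-case hash in the list (one entry starts with a capital C) while most pipelines emit lowercase hex. The following is an added example, not code from this advisory, Gurucul or Sophos: it replays the logic of Detection Query 1 (substring match on userdomainname/url) and Detection Query 2 (sha256hash IN list) over constructed sample events, normalising case on both sides. Field names, the substring reading of `like`, and the sample events are assumptions.

```python
# Added example, not code from the advisory, Gurucul or Sophos. Assumes an
# event is a dict with the queries' field names, `like "x"` means a
# case-insensitive substring match, and hashes compare case-insensitively.

# Domain/URL indicators copied from the advisory.
IOC_DOMAINS_URLS = (
    "slackcomtop.aab-e-pak.com", "nextnovatech.com", "wooofi.com",
    "slackforbusiness.net", "macpaw.us",
    "slackforbusiness.net/main.php", "slackforbusiness.net/api.php",
)
# SHA-256 indicators copied from Detection Query 2, lower-cased once.
IOC_SHA256 = {h.lower() for h in (
    "01082cd4733e5f3e2c3f642fa6c0afb5a9489d39ff26a35549263fc0e02ebad3",
    "bda2503fc02b11258399cfabd0778a997654b5bd7d30e5e3f5bef54a74b914e1",
    "C43e506c9b964dddf6fd784bf0cc78b4a2396f47257361dc22e1070e249eae16",
    "4dce8b3beba71b8b44b6576ff2497ed68c6fafebd046822f0d60f8758238e900",
    "564b21c293bc9d0885dc7a87dbf488a497c98d2103d91f5bbcfdb476eb8b6f4c",
    "b351e3f475681ab2e8db5b2bbd2beaf26e5b4fd082ca08eba6fffbc76370113c",
    "8891e7562eb4db253a8582376083ca99b19457680f9d36a5ba4108790740785e",
    "716778bab5fb2c439a51362be5941a50d587714d58a6faa39eefa96aa79c1561",
    "d23491dd351f43f0efad5cee2be80c4049349a7695c0e7de1de632c791356183",
    "7bcfcc90d0bd6c85b5b1cc9f287e161020571a0418afb50f2dd67685e9d3a4fc",
)}

def match_query1(event):
    """Detection Query 1: any indicator appears in userdomainname or url."""
    fields = [str(event.get(k, "")).lower() for k in ("userdomainname", "url")]
    return [ioc for ioc in IOC_DOMAINS_URLS if any(ioc in f for f in fields)]

def match_query2(event):
    """Detection Query 2: sha256hash equals one of the listed hashes."""
    return str(event.get("sha256hash", "")).lower() in IOC_SHA256

def triage(events):
    """Return (index, reasons) for every event that trips either query."""
    hits = []
    for i, ev in enumerate(events):
        reasons = ["q1:" + ioc for ioc in match_query1(ev)]
        if match_query2(ev):
            reasons.append("q2:sha256")
        if reasons:
            hits.append((i, reasons))
    return hits

# Constructed sample events: one benign, one network hit, one file hit.
SAMPLE_EVENTS = [
    {"userdomainname": "example.org", "url": "https://example.org/"},
    {"userdomainname": "slackforbusiness.net", "url": "https://slackforbusiness.net/api.php"},
    {"sha256hash": "c43e506c9b964dddf6fd784bf0cc78b4a2396f47257361dc22e1070e249eae16"},
]
```

Because `like` is a substring test, the bare `slackforbusiness.net` clause already covers the two `/api.php` and `/main.php` entries; they are kept here only to mirror the published query.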

    Reference:

    https://news.sophos.com/en-us/2024/09/06/atomic-macos-stealer-leads-sensitive-data-theft-on-macos/

    https://github.com/sophoslabs/IoCs/blob/master/Atomic-infostealer-IOCs.csv


    Tags

    Malware
