AMOS (MacOS Stealer)

In the last week of April 2023, it was reported on Twitter that a new malware called “Atomic MacOS Stealer” was being offered through a Telegram channel. Many samples of this malware were subsequently found on the internet.

Figure 1 – Atomic MacOS Stealer
Most of these samples masquerade as installers of various applications such as Tor Browser, Photoshop CC, Notion and FL Studio.
Figure 2 – AMOS DMG files masquerading as different applications
They are delivered as DMG (disk image) files, the common format for software distribution and installation packages on macOS.
We chose the Tor Browser DMG file for analysis. When the DMG file is opened it is mounted, and the resulting window advises the user to launch the application by right-clicking it, a common trick to get past the Gatekeeper warning shown for unsigned applications.
Figure 3 – Tor Browser
These fake applications are created with Appify, a tool that wraps a bare executable into a macOS application bundle; the icon can be customised. That is why these applications carry different names and icons but contain the same executable.
The contents of the application include a PLIST file, a universal binary containing both Intel and ARM executables, and an icon. The PLIST file shows that the application was made with Appify.
Figure 4 – Contents of the application aka Amos
The universal binary is named My Go Application.app (the default name Appify gives the binary). Despite the .app extension, it is just a universal Mach-O binary, not a bundle.
Figure 5 – My Go Application
The application is unsigned. The executable is identified as a Go-based binary.
Figure 6 – Go Lang binary
Below is the section-wise size of the binary. It has 3 segments and 20 sections.
Figure 7 – Segments and sections
The functions below indicate that it is an info stealer that looks for documents, wallets, keychain details and browser data and sends them to a C2.
Figure 8 – Stealer functions of Amos
The browsers whose data it checks the machine for are Chrome, Brave, Edge, Vivaldi, Yandex, Opera and Opera GX.
Figure 9 – Targeting browsers
It also looks for cryptocurrency wallets such as Electrum, Coinomi, Exodus and Atomic to extract information from them.
Figure 10 – Targeting wallets
When the application is executed it requests the machine’s password, showing a genuine-looking System Preferences prompt generated using osascript.
Figure 11 – Asking user’s password
If nothing is entered for 30 seconds, the empty string is taken as the default answer and the dialog reports that an invalid password was entered. The dialog box keeps popping up until the user supplies the valid password.
Figure 12 – Osascript used to generate the dialog box
The password is validated using DSCL with the ‘authonly’ flag. DSCL is a command-line utility to access and manipulate the directory services databases, which store information about the users, groups and accounts on a system.
Figure 13 – DSCL used to verify the password
Once the password is valid, it executes the functions seen above and exfiltrates the data. Before that, however, it drops an executable file ‘unix1’ in the root of the local user’s home directory. The keychain exfiltration happens through this unix1 binary.
Figure 14 – Unix1 getting dropped in User’s directory
It also asks the user for permission to access .txt documents in the Desktop and Documents folders.
Figure 15 – Accessing desktop and documents folder
Below is the process tree of this stealer.
Figure 16 – Process Tree of AMOS
After collecting the data, the malware compresses it into a ZIP archive, Base64-encodes it and sends it in a POST request to its C2.
Figure 17 – POST request to its C2 (94.142.138.177)
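The behaviour chain described above (Appify default binary name, an osascript password prompt with a hidden answer, a DSCL ‘authonly’ check and a unix1 binary in the user’s home) lends itself to a simple correlation rule for process-audit data. The following is an added detection example, not code from the original post; the event format, user name and command lines are constructed to mimic a generic process-start export and are not taken from the sample.

```python
import re

# Constructed sample process records (not from the original post); the format
# mimics a generic process-audit export: one dict per process start.
SAMPLE_EVENTS = [
    {"pid": 501, "ppid": 1, "cmdline": "My Go Application.app",
     "exe": "/Volumes/Tor Browser/Tor Browser.app/Contents/MacOS/My Go Application.app"},
    {"pid": 502, "ppid": 501, "exe": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display dialog "Enter password" default answer "" with hidden answer\''},
    {"pid": 503, "ppid": 501, "exe": "/usr/bin/dscl", "cmdline": "dscl . -authonly alice <redacted>"},
    {"pid": 504, "ppid": 501, "exe": "/Users/alice/unix1", "cmdline": "/Users/alice/unix1"},
    {"pid": 600, "ppid": 1, "exe": "/usr/bin/dscl", "cmdline": "dscl . -read /Users/alice"},  # benign admin use
]

# One rule per behaviour described in the analysis: (indicator name, predicate).
RULES = [
    ("appify_default_binary", lambda e: e["exe"].endswith("/My Go Application.app")),
    ("osascript_password_prompt", lambda e: e["exe"].endswith("/osascript")
        and "display dialog" in e["cmdline"] and "hidden answer" in e["cmdline"]),
    ("dscl_authonly", lambda e: e["exe"].endswith("/dscl") and "-authonly" in e["cmdline"].split()),
    ("unix1_in_user_home", lambda e: re.fullmatch(r"/Users/[^/]+/unix1", e["exe"]) is not None),
]


def match_event(event):
    """Return the indicator names that a single process record triggers."""
    return [name for name, pred in RULES if pred(event)]


def detect(events, min_indicators=2):
    """Group indicators under the process that spawned them.

    A process's own hits count for itself; a child's hits count for its parent
    (one level, matching the flat process tree seen above), so the stealer's root
    process accumulates the whole chain. Only roots with at least `min_indicators`
    distinct indicators are reported, so a lone benign dscl or osascript call
    does not fire on its own.
    """
    by_root = {}
    for e in events:
        hits = match_event(e)
        if not hits:
            continue
        root = e["pid"] if e["ppid"] == 1 else e["ppid"]
        by_root.setdefault(root, set()).update(hits)
    return {pid: sorted(h) for pid, h in by_root.items() if len(h) >= min_indicators}


if __name__ == "__main__":
    for pid, hits in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(hits)}")
```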
This stealer is also advertised on coockie.pro, a site written in Russian.
Figure 18 – coockie.pro has ad about AMOS
The site lists the stealer’s capabilities and explains how to obtain the malware through Telegram.
Figure 19 – AMOS capabilities
It states – “You get access to the Panel and the bot, tell us your Telegram ID and build name [Build ID]. We will give you a build!” – presumably after payment (which is $1000 for 31 days).
Figure 20 – Telegram information on how to get the malware
Threat actors targeting macOS users are increasing every day, so users need to be cautious when executing unknown executables. Users are requested to use a reputable security product such as “K7 Antivirus for Mac” and to keep it updated so as to stay safe from such threats.
You can also find information on these stealers here and here.

IOCs

Hash: 6b74d3c2e48721286697f941864536c0
C2: 94.142.138.177
