The notorious Atomic macOS Stealer (AMOS) infostealer, previously known for its ability to exfiltrate sensitive data from Apple computers, now features a sophisticated backdoor component. This enhancement allows cybercriminals to maintain persistent, remote access to compromised systems, significantly increasing the potential for long-term exploitation.
Persistent Backdoor: A New Level of Threat
Security researchers have observed that the new AMOS variant leverages macOS LaunchDaemons to achieve persistence. By installing itself as a LaunchDaemon, the malware ensures it will automatically execute each time the system boots, making removal more challenging and enabling attackers to re-enter the system at will.
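As an added, defender-side example (not from the article, and not derived from any AMOS sample), the script below parses launchd job plists and flags the persistence traits described above: RunAtLoad, KeepAlive, binaries outside Apple-owned paths, interpreters with inline commands, and references to user-writable locations. The sample plist, its label and its path are constructed placeholders, and the path lists are assumptions for triage, not a complete allow-list.

```python
import plistlib
from typing import Optional

# Heuristic path lists (assumptions for triage): Apple-owned prefixes vs. places any user can write.
TRUSTED = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "/private/var/folders/")
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}

def program_path(job: dict) -> Optional[str]:
    """launchd executes 'Program' if present, otherwise ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None

def assess(job: dict) -> list:
    """Heuristic findings for one parsed launchd job; an empty list means nothing odd."""
    path = program_path(job)
    if path is None:
        return ["no Program or ProgramArguments key"]
    args = job.get("ProgramArguments") or []
    findings = []
    if job.get("RunAtLoad"):
        findings.append("RunAtLoad: starts automatically at boot/login")
    if job.get("KeepAlive"):
        findings.append("KeepAlive: launchd restarts the job if it exits")
    if not path.startswith(TRUSTED):
        findings.append(f"third-party binary, verify its code signature: {path}")
    if path in INTERPRETERS and "-c" in args:
        findings.append("interpreter with inline command: " + " ".join(args))
    for token in [path] + args[1:]:  # any argument pointing into a user-writable directory
        if token.startswith(WRITABLE):
            findings.append(f"references a user-writable location: {token}")
    return findings

def audit_plist_bytes(data: bytes) -> list:
    return assess(plistlib.loads(data))  # handles both XML and binary plists

# Constructed sample with a placeholder label and path; not an AMOS artefact.
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.placeholder</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>/Users/Shared/.hidden/agent</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

if __name__ == "__main__":
    import sys  # usage: python3 audit.py /Library/LaunchDaemons/*.plist  (no args: runs on the sample)
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("sample", SAMPLE_PLIST)]
    for name, data in targets:
        print(name, audit_plist_bytes(data))
```

On a live Mac, point it at /Library/LaunchDaemons and /Library/LaunchAgents (and ~/Library/LaunchAgents for per-user jobs); every flagged third-party binary should then be checked with codesign and compared against the job's install date.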
The backdoor grants attackers the ability to execute arbitrary commands remotely, giving them broad control over the infected machine. This includes installing additional malware, deploying keyloggers, manipulating files, and monitoring user activity—all while operating under the privileges of the logged-in user.
Enhanced Capabilities and Global Impact
The latest version of AMOS introduces several advanced features:
- Victim Tracking: Attackers can now assign unique identifiers to each compromised host, streamlining the management and monitoring of their illicit operations.
- Robust Command-and-Control (C2) Infrastructure: The malware communicates with a newly established C2 infrastructure, enabling real-time interaction and persistent management of infected systems.
- Widespread Distribution: Reports indicate that the backdoored AMOS variant has already impacted users in over 120 countries, with significant concentrations in the United States, France, Italy, the United Kingdom, and Canada.
Distribution and Attack Vectors
AMOS is distributed as a malware-as-a-service (MaaS) offering, available for subscription on underground forums and Telegram channels. This model lowers the barrier to entry for cybercriminals and has contributed to the malware’s rapid proliferation.
Initial infection vectors include:
- Cracked Software and Fake Installers: Many users are lured through unofficial software downloads, which are often bundled with the infostealer.
- Sophisticated Phishing Campaigns: Recent campaigns have targeted cryptocurrency owners and freelancers, using tailored phishing emails and fake job offers to trick victims into installing the malware.
Technical Details
Once installed, AMOS exfiltrates a wide range of data, including browser information, saved passwords, cookies, cryptocurrency wallet files, and detailed system information. The addition of the backdoor transforms the malware from a one-time data theft tool into a platform for ongoing exploitation, mirroring tactics typically associated with advanced persistent threat (APT) groups.
Implications for macOS Users
The emergence of a persistent backdoor in AMOS marks a significant escalation in macOS-targeted threats. Users who have long considered macOS to be relatively secure must now contend with malware capable of maintaining a long-term presence and facilitating continuous attacks.