Atomic Stealer Malware Returns in New Disguises, Targets Mac Users’ Sensitive Data

Atomic Stealer Malware
Fake “File Juicer” and “Debit & Credit” app installers

In the continually evolving landscape of cyber threats, Mac users are facing renewed challenges from an insidious form of malware known as the Atomic Stealer, or AMOS. Originally identified in various stages throughout 2023 and early 2024, this malware is particularly designed to harvest sensitive information from macOS systems, including passwords, cookies, autofill data, and cryptocurrency wallets. The latest findings from Intego’s cybersecurity team have exposed several new variants of AMOS, demonstrating an alarming adaptability and cunning in this malware family.

Fake “File Juicer” and “Debit & Credit” app installers | Image: Intego

Intego’s recent report indicates that AMOS continues to be distributed through the guise of Trojan horses, cleverly mimicking legitimate applications. The malware has recently been found masquerading as popular Mac apps such as File Juicer, Debit & Credit, and the Notion productivity software, as well as the Parallel NFT trading card game. These Trojans are distributed via DMG files that, when mounted, reveal applications which appear legitimate but are designed to deploy the malicious payload once executed.

Fake “Parallel” NFT TCG game | Image: Intego

Deceptive Installers and Fake Applications

  • File Juicer & Debit and Credit Apps: One variant of AMOS presents itself as an installer for File Juicer, an app typically used for extracting files from various document formats. Another mimics Debit & Credit, a personal finance application. Both these fake installers trick users into downloading what they believe are legitimate applications, only to infect their systems with malware.
  • Parallel NFT TCG Game: Given the rising interest in NFTs and blockchain technology, it is unsurprising that AMOS has also taken on the form of a game related to this field. A fake app called “WorldParallel” claims to offer access to a digital trading card game, tapping into the lucrative and often less scrutinized market of digital collectibles.
  • Notion Productivity Software: Notion, widely used for productivity and organization, has once again been impersonated by AMOS. This is not the first time malware developers have leveraged the popularity of Notion to spread AMOS, highlighting the ongoing risk to users who might assume Google Ads are a safe source for downloading software.

The primary infection vector for these new variants of AMOS continues to be malicious Google Ads that link to counterfeit homepages. These ads often appear at the top of search results, misleading users into believing they are accessing legitimate sites. This tactic underscores the effectiveness of search engine poisoning, where threat actors exploit the trust users place in top-ranked search results.

One notable aspect of these new AMOS variants is their method of embedding secondary payloads within the initial dropper application. While some payloads are unobfuscated and easily detectable, others use Base64 encoding in an attempt to evade detection by antivirus programs. This tactic suggests a shift towards more resilient methods of maintaining the malware’s presence on infected systems, even as cybersecurity defenses evolve.

Intego’s insights emphasize the need for users to reconsider their online behaviors, particularly the common practice of relying solely on search engines like Google to find software. Instead, Intego suggests bookmarking and directly visiting trusted sites to avoid falling prey to these sophisticated scams. Additionally, recognizing the characteristics of legitimate downloads and installers can help users identify and steer clear of potential threats.