Atomic Stealer (AMOS) and Xehook Stealer Trending on the Dark Web

esteria.white

A new information stealer has arrived on the dark web. Known as Atomic Stealer (AMOS), this information-stealing malware is being deployed in a phishing campaign associated with the rise of expired-cookie restoration and Xehook Stealer.

Cyble Research and Intelligence Labs (CRIL) recently discovered a campaign in which an updated version of AMOS Stealer was being deployed through deceptive websites masquerading as legitimate Mac applications.

Although it was distributed through Google Ads in the past, the new version of Atomic Stealer is now delivered through websites impersonating Parallels Desktop, CleanMyMac, Arc Browser and Pixelmator.

The Complex World of Atomic Stealer: Recent Updates and Features

Figure: Atomic Stealer (source: Cyble)

The continued evolution of AMOS, marked by frequent updates, highlights the developer’s commitment to refining its features for malicious purposes. The malware has expanded its reach across multiple browsers, allowing it to extract autofill data, passwords, cookies, and financial information from various wallets. Beyond data theft, AMOS is sold with additional services such as a web panel, MetaMask brute forcing, crypto checking, and a DMG installer.

Figure: Atomic Stealer (source: Cyble)

According to CRIL, an important development in the AMOS saga is its new ability to re-enable expired Google Chrome cookies. This is a transformative trend in the information-stealer market, providing malicious actors with a powerful tool for prolonged unauthorized access.

The release of free code on a cybercrime forum for restoring expired cookies has raised concerns among researchers, as it opens the door for threat actors to incorporate this method into their malware payloads.

Figure: Atomic Stealer (source: Cyble)

Xehook Stealer: the quickly adaptable information stealer

Figure: Xehook Stealer (source: Cyble)

On January 20, 2024, Xehook Stealer appeared on a cybercrime forum and integrated the cookie-reactivation feature within 2-3 days. This rapid adaptation by Xehook Stealer highlights a growing trend among infostealers, as threat actors adopt the new cookie method to enhance their malicious capabilities.

The analysis also revealed a potential link between campaigns or threat actors (TAs), as all AMOS stealer payloads share a common command and control (C&C) server, identified as “5.42.65.108.” This C&C server had already been documented in a Malwarebytes report on Atomic Stealer, suggesting a correlation between these malware payloads.

Figure: Xehook Stealer (source: Cyble)

To obtain deeper insights, CRIL conducted a comprehensive technical analysis of AMOS, focusing on its initial infection, system information collection, and browser data extraction. AMOS spreads via deceptive sites such as parallelsdesktop.pro, cleanmymac.pro, arcbrowser.pro and pixelmator.pics.

Figure: Xehook Stealer (source: Cyble)

Technical details of the information stealers

Figure: information stealers (source: Cyble)

The stealer uses a new encryption method to hide the strings in its binary, decrypting and recovering the actual strings dynamically at runtime. Additionally, it uses the system_profiler tool to collect detailed information about the victim’s Mac, including software, hardware and display details.

Figure: information stealers (source: Cyble)

AMOS targets a variety of Chrome-based browsers, including Safari, Chrome, Brave, Edge, Opera, OperaGX and Vivaldi. The malware extracts sensitive data from specific files in the browser profile directories, such as Cookies, Network/Cookies, Login Data, and Web Data. Additionally, it retrieves data from Mozilla Firefox, including information from files such as cookies.sqlite, formhistory.sqlite, key4.db and logins.json.

Figure: information stealers (source: Cyble)

The stealer then extracts information related to crypto wallets, targeting wallets such as Electrum, Binance, Exodus, Atomic and Coinomi. Additionally, it retrieves the password stored under the “Chrome” label in the macOS keychain, specifically targeting the Google Chrome app.
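A defender-side way to turn the behaviour chain described in this section (system_profiler recon, browser database reads, the "Chrome" keychain lookup, contact with the C&C IP, and resolution of the lure domains) into a hunting rule. This is an added example, not code from Cyble or the article; the event schema and SAMPLE_EVENTS are constructed assumptions modelled on generic EDR telemetry, not real captures.

```python
"""Hunting rule for the AMOS behaviour chain described above.
Added example, not code from Cyble or the article. The event schema
(pid/ppid/type/path/dest/label dicts) is an assumption modelled on generic
EDR telemetry; SAMPLE_EVENTS is constructed, not a real capture."""
from collections import defaultdict

# Indicators quoted in the article
C2_IP = "5.42.65.108"
LURE_DOMAINS = {"parallelsdesktop.pro", "cleanmymac.pro",
                "arcbrowser.pro", "pixelmator.pics"}
# Browser artefacts the article lists (Chromium profiles and Firefox)
BROWSER_FILES = ("/Cookies", "/Network/Cookies", "/Login Data", "/Web Data",
                 "cookies.sqlite", "formhistory.sqlite", "key4.db", "logins.json")

def suspicious_stages(events, min_stages=2):
    """Return {pid: stages} for processes hitting at least `min_stages` of:
    recon, browser_theft, keychain, c2, lure. One stage alone is normal
    (a browser reads its own Login Data); the chain is what matters."""
    stages = defaultdict(set)
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "exec" and ev["path"].endswith("/system_profiler"):
            stages[ev["ppid"]].add("recon")      # credit the parent that spawned it
        elif kind == "file_read" and ev["path"].endswith(BROWSER_FILES):
            stages[pid].add("browser_theft")
        elif kind == "keychain" and ev.get("label") == "Chrome":
            stages[pid].add("keychain")
        elif kind == "net" and ev.get("dest") == C2_IP:
            stages[pid].add("c2")
        elif kind == "dns" and ev.get("dest") in LURE_DOMAINS:
            stages[pid].add("lure")
    return {pid: s for pid, s in stages.items() if len(s) >= min_stages}

# Constructed sample telemetry: a fake "Pixelmator" installer (pid 777) next to
# the real Chrome (pid 502), which legitimately reads its own Login Data.
SAMPLE_EVENTS = [
    {"pid": 502, "ppid": 1, "type": "file_read", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"pid": 777, "ppid": 1, "type": "dns", "dest": "pixelmator.pics"},
    {"pid": 777, "ppid": 1, "type": "exec", "path": "/Volumes/Pixelmator/Pixelmator"},
    {"pid": 778, "ppid": 777, "type": "exec", "path": "/usr/sbin/system_profiler"},
    {"pid": 777, "ppid": 1, "type": "file_read", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"pid": 777, "ppid": 1, "type": "file_read", "path": "/Users/alice/Library/Application Support/Firefox/Profiles/x1.default/logins.json"},
    {"pid": 777, "ppid": 1, "type": "keychain", "label": "Chrome"},
    {"pid": 777, "ppid": 1, "type": "net", "dest": "5.42.65.108"},
]
```

Run against SAMPLE_EVENTS, only pid 777 is reported, with all five stages; Chrome's single Login Data read stays below the threshold.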

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only and users take full responsibility for their reliance on it. The Cyber Express assumes no responsibility for the accuracy or consequences of the use of this information.
