Malware for macOS offered on Telegram for $1,000 a month

A new malware for macOS called Atomic macOS Stealer (AMOS) offers a wide range of data-stealing capabilities, targeting passwords, files and other types of information. Researchers at threat intelligence firm Cyble analyzed an AMOS sample that was recently uploaded to VirusTotal and had no detections on the malware analysis platform at the time of its discovery — it was detected by an anti-malware engine.

According to Cyble, the malware, advertised on a Telegram channel, is offered for $1,000 a month. Its author claims that it can steal all Keychain passwords, complete system information and files from compromised computer. It also claims that it can steal passwords, cookies, cryptocurrency wallets and payment card data from browsers such as Chrome, Firefox, Brave, Edge, Vivaldi, Yandex and Opera. Also, it can steal cryptocurrency wallets outside of web browser and browser extensions.

Malware users are provided with a web-based management interface hosted on a .ru domain, and filtered data can also be sent to specific Telegram channels. The malware is delivered as a .dmg file and when first run, displays a fake prompt to trick the victim into handing over the macOS system password.

A Trellix researcher also analyzed the malware and noticed that an IP address used by AMOS may be linked to Raccoon Stealer, malware previously linked to Russian and Ukrainian threat actors.

It’s unclear whether the malware is signed and how much effort is required to bypass macOS security features and run it on a system. In many cases, malware designed to run on macOS may appear to have a lot of features, but actually running it on target systems is no easy feat.