
Mac users who aren’t particularly educated on the realities of cyber crime have, traditionally, had an air of invincibility about them. “Oh, Macs don’t really get viruses,” they’ll say – sitting in a Starbucks, while logged into their work accounts on an unsecured network.
But it’s not true that Macs aren’t vulnerable to hacks. By 2020, research by Malwarebytes suggested that Mac devices were facing twice as many threats as Windows devices. And this year, there’s been a growth in the number of Mac users targeted by malicious ads that are designed to spread the Atomic Stealer (AMOS) malware.
Although the majority of malvertising campaigns continue to target Windows users, a recent report by Malwarebytes found that the AMOS campaign is affecting Mac users too – capitalising on lower vigilance for malicious ad campaigns on Mac and infecting user devices.
AMOS was first advertised on the dark web in April 2023. It’s a stealer for macOS that focuses on crypto assets. It can harvest passwords from web browsers and from the Apple keychain, and includes a file grabber. An updated version of AMOS was released in June this year.
As BHMEA speaker Graham Cluley noted in this blog post, AMOS has also been advertised on a Telegram channel, and its full suite of features can be accessed by criminals for USD $1000 per month. It’s a fresh example of malware that’s written using Golang (Go).
AMOS is most commonly distributed via cracked software downloads. Becoming a victim through cracked software is easy to avoid if users choose to download software from legitimate sources instead.
But criminal users of the malware are also creating decoys of legitimate websites to drive downloads, and distributing ads on popular, trusted search engines – notably, Google – to capture victims. They’re running ads that closely match the ad creative of well-known software brands.
Once downloaded, AMOS includes instructions on how to open it in order to bypass macOS Gatekeeper, and the malware is bundled in an ad-hoc signed app. The signature isn’t backed by an Apple certificate, so it can’t be revoked. Once the payload is executed, it’ll repeatedly prompt the user for their password – and it won’t stop until the victim, in an attempt to end the relentless prompts, types the password in.
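One way to check how a downloaded app is signed before opening it, as an added example that is not part of the original article. It classifies the text that `codesign -dvv` prints; the sample outputs, app names, bundle identifiers and team ID below are constructed for illustration.

```shell
#!/bin/sh
# Classify `codesign -dvv` output read from stdin.
# Prints one of: unsigned | adhoc | developer-id | other
classify_codesign() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'code object is not signed at all'; then
        echo unsigned
    elif printf '%s\n' "$out" | grep -q '^Signature=adhoc$'; then
        echo adhoc
    elif printf '%s\n' "$out" | grep -q '^Authority=Developer ID Application:'; then
        echo developer-id
    else
        echo other
    fi
}

# On a Mac: codesign writes these details to stderr, hence 2>&1.
check_app() {
    codesign -dvv "$1" 2>&1 | classify_codesign
}

# Constructed sample outputs (illustrative; not taken from an AMOS sample).
SAMPLE_ADHOC='Executable=/Volumes/Example/Example.app/Contents/MacOS/Example
Identifier=com.example.installer
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+3 location=embedded
Signature=adhoc
TeamIdentifier=not set'

SAMPLE_DEVID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

SAMPLE_UNSIGNED='/tmp/Example.app: code object is not signed at all'

# Demo on the constructed samples: prints adhoc, developer-id, unsigned.
for s in "$SAMPLE_ADHOC" "$SAMPLE_DEVID" "$SAMPLE_UNSIGNED"; do
    printf '%s\n' "$s" | classify_codesign
done
```

On a Mac, run `check_app /path/to/App.app` on a download before opening it; an `adhoc` or `unsigned` result on software that claims to come from a well-known vendor is a reason to stop.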
The first step is awareness. Mac users can be targeted by malicious advertising, and must be educated about the realities of malware for Mac devices.
The ads for AMOS are really hard to spot – because they imitate trustworthy sources. Concerned Mac users can check the name and location of the ad creator to help determine whether it’s legitimate, and also the creation date of a webpage – with decoy sites usually created very recently.
But malvertising remains an effective targeting strategy, because it abuses the trust users have in search engines and legitimate software brands. It’s easy to be tricked, even for those of us with awareness of these strategies – and it’s common for internet users to download software in a hurry, already under pressure, when they need to perform certain tasks at work.
Remember to check the origins of an ad or website before you hit download. And spread the word: if your employees or colleagues rely on Mac devices, make sure everyone knows they’re not immune.