MacOS Infostealer AMOS Evolves with Backdoor for Persistent Access

by CybrGPT

One of the most active infostealer strains targeting Apple’s operating system for desktops has evolved to become a more dangerous tool, according to Moonlock, a cybersecurity division of MacPaw.

In a recent update, the developers of Atomic macOS Stealer (AMOS) have added an embedded backdoor, delivered alongside the infostealer during an infection.

The backdoor allows attackers deploying AMOS to maintain persistent access to a victim’s Mac, run arbitrary tasks from remote servers and gain extended control over compromised machines.

According to a Moonlock report on July 4, it is only the second known case of backdoor deployment at a global scale targeting macOS users. The other is deployed by North Korean threat actors.

Typical AMOS Attack Chain

Moonlock stated that the threat group behind AMOS is believed to be based in Russia and is known for targeting Apple users with data-stealing malware.

Until now, their stealer mainly focused on data exfiltration from cryptocurrency-related browser extensions and cold wallets.

The delivery process has followed two main paths:

  • Through websites offering cracked or fake software
  • Through spear phishing campaigns targeting high-value individuals like large crypto owners

Spear phishing begins with the delivery of Atomic macOS Stealer during a staged job interview process, typically targeting artists or freelancers. The victim is asked to enter their system password to enable screen sharing. Once executed, the stealer can extract sensitive data such as passwords and seed phrases and install a persistent backdoor that awaits remote commands.

Backdoored AMOS: Significant Escalation in Capability and Intent

The addition of a backdoor to AMOS means that the threat is no longer limited to stolen credentials or documents but extends to complete system compromise on macOS.

In practice, this means that, alongside the AppleScript that remains the primary AMOS payload, the stealer now carries new logic for setting up persistence, which resides in a function called installBot.

Additionally, the overall communication between AMOS payloads and the threat actor’s command-and-control (C2) infrastructure has changed from one-shot data exfiltration to a more complex scheme in which each infected host is assigned a unique identifier.
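A defender-side check for the persistence behaviour described above, as an added example that is not from the article or from Moonlock's report: it audits launchd property lists of the kind found in the LaunchAgents and LaunchDaemons directories and flags traits consistent with a user-installed implant that waits for remote commands (hidden dot-paths, temp-directory binaries, RunAtLoad plus KeepAlive, osascript or curl in the command line). The heuristics, the directory list, and the two embedded sample plists are assumptions, not published AMOS indicators.

```python
# Added example (not from the article or Moonlock): heuristics and samples
# below are assumptions, not published AMOS indicators.
import plistlib
import re
from pathlib import Path

# Directories a vendor-installed agent rarely runs from (assumption).
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
HIDDEN_PATH = re.compile(r"/\.[A-Za-z0-9_]")  # a dot-directory or dot-file in a path

def audit_plist(data: bytes) -> list[str]:
    """Return the reasons a launchd plist looks like an implant (empty = clean)."""
    plist = plistlib.loads(data)
    tokens = plist.get("ProgramArguments") or [plist.get("Program", "")]
    if not tokens[0]:
        return ["no Program/ProgramArguments"]
    reasons = []
    if any(t.startswith(TEMP_PREFIXES) for t in tokens):
        reasons.append("runs from a temp or shared directory")
    if any(HIDDEN_PATH.search(t) for t in tokens):
        reasons.append("command line references a hidden (dot) path")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: restarted whenever it exits")
    if any(Path(t).name in ("osascript", "curl") for t in tokens):
        reasons.append("invokes osascript or curl (scripted/downloader behaviour)")
    return reasons

def audit_dir(directory: str) -> dict[str, list[str]]:
    """Audit every .plist under a LaunchAgents/LaunchDaemons directory."""
    results = {}
    for path in Path(directory).glob("*.plist"):
        reasons = audit_plist(path.read_bytes())
        if reasons:
            results[path.name] = reasons
    return results

# Constructed samples for an offline run; labels and paths are made up.
BENIGN = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SUSPECT = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/usr/bin/osascript</string>
<string>/Users/alice/.helper/.agent.scpt</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, audit_plist(blob) or ["clean"])
```

On a live system, run `audit_dir` over `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons` and review every flagged entry by hand; the heuristics are a triage aid, not a verdict.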

“The upgrade to AMOS represents a significant escalation in both capability and intent, whether the changes were made by the original malware authors or by someone else modifying the code,” the Moonlock researchers wrote.

Following the North Korean Playbook

However, Moonlock found that the functionalities of the latest backdoored AMOS implant are still limited compared to those developed by North Korean hackers, which use a dozen C2 commands to perform multiple tasks on the infected device.

These actors utilize backdoors for a range of tasks, such as long-term surveillance, re-infection and broader exploitation opportunities, including keylogging.

The researchers assessed that the AMOS developers will likely work on new features.

This was confirmed to the researchers by an anonymous cyber threat researcher known as @g0njxa on social media, who shared internal chats showing that the group behind AMOS was working on adding keylogging functionalities.

“The addition of a backdoor to the Atomic macOS Stealer marks a pivotal shift in one of the most active macOS threats. What was once a smash-and-grab data theft tool is now evolving into a platform for persistent access to a victim’s Mac,” the Moonlock researchers concluded.


© 2025 cybrgpt.com – All rights reserved.