BleepingComputer reports the emergence of the Atomic macOS information-stealing malware, also known as AMOS, which could facilitate the theft of macOS passwords, browser-stored information, file system data, Keychain passwords, and data from more than 50 cryptocurrency extensions for a monthly subscription of $1,000.
Aside from offering a web panel for victim management, threat actors behind AMOS have also been providing a cryptocurrency checker, a dmg installer, a MetaMask brute-forcer, and stolen log delivery via Telegram for the subscription, according to findings from Cyble Labs and a Trellix researcher.
Executing the dmg file would trigger a phony password prompt seeking the system password in a bid to secure elevated privileges, which will then be followed by the extraction of the Keychain password and the later exfiltration of data from desktop cryptocurrency wallets, crypto wallet extensions, web browsers, and system information.
Direct theft of files in the "Desktop" and "Documents" directories is also enabled by AMOS provided attackers have access permissions, with the stolen files compiled in a ZIP file that is then sent to the command-and-control server of the threat actors.
AMOS's C2 server and build name were also found by the Trellix researcher to have also been used by the Raccoon Stealer, indicating a possible association between the two info-stealers.