A data-stealing-as-a-service toolkit called Atomic macOS Stealer (AMOS) has been found advertised on an underground Telegram channel. The toolkit was built specifically to target Mac users and can steal passwords, files, comprehensive system information, and secret data from eight different browsers and dozens of cryptowallets. The malware comes with an online AMOS cloud portal and a feature to send stolen data directly to a Telegram account. The crooks claim to have a beautiful DMG installer to improve the likelihood that victims will install the software. The malware costs $1000 a month.
To access the macOS Keychain, the malware lures users into giving away their account password by popping up a dialog with the title “System Preferences” and claiming that macOS itself “wants to access System Preferences”. Users should be aware that the popup belongs to the malware app itself, which is simply called “Setup”. Password dialogs requested by the System Preferences app itself appear as an integral part of the Preferences application window.
Mac users should not be complacent about cybersecurity: they should stick to reputable download sites, should not be fooled by the appearance of an app, and should consider running real-time malware blocking tools. Sophos products detect and block the malware under the name OSX/InfoStl-CP.