New Malvertising Campaign Delivers Atomic macOS Stealer Malware


VTA-004463 – New Malvertising Campaign Delivers Atomic macOS Stealer Malware

Recently, a malvertising campaign emerged targeting both Windows and Mac users, featuring an updated version of the Atomic Stealer (AMOS) for Mac. Initially introduced in April 2023, AMOS is designed to steal crypto assets and passwords from browsers and Apple’s keychain. The developer continually updates the toolkit, and it has been distributed through cracked software downloads and fake websites or search engine ads.

One specific campaign focused on TradingView, a popular platform for tracking financial markets. The threat actors ran Google ads impersonating well-known brands to lure victims. The TradingView ad used special font characters so that the displayed URL mimicked the real domain and slipped past Google’s ad quality checks.

Upon clicking the ad, users were redirected to a phishing page at trabingviews[.]com, which looked authentic but had only recently been registered. The Windows and Linux download buttons on the page pointed to an MSIX installer hosted on Discord that dropped the NetSupport RAT. The Mac download was hosted separately. Once victims opened the downloaded file (TradingView.dmg), they were instructed to bypass Gatekeeper and were then prompted for their password in a never-ending loop. The malware’s goal was to steal data and send it to the attacker’s server.
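The lookalike-domain trick described above (an ad or page whose host visually mimics the real brand) is the part of this campaign that a defender can screen for mechanically, for example in a proxy log or an ad-landing-page review. The script below is an added example and is not code from this advisory or from the Malwarebytes write-up. It defangs an indicator, builds a confusable-insensitive "skeleton" of the host using a small hand-written subset of the Unicode confusables table (an assumption here, not the full table), and classifies the host against a constructed watch-list as legitimate, homoglyph, typosquat, brand-embedded or unknown. The domain trabingviews[.]com from the write-up is used as sample input.

```python
"""Lookalike-domain triage against a brand watch-list (added example)."""
import unicodedata

# Constructed watch-list of brand domains to protect.
PROTECTED_DOMAINS = ["tradingview.com"]

# Hypothetical subset of confusable characters mapped to their ASCII lookalike.
# The real Unicode confusables table (UTS #39) is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic c y x i
    "\u0131": "i", "\u0261": "g", "\u0475": "v",                  # dotless i, script g, izhitsa
    "0": "o", "1": "l", "|": "l",
}
MULTI_CHAR = (("vv", "w"), ("rn", "m"))  # two-letter sequences that read as one letter


def defang(indicator: str) -> str:
    """Turn an IoC such as 'hxxps://www.trabingviews[.]com/x.dmg' into a bare host."""
    host = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    for prefix in ("hxxps://", "hxxp://", "https://", "http://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    host = host.split("/", 1)[0]
    if host.startswith("xn--") or ".xn--" in host:  # punycode -> Unicode so homoglyphs are visible
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return host[4:] if host.startswith("www.") else host


def skeleton(host: str) -> str:
    """Confusable-insensitive form of a host: NFKC, strip accents, map lookalikes."""
    text = unicodedata.normalize("NFKC", host)
    text = "".join(ch for ch in unicodedata.normalize("NFD", text) if not unicodedata.combining(ch))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, repl in MULTI_CHAR:
        text = text.replace(seq, repl)
    return text


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values mean a one- or two-keystroke typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str, protected=PROTECTED_DOMAINS, max_edits: int = 2) -> dict:
    """Return a verdict dict for one indicator against the protected brand list."""
    host = defang(indicator)
    skel = skeleton(host)
    for brand in protected:
        if host == brand:
            return {"host": host, "verdict": "legitimate", "brand": brand}
        if skel == skeleton(brand):
            return {"host": host, "verdict": "homoglyph", "brand": brand}
        # Compare the registrable label without its TLD so brand.net-style swaps are caught too.
        host_label = skel.rsplit(".", 1)[0]
        brand_label = brand.rsplit(".", 1)[0]
        if brand_label in host_label:
            return {"host": host, "verdict": "brand-embedded", "brand": brand}
        if levenshtein(host_label, brand_label) <= max_edits:
            return {"host": host, "verdict": "typosquat", "brand": brand}
    return {"host": host, "verdict": "unknown", "brand": None}


if __name__ == "__main__":
    # Constructed sample indicators; the first is the domain named in the write-up.
    for sample in ("trabingviews[.]com", "tr\u0430dingvi\u0435w.com",
                   "tradingview-app.net", "tradingview.com", "example.org"):
        print(classify(sample))
```

In practice the watch-list would hold every brand the organisation owns or its users routinely visit, and the skeleton step is what catches the "special font character" variant the advisory describes; plain string comparison or edit distance alone misses a host that differs only in Unicode code points.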

Malvertising remains an effective way to reach victims who trust search engine results. Mac malware like AMOS is detected less often than Windows malware, and its developer advertises its evasion capabilities.

Severity:
Medium

Technical Impact Analysis
Loss of Accountability, Loss of Availability

Attack Surfaces:
Web Application, Web Browser

Tactics:
Initial Access, Execution, Defense Evasion, Privilege Escalation, Persistence, Collection

Techniques:
T1192 – Spearphishing Link
T1566 – Phishing
T1204 – User Execution
T1564.001 – Hide Artifacts
T1547 – Boot or Logon Autostart Execution
T1027 – Obfuscated Files or Information
T1112 – Modify System Image
T1113 – Screen Capture

Indicators of Compromise:
https://otx.alienvault.com/pulse/64fab7034e625e6d13320732

References:
https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising

SuperPRO’s Threat Countermeasures Procedures:
1. Verify the origin of any new program before downloading it, especially if it’s from an unknown source or from ads.
2. Visit official websites directly instead of clicking on links or ads that could be malicious.
3. Use antivirus software with real-time protection to detect and prevent malware infections.
4. Regularly scan your device with antivirus software to detect and remove any malware infections.
5. Keep your operating system and software up to date with the latest security patches to prevent vulnerabilities that could be exploited by malware.
6. Use strong and unique passwords for all accounts and enable two-factor authentication whenever possible to protect against password theft.
7. Regularly back up important files to an external hard drive or cloud storage service to prevent data loss in case of a malware infection.
8. If you suspect that your device has been infected with malware, disconnect it from the internet and seek professional help to remove the malware and recover any lost data.

Contributed by: Narzwan