Close Menu
Cybercrime and Ransomware

Atomic macOS Stealer Campaign Targets Hundreds

Staff WriterBy No Comments4 Mins Read3 Views

Top Highlights

  1. CrowdStrike warns of increased attacks on macOS using a variant of the Atomic macOS Stealer (AMOS), dubbed SHAMOS, via malvertising campaigns.
  2. The campaigns, operated by the Cookie Spider group, targeted users seeking macOS help and compromised systems by executing malicious commands that download and run malware.
  3. SHAMOS malware specializes in credential theft, data exfiltration, and can also download payloads including botnet modules and fake cryptocurrency wallet applications.
  4. The attacks, primarily focused on countries like Canada, China, and the US, involved impersonation of legitimate businesses and leveraged one-line malicious commands to bypass macOS security features.

Underlying Problem

CrowdStrike has issued a warning about a surge in cyberattacks targeting macOS users with a sophisticated variant of the Atomic macOS Stealer (AMOS), called SHAMOS. This malicious campaign, active between June and August, was orchestrated by the cybercrime group Cookie Spider, known for operating the AMOS malware-as-a-service platform. The group employed malicious advertising—malvertising—to lure victims searching for solutions to common Mac issues, redirecting them to fraudulent websites that tricked users into executing harmful commands. These commands triggered scripts from remote servers, which covertly collected passwords, Keychain data, browser secrets, and cryptocurrency wallet information, then exfiltrated this sensitive data. SHAMOS enhances its stealth by incorporating anti-virtual machine checks and can perform system reconnaissance, download additional payloads like botnets, and even mimic legitimate applications such as Ledger Live to further deceive victims.

The attack targeted users across multiple countries—including Canada, China, Colombia, Italy, Japan, Mexico, the US, and the UK—while notably avoiding Russian audiences. CrowdStrike’s investigation suggests that the perpetrators impersonated a reputable Australian electronics retailer in their Google advertising efforts, showcasing how eCrime actors favor quick, one-line commands to bypass macOS security measures like Gatekeeper. This approach allows them to directly execute malicious Mach-O executable files, making the malware difficult to detect and remove. The campaign highlights the ongoing threat posed by sophisticated, well-coordinated social engineering and malware deployment tactics aimed at Mac users worldwide.

Risk Summary

CrowdStrike has issued a warning about a surge in cyberattacks targeting macOS users through a variant of the notorious Atomic macOS Stealer (AMOS), dubbed SHAMOS. Conducted by the Cookie Spider group, the campaign employed malicious advertising to lure users searching for common Mac troubleshooting solutions, leading them to fake websites where they were coaxed into executing harmful commands. These commands downloaded scripts that stole passwords and sensitive data, including Keychain, browser info, cryptocurrency wallets, and more, subsequently exfiltrating this information to remote servers in ZIP archives. SHAMOS also features anti-VM mechanisms to evade sandbox detection and can deploy additional payloads like botnet modules and fake wallet apps, escalating the threat landscape. Targeting multiple countries — notably excluding Russia — the campaign exemplifies how cybercriminals exploit legitimate-looking online ads and one-line commands to bypass security measures like Gatekeeper, highlighting a significant and evolving risk to both individual users and organizations reliant on macOS platforms.

Possible Next Steps

Timely remediation in the face of widespread threats like the "Hundreds Targeted in New Atomic macOS Stealer Campaign" is crucial to prevent extensive data loss, maintain organizational trust, and reduce potential financial and reputational damage. Acting swiftly ensures vulnerabilities are addressed before they can facilitate further exploitation or compromise.

Mitigation Strategies:

  • Update Software
  • Deploy Antivirus/Malware Tools
  • Block Malicious Domains
  • Educate Users

Remediation Actions:

  • Remove Infected Files
  • Restore from Backup
  • Conduct Security Audit
  • Strengthen Endpoint Security

Continue Your Cyber Journey

Explore career growth and education via Careers & Learning, or dive into Compliance essentials.

Explore engineering-led approaches to digital security at IEEE Cybersecurity.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.