Cybersecurity researchers have identified an updated version of a macOS information stealer called Atomic (or AMOS), indicating that the threat actors behind the malware are actively enhancing its capabilities.
"It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules," Malwarebytes' Jérôme Segura said in a Wednesday report.
Atomic Stealer first emerged in April 2023 for a monthly subscription of $1,000. It's capable of harvesting sensitive information from a compromised host, including Keychain passwords, session cookies, files, crypto wallets, system metadata, and the machine's password via a fake prompt.
Malwarebytes' latest analysis shows that Atomic Stealer is now being sold for a hefty $3,000/month rental fee, with the actors running a promotion coinciding with Christmas, offering the malware for a discounted price of $2,000.
Besides incorporating encryption to thwart detection by security software, campaigns distributing Atomic Stealer have undergone a slight shift, wherein Google search ads impersonating Slack are used as conduits to deploy Atomic Stealer or a malware loader called EugenLoader (aka FakeBat) depending on the operating system.
It's worth noting that a malvertising campaign spotted in September 2023 leveraged a fraudulent site for the TradingView charting platform to deliver NetSupport RAT, if visited from Windows, and Atomic Stealer, if the operating system is macOS.
The rogue Slack disk image (DMG) file, upon opening, prompts the victim to enter their system password, thereby allowing threat actors to gather sensitive information that are access-restricted. Another crucial aspect of the new version is the use of obfuscation to conceal the command-and-control server that receives the stolen information.
"As stealers continue to be a top threat for Mac users, it is important to download software from trusted locations," Segura said. "Malicious ads and decoy sites can be very misleading though and it only takes a single mistake (entering your password) for the malware to collect and exfiltrate your data."