Password-Stealing MacOS KeyChain Malware Spotted for Sale on Telegram

A new macOS malware that can steal sensitive data such as passwords and files was advertised on a Telegram channel for $1,000 per month, MacRumors reports(Opens in a new window).

Found on Telegram by cybersecurity intelligence group Cyble Research(Opens in a new window), the Atomic macOS Stealer (AMOS) is specifically designed to target macOS and steal sensitive information.

As MacRumors notes, the malware, which was being sold on the encrypted messaging app for $1,000 per month, is able to gain access to keychain passwords, system information, files from the desktop and documents folder, and a Mac’s password.

AMOS can additionally hack into Chrome and Firefox apps, and steal autofill information such as passwords, wallets, and credit card information.  

The malware can be bought together with a panel feature that is designed to help manage malware targets. It also comes with tools for brute-forcing private keys.

According to MacRumors, the malware designer has been busy adding new functionalities to it, with the most recent update on April 25. 

AMOS malware requires a user to click on a .dmg file in order to begin installing, after which it immediately starts accessing passwords, autofill information, and other sensitive data, and transferring it to a remote server. In order to attain access to the system password, AMOS triggers a fake system prompt.

AMOS is also known to target crypto wallets such as Electrum, Binance, Exodus, Atomic, and Coinomi. 

Cyble Research advises users to avoid installing software outside the Mac App Store, and to use strong passwords and multi-factor as well as biometric authentication on their Macs.

Cyble also advises users to avoid opening links in emails, to be cautious whenever an app asks for permissions, and to ensure that apps, operating systems, and devices are all up to date with the latest security updates.