An updated version of macOS stealer malware called Atomic Stealer (or AMOS) is being distributed through a new malvertising campaign. The authors of the program appear to be actively maintaining and updating malware. 

When the creators of AMOS found a way to advertise this tool for $1,000 per month in the spring of 2023, they claimed that it would allow the theft of a wide range of data. It was not long after that that the wild was inundated with new variants of malware that were armed with a large number of new spying features, targeting gamers and cryptocurrency investors. 

According to the malware's authors, the malware can be used to steal keychain passwords, browser information, cryptocurrency wallets, and other files from a compromised device, among other things.  The company recently observed that although AMOS was originally distributed through cracked software downloads, it has now been discovered to have been delivered through a malvertising campaign, according to Malwarebytes. 

An unknown entity in Belarus appears to have hacked into a Google advertiser account and used it to advertise the TradingView financial market tracking app through a fake website for a real financial market tracking app. It has been reported that cybercriminals are increasingly deploying data-stealing malware against Apple computers in order to steal confidential information. 

Cybersecurity company SentinelOne reported Wednesday that it spotted a new version of one of the macOS infostealers, Atomic Stealer. The new version of Atomic Stealer is the third version of the malware that works on macOS in a variety of ways. 

According to SentinelOne, the latest version is really going after gaming and cryptocurrency users with a particular focus on the data that it's trying to obtain, which has not been described before in any detail. This infostealer, which is also known as the Atomic Stealer, or AMOS for short, was first described as macOS-based malware that focuses initially on cryptocurrencies, passwords, and important files that are encrypted. 

Throughout its evolution, it has become capable of grabbing more information and targeting a wider range of operating systems. As a result of such an advertisement, a user is directed to a site that offers a number of download options for NetSupport RAT for various operating systems, and while both the Windows and Linux download links direct users to download an MSIX installer that will install the NetSupport RAT on their computers. 

In a Malwarebytes report, clicking the macOS download link causes an Atomic Stealer to be downloaded and it attempts to exfiltrate data stored in iCloud Keychains, browsers, and user files. Several security experts have touted the new infostealer as having evasion capabilities to beat Gatekeeper protections, and this comes in the wake of increasing numbers of Mac OS X-targeted infostealer attacks. 

The criminals who purchase the toolkit are mainly distributing it via cracked software downloads, but they take the liberty to impersonate legitimate websites and to use advertising on search engines like Google to make their victims fall for their schemes. This attack attempts to bypass the Gatekeeper security mechanism in macOS in order to be able to exfiltrate the stolen data to a server under the attacker's control by bypassing Gatekeeper protections. 

As Mac OS continues to become a popular target for malware attacks, a number of new data-stealing apps targeting Mac OS have appeared for sale in crimeware forums over the past couple of months to take advantage of the wide availability of Apple systems in organizations as a target of malware attacks. When looking to download a new program, users are likely to turn to Google and run a search for the particular program that they require. 

As a result, threat actors are purchasing ads matching well-known brands and are tricking victims into visiting their site with the false impression that it is the official website of that brand. There are instructions in the downloaded file on how to open it so that it can bypass GateKeeper, Apple's built-in security system, to bypass the security lock. 

Further, according to the researchers, the malware is embedded in ad-hoc signed applications, which means that the revocation of the certificates used to sign the apps is not possible since they are not Apple certificates. The moment the victim runs the program, it immediately sends the stolen data to the attacker's C2 servers as soon as the data is stolen.

Passwords, information about users, wallets, cookies, keychains, and browser auto-fills are just some of the things that Atomic Stealer steals from users.  As a precautionary measure, Malwarebytes recommends that users check that any program they run on an endpoint is properly signed before running it. 

A further step that should be taken is to analyze the website from which the program was downloaded since it is possible that the address of the website has been typographical. In addition, it is possible that the content of the website reveals a scam.  

There has been increasing evidence that Google Ads are being used by spammers to spread rogue installers to victims looking for popular software, either legitimate or cracked, on search engines. The bogus Google Ads are shown to users searching for software on search engines that aren't securing legitimate software. 

An online campaign targeting the TradingView software was launched recently, featuring a fraudulent web page featuring a prominently displayed button for downloading the software for Windows, macOS, and Linux operating systems. 

The Stroz Friedberg Incident Response Services of Aon said last month that new versions of DarkGate have been used in attacks launched by threats employing tactics similar to Scattered Spider, which is a threat response technique used by cybercriminals.