SecureMac, Inc.

Atomic Stealer Mac malware: New malware for macOS

May 8, 2023


Security researchers have found new malware for macOS: Atomic Stealer Mac malware. Read on to learn what it is, how it infects a Mac, and how to stay safe.

Atomic Stealer malware: capabilities and variants

Atomic Stealer was discovered by Cyble Research and Intelligence Labs. The security researchers found the malware advertised on a channel on the Telegram chat app. Cyble’s full write-up of the malware was published in a company blog post and is worth reading for folks interested in more technical detail. For the highlights-only version, here is what you should know about Atomic Stealer:

  • The malware is primarily an information stealer. According to Cyble, it can steal “keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password.” 
  • Atomic Stealer also steals browser data. Cyble says the malware can extract auto-fill information, passwords, cookies, and credit card information.
  • The malware also targets cryptocurrency-related data—specifically, “crypto wallets such as Electrum, Binance, Exodus, Atomic, and Coinomi.”
  • Atomic Stealer’s authors are selling a SaaS-like suite of capabilities, offering a web dashboard, brute-force cracking tools, installers, and more for $1000 per month.
  • The malware appears to be under ongoing development. Cyble’s researchers say that they have observed new features being added. A second variant of Atomic Stealer was recently discovered and analyzed in a blog post by malware researcher Phil Stokes of SentinelOne.

How Atomic Stealer infects a Mac

The researchers who discovered Atomic Stealer say it is spread with a malicious .dmg file. Stokes says that Atomic Stealer samples have been observed “masquerading as installers for legitimate applications like the Tor Browser or pretending to offer users cracked versions of popular software including Photoshop CC, Notion, Microsoft Office and others.”

If a user executes the malicious .dmg, they will see a password prompt that attempts to obtain the system password. The malware then begins stealing and exfiltrating the various data types described above.

Information-stealing malware like Atomic Stealer is somewhat unsophisticated. But it is still a threat to be taken seriously. While infostealers like Atomic Stealer don’t necessarily use advanced privilege escalation techniques or long-term persistence mechanisms, the effect of a successful execution can devastate a victim: stolen passwords, breached accounts, lost financial data, and cryptocurrency theft. Israel Torres, Principal Malware Research Engineer at SecureMac, puts it this way:

“In the malware world, it is often easier to just try and do all the things you can get away with instead of asking for special permissions… it’s just sometimes easier (if not lazier) to pull the trigger to straight out just trick the user and exfiltrate all you can before the banhammer comes falling down. If it works, why complicate it?”

How to protect yourself from macOS information stealers

To stay safe from information-stealing Mac malware like Atomic Stealer, follow these security tips:

  1. Only download applications from trustworthy sources: the Mac App Store or the website of a developer you know and trust.
  2. Avoid pirated or “cracked” software. These are frequently used to spread Mac trojans. A free, safe, open-source alternative to the software you need is usually available.
  3. Create strong, unique passwords for all accounts and apps to defend against brute-force techniques. Don’t use passwords that a machine can easily guess in a few hours…or seconds. 
  4. Protect accounts with two-factor authentication. 2FA can protect you from an account breach if a password is lost.
  5. Use a robust malware detection tool on your Mac. If you inadvertently download a malicious app, it can help keep you safe. 
