Advertisements

ATOMIC Stealer disguise for a hacked version of Evernote: Analysis MacOS attacks

Research Center Ahnlab Security Intelligence Center (Asec) revealed the spread of the malicious program Atomic Stealer, disguised as the hacking version of Evernote. Atomic Stealer is an information, aimed at MacOS. He steals information from browsers, Key ligaments, cryptocurrencs and system data. It usually spreads through installation files of formats .pkg and .dmg.

Website, distributing malicious software

When the user switch to the site, distributing malicious software, The screen is displayed with a proposal to download the installation file of a hacked program. The site analyzes the USERAGENT browser, To determine the user's operating system. If it is MacOS, The user redirects to the Atomic Stealer installation page. If Windows - on the installation page of another malicious software - LummaC2.

Install.sh sets malicious

At MacOS, attackers ask the user to manually execute commands in the terminal. The performed shell script loads and launches Atomic Stealer. Probably, This method is used to go around protection GateKeeper, which warns when launching files downloaded from outside.

Screen after launching the DMG file

If the file is distributed in format .dmg, After it is opened, a window appears with a request to start the installer and press the button Open, which activates the launch of the malicious program.

Logic for verification of the virtual environment

Atomic Stealer collects system information using commands system_profiler and SPMemoryDataType, and then checks the presence of lines QEMU or VMware In metadata, to determine, Is the program working in a virtual environment. If a virtual machine is detected, the execution is stopped.

Password collection
Window with a request for a system password


The program displays a fake window, Stylized for legitimate, and requests the system password. The entered password is checked using the command dscl . authonly And persists.

Data transfer to C2 server

Further, Atomic Stealer performs Applescript using OSA Script to circumvent the file system and theft of confidential data. He creates a subcatalogue in /tmp and collects data from browsers, systems, Notes, Key ligaments, Telegram and cryptocurrency wallets. The collected information is archivated to the file out.zip team ditto, sent to the server of attackers through a post-call using curl, and then the malicious file deleys itself.


Conclusion.

Atomic Stealer is actively distributed under the guise of hacked programs or through the Google advertising platform. Users should avoid installing programs from unverified sources and upload applications only from official sites.

Source


Discover more from VirusNet

Subscribe to get the latest posts sent to your email.