Threat Advisory

Amos Stealer Targets macOS Users

Threat: Malware
Targeted Region: Global
Targeted Sector: Technology & IT, Finance & Banking
Criticality: High

EXECUTIVE SUMMARY
Amos Stealer (also tracked as Atomic macOS Stealer, or AMOS) is a macOS information stealer that harvests system credentials, browser data and cryptocurrency wallet material. It is typically distributed as a .dmg disk image posing as a legitimate installer. Once the user runs it, it captures the login password through a fake prompt, reads keychain data, and pulls cookies, saved logins and autofill entries from browsers including Chrome, Edge and Firefox, along with wallet data from desktop wallets and browser extensions. The malware is sold as a service on underground platforms, bundled with a web panel for managing victims and additional attack tooling. It exploits no macOS vulnerability: its access rests entirely on social engineering and deceptive prompts, which is what makes it effective against otherwise patched systems.

Written in Go, Amos uses several evasion techniques to get past security controls. It displays a fake system password prompt (an AppleScript dialog shown through osascript) to coax the user into typing their login password, then gathers system information and searches the disk for sensitive files. It specifically targets desktop wallets such as Exodus, Electrum and Coinomi, and browser wallet extensions such as Jaxx Liberty and MetaMask. Stolen data is copied and packaged into a zip archive with the built-in ditto command before being sent to a command-and-control server. The captured login password is what lets it read keychain items, and the wallet material it takes is directly monetizable, so a single infection carries a high impact.
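The behaviours above (an osascript password dialog, keychain and wallet file reads, ditto zipping into a temp directory, then an outbound POST) are more durable detection material than file hashes. The following Python is an added example, not code from the advisory or from any vendor product: it runs simple behavioural rules over constructed process, file and network events and correlates them per process tree. The event schema, the sample events, the staging directories and the wallet file locations are assumptions made for the example; a real EDR will name and shape its telemetry differently.

```python
import os
import shlex
from collections import defaultdict

# Constructed sample telemetry (not real captures). The schema is an assumption
# for this example, loosely modelled on EDR process/file/network events.
EVENTS = [
    {"type": "process", "pid": 801, "ppid": 1,
     "cmd": "/Volumes/Setup/Setup.app/Contents/MacOS/Setup"},
    {"type": "process", "pid": 802, "ppid": 801,
     "cmd": "osascript -e 'display dialog \"Required Application Helper. Please enter "
            "password to continue.\" default answer \"\" with icon caution with hidden answer'"},
    {"type": "file", "pid": 801, "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "file", "pid": 801,
     "path": "/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco"},
    {"type": "file", "pid": 801, "path": "/Users/alice/.electrum/wallets/default_wallet"},
    {"type": "process", "pid": 803, "ppid": 801,
     "cmd": "ditto -c -k /var/folders/zz/T/out /var/folders/zz/T/out.zip"},
    {"type": "network", "pid": 801, "dst": "203.0.113.5:80", "method": "POST"},
    # Benign: a user zipping a folder to the Desktop must not fire the staging rule.
    {"type": "process", "pid": 900, "ppid": 650,
     "cmd": "ditto -c -k /Users/alice/Documents/taxes /Users/alice/Desktop/taxes.zip"},
]

# Wallets the advisory names (Exodus, Electrum, Coinomi); the exact on-disk
# locations are assumptions for this example.
WALLET_MARKERS = ("/Library/Application Support/Exodus/", "/.electrum/",
                  "/Library/Application Support/Coinomi/")
KEYCHAIN_MARKER = "/Library/Keychains/"
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/")

def is_fake_password_prompt(cmd):
    """T1059: an osascript 'display dialog' asking for a password with hidden
    input. Genuine macOS credential requests go through the system
    authorization dialog, not an AppleScript text box from a third-party binary."""
    low = cmd.lower()
    return ("osascript" in low and "display dialog" in low
            and "hidden answer" in low and "password" in low)

def is_archive_staging(cmd):
    """T1005: 'ditto -c -k' creating a zip inside a temp directory, the packaging
    step the advisory describes. Zips written elsewhere are left alone."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return False
    if not argv or os.path.basename(argv[0]) != "ditto":
        return False
    flags = {a for a in argv[1:] if a.startswith("-")}
    positional = [a for a in argv[1:] if not a.startswith("-")]
    creates_zip = {"-c", "-k"} <= flags or "-ck" in flags or "-kc" in flags
    if not creates_zip or len(positional) < 2:
        return False
    return positional[-1].endswith(".zip") and positional[-1].startswith(STAGING_DIRS)

def verdict(indicators):
    """Any single indicator is weak; the chain fake prompt -> keychain/wallet
    read -> zip staging -> outbound POST (T1041) is the AMOS pattern."""
    chain = {"fake_password_prompt", "archive_staging", "outbound_post"}
    if chain <= indicators and indicators & {"keychain_read", "wallet_read"}:
        return "high"
    if "fake_password_prompt" in indicators or len(indicators) >= 2:
        return "medium"
    return "low"

def _root_pid(pid, parent):
    """Attribute children (osascript, ditto) to the ancestor that spawned them,
    as far as the telemetry shows the tree."""
    seen = set()
    while pid in parent and parent[pid] in parent and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
    return pid

def analyze(events):
    """Return {root_pid: {"indicators": set, "verdict": str}} for every
    process tree that produced at least one indicator."""
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    found = defaultdict(set)
    for e in events:
        root = _root_pid(e["pid"], parent)
        if e["type"] == "process":
            if is_fake_password_prompt(e["cmd"]):
                found[root].add("fake_password_prompt")
            if is_archive_staging(e["cmd"]):
                found[root].add("archive_staging")
        elif e["type"] == "file":
            if KEYCHAIN_MARKER in e["path"]:
                found[root].add("keychain_read")
            if any(m in e["path"] for m in WALLET_MARKERS):
                found[root].add("wallet_read")
        elif e["type"] == "network" and e.get("method") == "POST":
            found[root].add("outbound_post")
    return {r: {"indicators": i, "verdict": verdict(i)} for r, i in found.items()}

if __name__ == "__main__":
    for root, r in analyze(EVENTS).items():
        print(root, r["verdict"], sorted(r["indicators"]))
```

Run stand-alone, it reports only process tree 801 with verdict "high"; the user's own ditto to the Desktop produces no indicator at all. The correlation step matters: each rule alone is noisy (scripts do show dialogs, people do zip files), but the ordered combination within one process tree is what distinguishes the stealer from ordinary activity.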

The rise of Amos Stealer shows that macOS, traditionally seen as the safer platform, is now squarely in scope for commodity infostealers. Users should download software only from vendors' own sites or the App Store, treat any password dialog that appears right after opening a fresh download as suspect (a legitimate installer asks through the system authorization prompt, never a plain text box), and keep their security software up to date. Defenders should keep monitoring such threats, sharing indicators, and improving detection of the behaviours involved rather than relying on file hashes alone. Collaboration between researchers, security vendors and end users remains crucial to mitigating the risk and preventing data breaches.

THREAT PROFILE:

Tactic                 Technique ID   Technique
Initial Access         T1204          User Execution
Execution              T1059          Command and Scripting Interpreter
Persistence            T1543          Create or Modify System Process
Privilege Escalation   T1548          Abuse Elevation Control Mechanism
Defense Evasion        T1027          Obfuscated Files or Information
Credential Access      T1003          OS Credential Dumping
Discovery              T1082          System Information Discovery
Collection             T1005          Data from Local System
Exfiltration           T1041          Exfiltration Over C2 Channel
