Introduction: A Rising Danger for macOS Users
A new version of the Atomic macOS info-stealer, also known as ‘AMOS’, has been uncovered with a dangerous backdoor component that grants cybercriminals persistent access to infected Mac systems. This backdoor allows attackers to execute remote commands, survive system reboots, and maintain indefinite control over compromised devices. As macOS users become increasingly targeted, this evolution of Atomic malware signals a worrying trend in cyber threats.
The Growing Reach of AMOS Malware
Cybersecurity researchers from MacPaw’s Moonlock division, following a tip from independent security expert g0njxa, have analyzed this latest backdoored version of Atomic. The findings reveal that AMOS malware campaigns have impacted over 120 countries, with heavy concentrations in the United States, France, Italy, the United Kingdom, and Canada. The malware’s enhanced capabilities mean thousands of Mac devices worldwide could be fully compromised, putting sensitive data and privacy at serious risk.

Evolution of Atomic: From Info-Stealer to Persistent Backdoor
Initially documented in April 2023, the Atomic stealer began as a Malware-as-a-Service (MaaS) offered on Telegram channels for a subscription fee of about $1,000 monthly. Its primary goal was to steal passwords, files, and cryptocurrency wallets stored on macOS browsers and applications. However, this latest backdoored variant represents a significant escalation in threat level:
- Backdoor embedded inside the malware enables remote command execution.
- Persistence mechanisms ensure survival through reboots using LaunchDaemons on macOS.
- Unique victim ID tracking and new command-and-control (C2) infrastructure enhance attacker control.
This evolution shows the shift from simple data theft to full system compromise.
New Attack Vectors Targeting macOS Users
Moonlock’s research highlights a change in how Atomic malware is distributed. Whereas the initial versions were spread via cracked software websites, the new campaigns focus heavily on targeted phishing attacks. These lures often take the form of:
- Invitations to cryptocurrency holders with fraudulent offers.
- Fake job interview invitations aimed at freelancers and remote workers.
This shift reflects cybercriminals’ strategy to zero in on high-value targets, increasing infection success rates.

How the Backdoor Works: Anatomy of the Attack
At the core of this backdoor is a hidden binary called ‘.helper’, stored in the victim’s home directory after infection. This binary is continuously run by a hidden persistent script called ‘.agent’, which operates as the logged-in user. To guarantee persistence, a LaunchDaemon named ‘com.finder.helper’ is installed via AppleScript to trigger the agent script every time the Mac boots up.
Key details include:
- The malware obtains user passwords stealthily during infection, allowing it to gain elevated privileges.
- It can change ownership of the LaunchDaemon to root:wheel, granting superuser access.
- This enables attackers to remotely execute arbitrary commands, log keystrokes, deploy further malicious payloads, and explore lateral movement within networks.
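The persistence artifacts named above (a LaunchDaemon labelled ‘com.finder.helper’, a hidden ‘.agent’ script and a hidden ‘.helper’ binary in the home directory) are exactly what a defender can audit for. The script below is an added example, not code from the article or from Moonlock: it takes a LaunchDaemons directory and a home directory as arguments, flags any plist that references that label or launches a hidden file from a user’s home directory, and checks for the hidden files themselves. The fixture it builds is a constructed, empty imitation of that layout so the check can be exercised offline; the plist contents and the path ‘/Users/victim/.agent’ are assumptions used only for the fixture.

```shell
#!/bin/sh
# Added example (not from the article or Moonlock). Audits for the persistence
# artifacts the article describes. Paths are arguments so it can run against a
# constructed fixture; on a real host you would pass /Library/LaunchDaemons and $HOME.

# check_amos_persistence <launchdaemons_dir> <home_dir>
# Prints one line per finding and returns the number of findings (0 = clean).
check_amos_persistence() {
    ld_dir="$1"
    home_dir="$2"
    found=0

    for plist in "$ld_dir"/*.plist; do
        [ -e "$plist" ] || continue
        # The label the article reports for the malicious LaunchDaemon.
        if grep -q 'com\.finder\.helper' "$plist" 2>/dev/null; then
            echo "FINDING: LaunchDaemon referencing com.finder.helper: $plist"
            found=$((found + 1))
        fi
        # More general: a LaunchDaemon (runs as root) that executes a hidden
        # file from a user's home directory is suspicious regardless of label.
        if grep -Eq '/Users/[^/<]+/\.(helper|agent)' "$plist" 2>/dev/null; then
            echo "FINDING: LaunchDaemon launching a hidden home-directory file: $plist"
            found=$((found + 1))
        fi
    done

    # The hidden binary and agent script the article says are dropped in $HOME.
    for name in .helper .agent; do
        if [ -e "$home_dir/$name" ]; then
            echo "FINDING: hidden persistence artifact present: $home_dir/$name"
            found=$((found + 1))
        fi
    done

    return "$found"
}

# make_fixture <dir>: builds a constructed, harmless imitation of the layout
# (empty files plus a plist). Nothing here is real malware.
make_fixture() {
    base="$1"
    mkdir -p "$base/LaunchDaemons" "$base/home"
    cat > "$base/LaunchDaemons/com.finder.helper.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.finder.helper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>/Users/victim/.agent</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
    : > "$base/home/.helper"
    : > "$base/home/.agent"
}

# Demo run against the constructed fixture.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
if check_amos_persistence "$demo_dir/LaunchDaemons" "$demo_dir/home"; then
    echo "no persistence artifacts found"
else
    echo "persistence artifacts found; review the findings above"
fi
rm -rf "$demo_dir"
```

The label match is deliberately narrow and will only catch this exact variant; the second check (a LaunchDaemon that runs anything hidden out of a home directory) is the one worth keeping in a baseline, since root-level daemons have no business executing user-writable dotfiles. Ownership of the plist (the article notes it is changed to root:wheel) is not checked here because the `stat` flags differ between macOS and Linux.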

To avoid detection, the backdoor performs environment checks to evade sandboxing or virtual machine detection and uses string obfuscation techniques.
Why macOS Users Must Stay Vigilant
For years, macOS was considered less vulnerable than Windows systems. However, this new Atomic backdoor highlights the increasing sophistication and focus of cybercriminals on Apple devices. With persistent access, attackers can silently steal sensitive information, disrupt operations, or even use infected Macs as gateways into larger corporate or personal networks. Experts recommend:
- Avoid downloading software from untrusted sources or cracked apps.
- Be cautious with unexpected emails, especially those offering job interviews or cryptocurrency opportunities.
- Use strong, unique passwords and enable two-factor authentication where possible.
- Keep macOS and all software up to date with security patches.
Conclusion: The Future of macOS Security Depends on Awareness and Action
The discovery of the backdoored Atomic macOS info-stealer AMOS is a stark reminder that macOS users are not immune to advanced persistent threats. As cybercriminals continuously refine their malware, the importance of proactive security practices cannot be overstated. Staying informed, practicing safe browsing habits, and employing robust cybersecurity tools are essential steps to protect your Mac against evolving threats like AMOS.
For further reading on macOS security and malware prevention, visit MacPaw Moonlock and the Cybersecurity & Infrastructure Security Agency (CISA).