MacBook users beware: Atomic Stealer malware gets new capabilities

Cybercriminals are increasingly deploying information-stealing malware to target Apple computers, cybersecurity researchers say.

One of these macOS infostealers, Atomic Stealer, has caught the attention of cybersecurity company SentinelOne, which reported Wednesday that it spotted a new version of the malware.

The latest version, which hasn't been described before, is more targeted in the data it attempts to capture, with a specific focus on gaming and cryptocurrency users, SentinelOne said.

The primary aim is financially oriented cybercrime, according to the report. The identity of the hacker group behind Atomic Stealer is unknown.

Researchers have found that Atomic Stealer is more versatile than other Apple-oriented infostealers like Pureland or MacStealer. It has the capability to capture account passwords, browser data, session cookies, and cryptocurrency wallets. It also allows hackers to control their campaigns via a web interface that has a monthly cost of $1,000.

Developers promote the Atomic Stealer installer on Telegram, a messaging app that numerous cybercriminals use as a replacement for dark web forums. Atomic's newest version also is promoted on a YouTube channel created in late April.

Attackers can choose how they want to deliver the payload to their targets. Researchers have observed instances when hackers disguised Atomic Stealer as an installer for genuine applications like Tor Browser or claimed to provide users with cracked versions of well-known software such as Photoshop CC, Notion or Microsoft Office. Another commonly used method is to inject malicious software into legitimate Google Ads.

Atomic Stealer is not an especially advanced infostealer, according to SentinelOne. It uses a straightforward yet efficient method called AppleScript spoofing to extract the user's login password. This method takes advantage of Apple's scripting language, which is employed to automate tasks on computers, to deceive users into running malicious code.

Atomic Stealer avoids trying to establish persistence on infected Macs which is a trend among cybercriminals due to Apple's new feature that alerts users when an item is added to the login items list on macOS Ventura. Instead, Atomic aims to quickly steal as much information as possible in a single attack, reducing the chance of detection and increasing its chances of success.

As of the time of publication, the Telegram channel selling Atomic Stealer has over 1,000 subscribers. The messages in the channel often contain grammatical and syntactical errors, suggesting that the developer's first language may not be English.

SentinelOne cautioned that infostealers targeting Mac computers have become more attractive to threat actors, as more organizations use Apple devices for both work and personal use.

"As many Mac devices lack good external security tools that can provide both visibility and protection, there is plenty of opportunity for threat actors to develop and market tools to aid cybercriminals," the researchers said.