Mac computers and devices have largely faced fewer malware threats because Windows has far more users, making that platform the bigger, juicier target. That’s given Apple owners the comfortable illusion that their devices are a little bit safer than others from viruses and the like.
But that illusion of security through obscurity is a bit like a child’s party balloon — easily popped. And that’s just what’s happened this week.
There’s new malware on the block, and it’s not your ordinary thug. It’s called Atomic macOS Stealer, and it’s designed to run unnoticed, stealing saved passwords and autofill data from multiple browsers, along with credit card details and cryptocurrency wallet data.
“Mac owners have been a little bit snobbish about thinking that because they’ve got a Mac they’re not a target,” Rocky Mountain Cybersecurity CEO Elmer Robinson told Cowboy State Daily. “For a while, that was kind of true. The Windows machines were certainly a much bigger target in the beginning, and the malware actors definitely focused on the big market.
“But that’s changing. It’s not true anymore.”
Malware Has Evolved
Cyble Research and Intelligence Labs discovered Atomic macOS Stealer on sale for $1,000 a month in a Telegram channel last week. The program is part of a new wave of turnkey malware sold as a subscription service through Telegram channels and other underground markets.
“The bad guys have gotten so good at what they do, they’re just making their skills for lease now or for rent,” Robinson said. “So, you can just go out and sign up, and this is the perfect example. For $1,000 a month, you’re the bad guy.
“And that (cash) is really all that’s needed. It doesn’t require programming skill. It doesn’t require technical expertise. It doesn’t really require a lot of time investment. You just need to write a check.”
It’s not the first time this type of malware has been for sale, Robinson added.
One offering released earlier this year was a command-and-control (C2) kit: it gave buyers a management console and all the tools needed to turn compromised machines into bots that could be directed to mine bitcoin or carry out other such activities.
It was available for a mere $100 a month.
Another, which was behind a multimillion-dollar hack, worked off a website that sold a $10 key to malware that could steal live session cookies.
With a stolen cookie, the thief could take the victim’s authenticated session token and inject it into a browser on his own desktop. From there, the website treated him as the already logged-in user, so he could act inside the victim’s account without ever needing a password.
“You can bypass multi-factor authentication that way,” Robinson said. “You can steal the session.”
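The session-cookie replay described above works because most web applications treat possession of the session ID as proof of identity, so the password and the MFA step are never repeated. The Python below is an added example, not code from the article or from any product named in it, showing one server-side mitigation: each session is bound at login to a fingerprint of the client that created it, and a cookie presented from a different client is rejected, revoked and alerted on. The user names, IP addresses, user-agent strings and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse fingerprint of the client that established the session.

    A cookie replayed from an attacker's desktop almost always arrives
    from a different IP address and often a different browser build, so
    a change in either is treated as a mismatch.
    """
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """Server-side session table that binds each session ID to the
    fingerprint recorded at login and revokes the session on mismatch."""

    def __init__(self, idle_timeout_s: int = 900):
        self._sessions: dict[str, dict] = {}
        self.idle_timeout_s = idle_timeout_s
        self.alerts: list[str] = []  # what a SOC queue would receive

    def create(self, user: str, ip: str, user_agent: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable, so theft is the only way in
        self._sessions[sid] = {
            "user": user,
            "fp": client_fingerprint(ip, user_agent),
            "ip": ip,
            "last_seen": now,
        }
        return sid

    def resume(self, sid: str, ip: str, user_agent: str, now: float):
        """Return the user for a valid session, or None (revoking it) otherwise."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout_s:
            del self._sessions[sid]  # stale cookie: force a fresh login, including MFA
            return None
        presented = client_fingerprint(ip, user_agent)
        if not hmac.compare_digest(sess["fp"], presented):
            self.alerts.append(
                f"session replay for user={sess['user']}: "
                f"login ip={sess['ip']} but cookie presented from ip={ip}; session revoked"
            )
            del self._sessions[sid]  # kill it for attacker and victim alike; victim re-authenticates
            return None
        sess["last_seen"] = now
        return sess["user"]

    def is_active(self, sid: str) -> bool:
        return sid in self._sessions


def run_demo():
    """Victim logs in with MFA, a stealer lifts the cookie, attacker replays it (constructed scenario)."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    victim_ip, victim_ua = "203.0.113.7", "Mozilla/5.0 (Macintosh) Safari/605.1"
    sid = store.create("alice", victim_ip, victim_ua, now=t0)  # issued after a successful MFA login

    # Victim keeps working from the same client inside the idle window.
    legit = store.resume(sid, victim_ip, victim_ua, now=t0 + 60)

    # Stealer exfiltrated the cookie; attacker injects it into a browser on his own desktop.
    hijack = store.resume(sid, "198.51.100.9", "Mozilla/5.0 (Windows NT 10.0) Chrome/112", now=t0 + 120)

    # Without the binding check, the replay above would have succeeded with no password and no MFA prompt.
    return legit, hijack, store.is_active(sid), store.alerts


if __name__ == "__main__":
    legit, hijack, still_active, alerts = run_demo()
    print("victim resume:", legit)                 # alice
    print("attacker replay:", hijack)              # None
    print("session still active:", still_active)  # False
    print("\n".join(alerts))
```

The fingerprint is deliberately coarse: binding to the IP address causes false positives for mobile and VPN users, and a stealer that also copies the user-agent string will match that half of it. In production this check is a tripwire alongside short session lifetimes, re-authentication for sensitive actions and, where the browser supports it, device-bound session credentials.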
How Atomic macOS Stealer Works
Atomic macOS Stealer includes a dashboard for managing victims and a brute-force tool, and it harvests saved passwords and autofill data from browsers including Firefox and Chrome.
A DMG file is still the delivery vehicle that gets this program onto a victim’s machine, however, so that one piece remains old-school.
“This particular one does require you to click an installer,” Robinson said. “It’s a DMG file, and so (protecting yourself) is kind of some of the same old warnings. If you don’t know what something is, don’t click on it. If it’s, you know, a link in an email that you’re not certain about, don’t click on it. That’s Step One.”
Step Two, though, would be to stop letting the browser store passwords and autofill data. They’re not just convenient for you; attackers love them, too.
“Those are so easily hacked,” Robinson said. “It’s really low-hanging fruit for the bad guys. The first thing they do is just dump your password cache out of your browser, because it doesn’t require any effort for them at all.”
Once Atomic macOS Stealer has been installed, it displays a fake system dialog, dressed up as a routine login requirement, that asks for the user’s macOS password. Then it quietly sends that password, along with the other sensitive information it has gathered, to a remote server.
In addition to auto-filled passwords and personal information, it can swipe system information, files from the desktop and documents folder, and even the password of the infected Mac computer itself.
The program is designed to specifically target any credit card information and private keys for crypto wallets like Electrum, Binance and Atomic.
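The fake password prompt and the grab of Desktop and Documents files described above are the two behaviours an endpoint detection would key on. The following Python is an added example, not code from the article, from Cyble or from the malware itself: it runs simple scoring rules over a constructed process-execution log in the shape an EDR might emit. It assumes the prompt is raised with AppleScript’s `display dialog ... with hidden answer` through osascript, a technique reported for macOS stealers of this kind; the log format, paths, process names and timestamps are invented for the demonstration.

```python
import re

# Constructed sample in the shape of an EDR process-execution log (not real telemetry).
# The third and fifth lines model a stealer launched from a mounted DMG: a fake
# password dialog raised with osascript, then an archive of the user's Documents.
SAMPLE_LOG = """\
ts=2023-04-30T10:12:01Z pid=401 ppid=1 parent=/bin/zsh cmd=ls -la /Users/jdoe
ts=2023-04-30T10:12:02Z pid=405 ppid=380 parent=/Applications/Backup.app/Contents/MacOS/Backup cmd=osascript -e 'display notification "Backup complete" with title "Backup"'
ts=2023-04-30T10:12:03Z pid=412 ppid=409 parent=/Volumes/Setup/Setup.app/Contents/MacOS/Setup cmd=osascript -e 'display dialog "macOS needs to access System Preferences" default answer "" with icon caution with hidden answer'
ts=2023-04-30T10:12:04Z pid=415 ppid=380 parent=/Applications/Automator.app/Contents/MacOS/Automator cmd=osascript -e 'display dialog "Enter a label" default answer ""'
ts=2023-04-30T10:12:05Z pid=418 ppid=409 parent=/Volumes/Setup/Setup.app/Contents/MacOS/Setup cmd=ditto -c -k /Users/jdoe/Documents /tmp/.st/docs.zip
"""

LINE_RE = re.compile(r"^ts=(\S+)\s+pid=(\d+)\s+ppid=(\d+)\s+parent=(\S+)\s+cmd=(.*)$")
OSASCRIPT_RE = re.compile(r"^(?:\S*/)?osascript\b")
DIALOG_RE = re.compile(r"display\s+dialog", re.I)
# 'with hidden answer' masks what the user types: the AppleScript idiom for a password box.
HIDDEN_RE = re.compile(r"with\s+hidden\s+answer", re.I)
# Archiving or copying a user's Desktop/Documents tree is the staging step before exfiltration.
ARCHIVE_RE = re.compile(r"^(?:\S*/)?(?:ditto|zip|tar|cp)\b.*?/Users/[^/\s]+/(?:Desktop|Documents)\b")
ALERT_THRESHOLD = 3


def parse_line(line: str):
    """Parse one key=value log line into an event dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, pid, ppid, parent, cmd = m.groups()
    return {"ts": ts, "pid": int(pid), "ppid": int(ppid), "parent": parent, "cmd": cmd}


def score_event(ev: dict):
    """Additive scoring: each rule contributes points and a human-readable reason."""
    score, reasons = 0, []
    cmd, parent = ev["cmd"], ev["parent"]
    if OSASCRIPT_RE.match(cmd) and DIALOG_RE.search(cmd):
        score += 1
        reasons.append("osascript raised a dialog")
        if HIDDEN_RE.search(cmd):
            score += 2
            reasons.append("dialog hides typed input (password-capture prompt)")
    if ARCHIVE_RE.match(cmd):
        score += 2
        reasons.append("archived a user Desktop/Documents folder")
    if parent.startswith("/Volumes/"):
        score += 1
        reasons.append("parent process runs from a mounted disk image (DMG)")
    return score, reasons


def detect(log_text: str):
    """Return the events whose score reaches the alert threshold, in log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            findings.append({"pid": ev["pid"], "ts": ev["ts"], "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} pid={f['pid']} score={f['score']}: " + "; ".join(f["reasons"]))
```

Scoring rather than a single string match keeps the Automator dialog in the sample below threshold, since it is a visible prompt with no hidden answer and runs from /Applications; the parent-on-/Volumes rule is what separates the same command launched from a freshly mounted DMG. Real telemetry will need the rules tuned against the organisation’s own baseline of AppleScript use.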
Online data suggests the program is being updated on a regular basis, adding new functionality to make it more effective.
Next Generation Malware Doesn’t Even Require A Click
While the Atomic macOS Stealer requires a user to click something to activate it, there’s already a new generation of malware that doesn’t necessarily require users to do anything at all.
“One of the tactics they’ve learned to use is to embed like GIF files (in an email),” Robinson said. “GIF files can contain metadata and that metadata can be loaded and executed in the background. So, they get like a blank image and embed malicious code in it and make that image part of the background of the email.”
The image is practically invisible, a plain white background, for example, so the recipient doesn’t notice anything unusual.
An attack of this kind relies on a flaw in how the mail client parses or renders the image or the HTML around it; on a vulnerable client, the computer could be compromised as soon as the message is rendered, even in the preview pane, with no click at all. The practical defenses are to keep the mail client patched and to disable automatic loading of images and other remote content in its settings. Images can then be re-enabled for individual emails the user knows are safe.
“They can also embed background code in the body of an email or a web page that can execute without being clicked on,” Robinson said. “There are a number of attack mechanisms that don’t require any click at all. So, these continue to get much more mature, and they now have this operating at a level where they’re invisible.”
That’s led to some fairly high-profile hacks, Robinson said, such as the U.S. Marshals Service, which announced in February that it had been breached for three years.
“The bad guys are at that level of maturity that they can get into the U.S. Marshals Service and not only did they get in, they did it without tripping any alarms, and then they lived there undetected, stealing stuff for three years,” Robinson said. “We’re seeing that the bad guys can get into the most sophisticated environments on the planet. It doesn’t matter if it’s like NASA, the Pentagon, Homeland Security. The bad guys got in there and they lived in there for nine months and were undetected.
“Those guys never found out they were breached. Somebody had to tell them. The maturity level of the bad guy is they’re at a place now where they’re invisible.”
Situational Awareness Key
The increasing sophistication of these types of virtual con games requires more situational awareness than ever, Robinson told Cowboy State Daily.
“A lot of small business people who I talk to think that when they click on a virus that a bunch of boxes pop up, or there’s a laughing skeleton, you know, bandits just saying ‘hahah we got you,’” Robinson said. “Then your IT guy comes in, takes your computer and gives you a loaner, and then, two days later, he’s done a wipe and reinstall and brings your computer back and you’re just fine.”
Those days are gone, Robinson said.
“There was a study done that showed that something like 6% of small business people think it’s going to take less than three months to remove the data breach and the actual number is nine months to a year,” Robinson said. “And like 40% of small-business people think it’s going to cost them less than $1,000, but the actual number is $9.4 million.
“Yeah, IBM publishes that number every year, and this year in America, that number is $9.4 million. So, there’s this thing of getting people to understand that the game has changed a little bit.”