An updated variant of the Atomic Stealer malware is circulating online and poses a serious risk to Mac users. First identified in 2023, the stealer has been improved continuously and now targets high-end MacBooks and other Apple computers alike. Its primary objective is to harvest sensitive data: keychain passwords, local files, browser cookies, stored credit card details and cryptocurrency wallets.
Recent analysis by MacPaw shows that this latest iteration of Atomic Stealer can also plant a backdoor on a compromised Mac, leaving it open to further and potentially more damaging attacks. The malware is sold as malware-as-a-service: other criminals subscribe to it for a monthly fee ranging from ,000 to ,000.
Thanks to a tip from independent security researcher g0njxa on X, MacPaw’s security team obtained a sample of the updated Atomic Stealer. Their analysis uncovered a backdoor that survives a reboot of the infected Mac. The backdoor is an executable named ‘.helper’, which is downloaded into the victim’s home directory after the initial infection. Because the name starts with a dot, Finder and a plain ‘ls’ do not show it, which helps the file evade casual inspection.
A second hidden file, a wrapper script named ‘.agent’, runs ‘.helper’ in a loop under the logged-in user’s account. Persistence comes from a LaunchDaemon labelled com.finder.helper, installed via AppleScript, which starts ‘.agent’ every time the Mac boots. LaunchDaemons live in /Library/LaunchDaemons and are loaded by launchd at boot, so writing one requires administrator rights; this is where the credentials stolen during the initial infection come in. With the backdoor in place, the operators can run commands remotely, log keystrokes, drop additional payloads, or move laterally to other machines on the same network.
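The persistence chain described above (hidden executables in the home directory plus a LaunchDaemon that starts them) can be hunted for with a short script. The following is an added example written for this page, not code from MacPaw, Moonlock or the malware itself. It uses only the indicators given in the text (‘.helper’, ‘.agent’, com.finder.helper) and generalizes them to one heuristic: any system-wide LaunchDaemon whose program is a dotfile inside a user’s home directory is abnormal, because legitimate daemons live under /usr, /Library or /Applications. The directory layout, file names and plist contents in the demo fixture are constructed for illustration; the DEFAULT_* paths are the real macOS locations.

```python
"""Hunt for the Atomic Stealer persistence pattern: hidden executables at the
top of a home directory and a LaunchDaemon that launches one of them.
Example code added for this article; the fixture built by demo() is constructed."""
import json
import os
import plistlib
import stat
import tempfile
from pathlib import Path

KNOWN_LABEL = "com.finder.helper"          # IOC from the article
KNOWN_HIDDEN_FILES = {".helper", ".agent"}  # IOCs from the article
DEFAULT_DAEMONS_DIR = Path("/Library/LaunchDaemons")   # real macOS path
DEFAULT_HOMES_ROOT = Path("/Users")                    # real macOS path


def is_executable_regular_file(p: Path) -> bool:
    """True for a regular file with any execute bit set; symlinks are not followed."""
    try:
        st = p.lstat()
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def hidden_executables(home: Path) -> list:
    """Dot-prefixed executables sitting directly in a home directory.
    Normal dotfiles (.zshrc, .gitconfig) are data, so an executable one is worth a look
    even when its name is not a known IOC."""
    if not home.is_dir():
        return []
    return sorted(e for e in home.iterdir()
                  if e.name.startswith(".") and is_executable_regular_file(e))


def load_daemon(plist_path: Path):
    """Return (Label, program/argument strings) from a launchd plist; (None, []) if unreadable."""
    try:
        with plist_path.open("rb") as fh:
            data = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return None, []
    if not isinstance(data, dict):
        return None, []
    args = []
    if isinstance(data.get("Program"), str):
        args.append(data["Program"])
    if isinstance(data.get("ProgramArguments"), list):
        args.extend(a for a in data["ProgramArguments"] if isinstance(a, str))
    return data.get("Label"), args


def suspicious_daemons(daemons_dir: Path, homes: list) -> list:
    """LaunchDaemon plists whose label is the known IOC or whose program is a home-directory dotfile."""
    findings = []
    if not daemons_dir.is_dir():
        return findings
    for plist in sorted(daemons_dir.glob("*.plist")):
        label, args = load_daemon(plist)
        reasons = []
        if label == KNOWN_LABEL:
            reasons.append("label matches IOC " + KNOWN_LABEL)
        for a in args:
            # Substring match also catches a path buried inside a "sh -c ..." argument.
            if any((str(h) + "/.") in a for h in homes):
                reasons.append("runs a dotfile from a home directory: " + a)
            elif os.path.basename(a) in KNOWN_HIDDEN_FILES:
                reasons.append("references IOC filename: " + a)
        if reasons:
            findings.append({"plist": str(plist), "label": label, "reasons": reasons})
    return findings


def hunt(daemons_dir: Path, homes: list) -> dict:
    """Run both checks and return the raw findings."""
    hidden = []
    for home in homes:
        hidden.extend(hidden_executables(home))
    return {"hidden_executables": hidden, "suspicious_daemons": suspicious_daemons(daemons_dir, homes)}


def demo() -> dict:
    """Build a constructed fixture mirroring the article's description and hunt it.
    Nothing here touches the real system; the layout is invented for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "Users" / "victim"
        home.mkdir(parents=True)
        for name in KNOWN_HIDDEN_FILES:              # hidden, executable: the IOC pattern
            (home / name).write_text("#!/bin/sh\n")
            (home / name).chmod(0o755)
        (home / ".zshrc").write_text("export PATH=$PATH\n")   # benign dotfile, not executable
        daemons = Path(tmp) / "Library" / "LaunchDaemons"
        daemons.mkdir(parents=True)
        with (daemons / "com.finder.helper.plist").open("wb") as fh:   # malicious daemon
            plistlib.dump({"Label": "com.finder.helper", "RunAtLoad": True,
                           "ProgramArguments": ["/bin/sh", "-c", str(home / ".agent")]}, fh)
        with (daemons / "com.example.updater.plist").open("wb") as fh:  # benign daemon
            plistlib.dump({"Label": "com.example.updater", "RunAtLoad": True,
                           "ProgramArguments": ["/usr/local/libexec/updater", "--daemon"]}, fh)
        result = hunt(daemons, [home])
        return {"hidden_executables": [p.name for p in result["hidden_executables"]],
                "daemon_labels": [d["label"] for d in result["suspicious_daemons"]],
                "daemon_reasons": [r for d in result["suspicious_daemons"] for r in d["reasons"]]}


if __name__ == "__main__":
    homes = [h for h in DEFAULT_HOMES_ROOT.glob("*") if h.is_dir()]
    live = hunt(DEFAULT_DAEMONS_DIR, homes)
    print(json.dumps({"hidden_executables": [str(p) for p in live["hidden_executables"]],
                      "suspicious_daemons": live["suspicious_daemons"]}, indent=2))
```

Run as root on a Mac it scans every home under /Users and every plist in /Library/LaunchDaemons; run with no arguments elsewhere it simply reports nothing. A hit on the second heuristic deserves attention even when the label differs from com.finder.helper, since the label is trivial for the malware authors to change while the need to launch something from the victim’s home directory is not. Adding ~/Library/LaunchAgents and /Library/LaunchAgents to the scanned directories is a natural extension.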
How to stay safe from Mac malware
Moonlock’s researchers have identified two main distribution channels for the latest Atomic Stealer variant: cracked or pirated software, and spear-phishing campaigns aimed at high-value targets. The first is the easiest to shut down: do not install pirated software. Apart from being illegal, a cracked installer cannot be verified, so there is no way to know what else it carries. Install from the Mac App Store or directly from the vendor’s own site.
Against spear phishing, the best defence is to limit how much of your profile is public. If you hold significant cryptocurrency, do not advertise it on social media; attackers pick their targets from exactly that kind of signal. A tactic seen in these campaigns is the fake job interview, in which the victim is talked into handing over a password on the pretext of enabling screen sharing. Treat that request as a red flag: legitimate video-conferencing tools never ask for your macOS password to share a screen, because macOS grants that access through a Screen Recording permission prompt, not a password dialog.
macOS ships with XProtect, Apple’s built-in signature-based malware scanner, but a stealer that is updated as often as this one can outrun signature updates, so a third-party antivirus or EDR product adds a useful second layer. As long as Atomic Stealer keeps paying off for its operators, careful cyber hygiene and awareness of emerging threats remain essential for protecting personal and professional data.