50 Crypto Wallets Targeted by Atomic MacOS Malware

By   Olivia William
Writer , Information Security Buzz | Apr 28, 2023 06:35 am PST

Security professionals have issued alerts regarding a new type of malware that targets MacOS devices in an effort to steal sensitive data, including credit card details, credit card expiration dates, and information from over 50 Bitcoin browser extensions.

The threat, dubbed “Atomic” (also known as “AMOS”), is being offered for $1,000 per month on Telegram, a notorious encrypted messaging service with a bad reputation for serving as a venue for the exchange of illegal materials and content.

Threat actors can use its web panel to manage victims, MetaMask brute-forcer, cryptocurrency checker, dmg installer, and Telegram log receiver to perpetrate crimes. The malware has been tracked by researchers at Trellix and Cyble labs, and they discovered that the most recent version release occurred on April 25. This suggests that further modifications and updates are still being made.

Furthermore, just 2% of antivirus programs have been found to mark the dmg file as malicious, making it difficult to detect the utility.  Users can become infected with the virus by threat actors using standard techniques, such as phishing emails, social media posts, malvertising campaigns, malicious downloads, etc. 

The victim is presented with a phony prompt to enter their device’s master password when they open the dmg file, which the malware takes to get access. Then it tries to steal user data kept in Apple’s exclusive Keychain password manager. 

The software then attempts to steal data from installed programs, including desktop cryptocurrency wallets from companies like Electrum, Binance, Exodus, and Atomic, as well as 50 other wallet extensions like (Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, etc.).

Data from web browsers, including passwords and credit card information saved in Yandex, Opera, and Vivaldi, as well as Google Chrome, Mozilla Firefox, and Microsoft Edge, is also extracted. Additionally searched for system specifics like the (model name, serial numbers, hardware UUID, RAM size, and core count).

Additionally, Atomic MacOS has the ability to steal data directly from folders like the Desktop and Documents folders. However, to do this, the malware must ask the system for permission, and since the user is informed of this, they may have a chance to detect the infection. 

The stolen information is transferred as a zip file to the threat actor’s command and control site, which strangely shares the same IP address as the Raccoon Stealer, indicating a connection between the two. 

In contrast to Windows computers, Apple products aren’t often as frequently attacked by malware, but it seems that is starting to change as a recent survey indicated that such threats are on the rise.


Threat actors are selling Atomic macOS Stealer (AMOS) on Telegram for $1,000 monthly, joining MacStealer. In a technical analysis, Cyble researchers found that the Atomic macOS Stealer can steal Keychain passwords, system information, desktop and document files, and the macOS password. Its various functions include harvesting data from web browsers and cryptocurrency wallets as Atomic, Binance, Coinomi, Electrum, and Exodus. Threat actors that acquire the stealer from the creators receive a web panel for victim control.

The virus uses an unsigned disk image file (Setup.dmg) that prompts the victim to enter their system password to escalate privileges and harm. MacStealer employs this method. The malware may have been introduced by tricking users into downloading and running it. On April 24, 2023, VirusTotal detected the Atomic stealer artifact as “Notion-7.0.6.dmg,” indicating that it is being propagated as the popular note-taking software. The MalwareHunterTeam identified malware in “Photoshop CC 2023.dmg” and “Tor Browser.dmg.”

Cyble says loopholes or fraudulent websites can spread malware like the Atomic macOS Stealer. Atomic then collects system metadata, files, iCloud Keychain, web browser data (passwords, autofill, cookies, and credit card information), and cryptocurrency wallet extensions. Data is compressed into a ZIP package and sent to a distant server. ZIP-filed data is sent to pre-configured Telegram channels. Users should only use trusted website sources, enable two-factor authentication, evaluate program permissions, and avoid suspicious links in emails and SMS messages.