We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

New Atomic macOS Stealer Malware On Sale to Cybercriminals

New Atomic macOS Stealer Malware On Sale to Cybercriminals
Husain Parvez Published on 30th April 2023 Cybersecurity Researcher

A new macOS stealer malware is being sold to cybercriminals via the messaging service Telegram for the steep price of $1000. The malware is a 64-bit Go-based program designed to target macOS systems specifically. Its main purpose is to steal sensitive information, such as keychain passwords, local file system files, passwords, cookies, and credit card data stored within browsers.

Cyble, a threat intelligence firm, has examined a sample of the AMOS malware recently uploaded to VirusTotal. The malware went completely under the radar until its discovery. As per Cyble's analysis, the malware can extract all passwords from the macOS Keychain, the built-in password manager on macOS devices that stores sensitive data such as WiFi passwords, website logins, and credit card details. The malware can also access complete system information and files from the affected computer.

As reported by SecurityWeek, the malware is purportedly capable of stealing passwords, cookies, cryptocurrency wallets, and payment card data from several browsers, including Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, and Opera. The malware also targets and can steal a variety of crypto wallets, including Electrum, Binance, Exodus, Atomic, and Coinomi.

As part of the $1000 fee, cybercriminals are offered an inclusive package of malicious products, including a web panel for simplified victim management, a DMG installer, a cryptocurrency checker, and a MetaMusk brute-forcer. There’s also the ability to retrieve logs of stolen data via Telegram, along with notifications.

When the malware is executed, it displays a counterfeit password prompt to trick the user into entering the system password, granting the attacker elevated privileges on the victim's machine. The malware also allows threat actors the ability to steal files from the victim's 'Desktop' and 'Documents' directories. However, since the malware must request permission to access these files, it runs the risk of the victim identifying the malicious activity.

Another researcher from Trellix examined the AMOS malware and observed that an IP address used by the malware is connected to Raccoon Stealer, another form of malware previously associated with threat actors based in Russia and Ukraine.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.