Mac computers and devices have largely faced fewer malware threats because Windows had more users, making that platform a bigger, juicier target. Thatâs given Apple owners the comfortable illusion that their devices are a little bit safer than others from viruses and the like.
But that illusion of security through obscurity is a bit like a childâs party balloon â easily popped. And thatâs just whatâs happened this week.Â
Thereâs a new malware on the block, and itâs not your ordinary thug. Itâs called Atomic macOS Stealer, and itâs designed to work invisibly, stealing passwords and autofill data from multiple browser caches, as well as credit card and wallet information.Â
âMac owners have been a little bit snobbish about thinking that because theyâve got a Mac theyâre not a target,â Rocky Mountain Cybersecurity CEO Elmer Robinson told Cowboy State Daily. âFor a while, that was kind of true. The Windows machines were certainly a much bigger target in the beginning, and the malware actors definitely focused on the big market.
âBut thatâs changing. Itâs not true anymore.â
Malware Has Evolved
Cyble Research and Intelligence Labs discovered Atomic MacOS Stealer on sale for $1,000 a month in a Telegram channel last week. The program is part of a new wave of turnkey malware thatâs for sale on the dark web.Â
âThe bad guys have gotten so good at what they do, theyâre just making their skills for lease now or for rent,â Robinson said. âSo, you can just go out and sign up, and this is the perfect example. For $1,000 a month, youâre the bad guy.
âAnd that (cash) is really all thatâs needed. It doesnât require programming skill. It doesnât require technical expertise. It doesnât really require a lot of time investment. You just need to write a check.â
Itâs not the first time this type of malware has been for sale, Robinson added.Â
A command and control infrastructure virus released earlier this year gave users a management console and all the tools needed to create zombie bots that could control machines for bitcoin mining or other such activities.
It was available for a mere $100 a month.
Another, which was a multimillion-dollar hack, worked off a website that allowed thieves to buy a key for $10 that could steal live session cookies.
That allowed the thief to steal the actual token for sessions and inject it directly onto his own desktop. From there, he could directly control the target computer without need for a password.
âYou can bypass multi-factor authentication that way,â Robinson said. âYou can steal the session.â
How Atomic macOS Stealer Works
Atomic macOS Stealer includes a dashboard for managing victims, as well as brute-force tools that can steal information from autofill caches in browsers, including Firefox and Chrome.
A DMG file is the vehicle that drives this program on a victimâs machine, however, so thatâs one piece thatâs still old-school.
âThis particular one does require you to click an installer,â Robinson said. âItâs a DMG file, and so (protecting yourself) is kind of some of the same old warnings. If you donât know what something is, donât click on it. If itâs, you know, a link in an email that youâre not certain about, donât click on it. Thatâs Step One.â
Step Two, though, would be to stop storing passwords and autofill functions in browser caches. Theyâre not just convenient for you, hackers love them, too.
âThose are so easily hacked,â Robinson said. âItâs really low-hanging fruit for the bad guys. The first thing they do is just dump your password cache out of your browser, because it doesnât require any effort for them at all.â
Once Atomic macOS Steeler has been installed, it will offer a fake system prompt presented as a routine log-in requirement. Then it starts quietly sending that, and other sensitive information, to a remote server.Â
In addition to auto-filled passwords and personal information, it can swipe system information, files from the desktop and documents folder, and even the password of the infected Mac computer itself.
The program is designed to specifically target any credit card information and private keys for crypto wallets like Electrum, Binance and Atomic.
Online data suggests the program is being updated on a regular basis, adding new functionality to make it more effective.Â
Next Generation Malware Doesnât Even Require A Click
While the Atomic macOS Stealer requires a user to click something to activate it, thereâs already a new generation of malware that doesnât necessarily require users to do anything at all.
âOne of the tactics theyâve learned to use is to embed like GIF files (in an email),â Robinson said. âGIF files can contain metadata and that metadata can be loaded and executed in the background. So, they get like a blank image and embed malicious code in it and make that image part of the background of the email.â
The image is practically invisible â a white background, for example â so that the recipient doesnât realize thereâs anything unusual.
With this strategy, a computer is infected from the moment the email opens, or is even just previewed using the preview pane. The only strategy against this is disabling images in the email programâs settings. They can be re-enabled for individual emails that the user knows are safe.
âThey can also embed background code in the body of an email or a web page that can execute without being clicked on,â Robinson said. âThere are a number of attack mechanisms that donât require any click at all. So, these continue to get much more mature, and they now have this operating at a level where theyâre invisible.â
Thatâs led to some fairly high-profile hacks, Robinson said, such as the U.S. Marshal Service, which announced in February that it had been breached for three years.
âThe bad guys are at that level of maturity that they can get into the U.S. Marshal Service and not only did they get in, they did it without tripping any alarms, and then they lived there undetected, stealing stuff for three years,â Robinson said. âWeâre seeing that the bad guys can get into the most sophisticated environments on the planet. It doesnât matter if itâs like NASA, the Pentagon, Homeland Security. The bad guys got in there and they lived in there for nine months and were undetected.Â
âThose guys never found out they were breached. Somebody had to tell them. The maturity level of the bad guy is theyâre at a place now where theyâre invisible.â
Situational Awareness Key
The increasing sophistication of these types of virtual con games requires more situational awareness than ever, Robinson told Cowboy State Daily.Â
âA lot of small business people who I talk to think that when they click on a virus that a bunch of boxes pop up, or thereâs a laughing skeleton, you know, bandits just saying âhahah we got you,ââ Robinson said. âThen your IT guy comes in, takes your computer and gives you a loaner, and then, two days later, heâs done a wipe and reinstall and brings your computer back and youâre just fine.â
Those days are gone, Robinson said.Â
âThere was a study done that showed that something like 6% of small business people think itâs going to take less than three months to remove the data breach and the actual number is nine months to a year,â Robinson said. âAnd like 40% of small-business people think itâs going to cost them less than $1,000, but the actual number is $9.4 million.
âYeah, IBM publishes that number every year, and this year in America, that number is $9.4 million. So, thereâs this thing of getting people to understand that the game has changed a little bit.â




