
The Rise of AMOS: The Infostealer Transforms into a Stealthy Backdoor for Mac Users
2025-07-09
Author: Li
A notorious macOS infostealer has taken a grim turn. According to Moonlock, the cybersecurity division of MacPaw, the Atomic macOS Stealer (AMOS) now ships with an embedded backdoor that extends it from one-off data theft to ongoing control of the infected machine.
With this update, attackers who infect a Mac with AMOS keep their access to it: they can send the machine remote tasks and retain broad control over it long after the initial theft, rather than collecting one batch of stolen data and moving on.
A New Era of Threats for macOS Users
Moonlock's July 4 report describes this as only the second known case of a backdoor deployed at global scale against macOS users; the first was attributed to North Korean operators. The escalation fits a broader trend of attackers investing in Apple platforms.
The AMOS Attack: A Two-Pronged Approach
The group behind AMOS is believed to operate from Russia and focuses mainly on stealing cryptocurrency-related data. Its attacks follow two paths: websites offering cracked software that actually deliver the stealer, and spear-phishing campaigns aimed at high-value individuals.
In the spear-phishing scenario, the lure is a staged job interview, often aimed at creatives and freelancers. The payload is introduced during a screen-sharing session in which the victim is led to hand over the system password. Once it is running, AMOS steals credentials and cryptocurrency seed phrases and installs the persistent backdoor, giving the operators ongoing access.
The Transformative Power of the Backdoor
The backdoor changes what AMOS is: the malware can now fully compromise an infected Mac rather than only raiding it. In practical terms, alongside its ability to run AppleScript on the host, AMOS now establishes persistence, so the implant survives a reboot, through a function its developers named installBot.
Communication with the operators' command-and-control infrastructure has changed to match. Instead of a one-way upload of stolen data, each compromised host is assigned a unique identifier, which is what lets the operators address individual machines and task them over time.
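The report says only that persistence is set up by a function named installBot, not which macOS mechanism it uses. The most common way for an implant to survive a reboot on macOS is a launchd job, so a practical check is to audit the LaunchAgents and LaunchDaemons directories for jobs with traits an implant is more likely to have than a vendor service: a script interpreter such as osascript as the program, a hidden or scratch directory, RunAtLoad combined with KeepAlive, or a com.apple label outside /System/Library. The script below is an added example written for this page, not code from Moonlock's report or from AMOS; the launchd assumption, the heuristics and the SAMPLE_PLIST (an invented label and paths used only for the offline test) are all mine.

```python
"""Audit launchd persistence on macOS with a few implant-style heuristics.

Added example; not code from Moonlock's report or from AMOS itself. It assumes
persistence means a launchd job (LaunchAgent/LaunchDaemon); the page does not
say which mechanism installBot uses. Run with no arguments on a Mac to audit
the live system. SAMPLE_PLIST is constructed for offline testing.
"""
import os
import plistlib
import re

LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Hidden directories and scratch locations are rare for legitimate services.
SUSPICIOUS_PATH = re.compile(r"/\.[^/]+|/(?:private/)?tmp/|/Users/Shared/|/var/folders/")

# An interpreter as the job's program means the real payload is a script elsewhere.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "python", "perl", "ruby"}


def program_of(job):
    """Return the argv a launchd job executes (ProgramArguments or Program)."""
    if "ProgramArguments" in job:
        return [str(a) for a in job["ProgramArguments"]]
    if "Program" in job:
        return [str(job["Program"])]
    return []


def triage_job(job):
    """Return a list of findings for one parsed launchd plist (empty if clean)."""
    findings = []
    argv = program_of(job)
    if not argv:
        return ["no Program or ProgramArguments"]
    if os.path.basename(argv[0]) in INTERPRETERS:
        findings.append("program is a script interpreter: " + argv[0])
    if SUSPICIOUS_PATH.search(" ".join(argv)):
        findings.append("runs from a hidden or scratch path")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive (relaunched if killed)")
    if str(job.get("Label", "")).startswith("com.apple."):
        # Apple's own jobs live under /System/Library, not these directories.
        findings.append("Apple-style label outside /System/Library")
    return findings


def triage_plist_bytes(data):
    """Parse plist bytes (XML or binary) and triage the job it describes."""
    return triage_job(plistlib.loads(data))


def audit_system(dirs=LAUNCHD_DIRS):
    """Walk the launchd directories; return {path: findings} for flagged jobs."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as f:
                    findings = triage_plist_bytes(f.read())
            except (OSError, plistlib.InvalidFileException, ValueError) as e:
                findings = ["unreadable plist: %s" % e]
            if findings:
                report[path] = findings
    return report


# Constructed sample of what an implant's LaunchAgent might look like.
# Not a real AMOS artifact: label and paths are invented for the test.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/osascript</string><string>/Users/Shared/.cache/agent.scpt</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for path, findings in audit_system().items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

None of these heuristics is proof of compromise on its own (plenty of legitimate agents set RunAtLoad and KeepAlive), so treat a hit as a lead: check who signed the binary the job points at and whether you recognise the installer that dropped it.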
As Moonlock researchers noted, "This upgrade represents a significant escalation in both capability and intent," suggesting that AMOS's potential for harm has increased dramatically.
Learning from North Korea’s Playbook
Despite the upgrade, the backdoored AMOS remains rudimentary next to the tooling used by North Korean operators, whose implants support a wide range of commands for tasks such as keylogging and ongoing surveillance.
Researchers expect the AMOS developers to extend the malware further. The pseudonymous threat researcher @g0njxa cited internal communications from the group indicating that it is considering adding keylogging.
In conclusion, AMOS has moved from a one-shot data theft tool to an implant that keeps access to the machines it infects, a notable turn in the macOS threat landscape. As the malware continues to develop, Mac users should remain vigilant against the lures described above and proactive in securing their systems.