Amos

Malware updated 2 months ago (2024-07-09T13:17:50.980Z)
AMOS is malware that targets Mac systems and steals passwords, personal files, and cryptocurrency wallet information. It was first identified as part of the ClearFake campaign, which aimed to spread the macOS AMOS information stealer. The malware runs on both Intel and Apple M1 Macs, so users of either architecture are exposed. Once installed, typically via deceptive downloads offered on various project webpages, it acts as an infostealer, compromising user data and operations.

The threat actor known as "markopolo" has been identified as a significant distributor of AMOS, using a purported virtual meeting application called Vortax to deliver three potent information stealers: Rhadamanthys, Stealc, and Atomic macOS Stealer (AMOS). This campaign has far-reaching implications for macOS security and suggests a potential surge in AMOS attacks; research indicates that other AMOS operators will likely model future campaigns on markopolo's success, leading to wider proliferation of AMOS in the wild.

Tools such as Recorded Future Identity Intelligence and Brand Intelligence provide insight into credentials compromised through AMOS infostealer logs, database breaches, and combo lists. Combined with Recorded Future Network Intelligence, they help identify malicious domains and IP addresses associated with AMOS builds, and Recorded Future Malware Intelligence can be used to identify and mitigate threats from malicious macOS applications by analyzing their connections to AMOS C2 infrastructure. A previous Insikt Group report observed a 79% increase in mentions of macOS malware and exploit kits between 2022 and 2023, a trend likely accelerated by the increased use of the AMOS infostealer.
Description last updated: 2024-07-09T13:16:51.945Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Atomic Stealer | 4 | Atomic Stealer is a type of malware designed to exploit and damage computer systems, particularly those operating on macOS. It infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even
Atomic Macos Stealer | 3 | The Atomic macOS Stealer (AMOS) is a powerful new malware that emerged in early 2023, targeting Apple users. It was discovered by Cyble Research and Intelligence Labs (CRIL) in April of the same year when it was advertised for sale on Telegram. AMOS can steal various types of information from infect
Amos Stealer | 3 | AMOS Stealer is a type of malware that has been causing significant concern due to its adaptability and ability to leverage legitimate services for malicious purposes. This new variant of the AMOS Stealer bears a high degree of similarity to the 2nd variant of RustDoor, particularly in its use of Ap
Clearfake | 3 | ClearFake is a malicious software (malware) that has been identified as a significant threat to computer systems, specifically targeting macOS through an information stealer known as AMOS. This malware operates by compromising legitimate websites with harmful HTML and JavaScript, masquerading as a f
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Macos
Windows
Telegram
Payload
Infostealer
Malvertising
Safari
Vulnerability
Chrome
Malwarebytes
1password
Exploit
Android
Associated Malware
ID | Type | Votes | Profile Description
Vidar | is related to | 2 | Vidar is a type of malware specifically designed to infiltrate and exploit Windows-based systems. It's written in C++ and is based on the Arkei stealer, which means it has the capability to steal personal information from infected devices. Vidar has been found impersonating legitimate software appli
Lumma | Unspecified | 2 | Lumma is a malicious software, or malware, known for its hard-to-detect nature. It primarily targets cryptocurrency wallets, two-factor authentication browser extensions, and other sensitive information on a victim's device. Lumma operates by exploiting vulnerabilities in systems, such as the Micros
Rhadamanthys | Unspecified | 2 | Rhadamanthys is a type of malware, specifically an information stealer, that has been used in cyber attacks against various organizations. It was initially disseminated through phishing and spam emails before the authors switched to using malicious advertisements as the primary infection vector. Thi
Associated Threat Actors
ID | Type | Votes | Profile Description
ELECTRUM | Unspecified | 2 | Electrum is a threat actor that has been implicated in numerous cyber attacks, including those against Ukraine on February 1, 2022. These attacks were Bitcoin-themed and involved Electrum Bitcoin wallets, with similarities observed in later attacks conducted in April of the same year. The delivery m
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Atomic Macos Stealer (Amos | Unspecified | 4 | None
Source Document References
Information about the Amos malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 9 months ago | Hackers Bypass Apple's Checks to Deliver Malicious Keyboards Used to Spy on Users: Report
CERT-EU | 6 months ago | AMOS macOS Stealer Steals Particular Files on the System & Browser Data
Recorded Future | 2 months ago | Cybercriminal Campaign Spreads Infostealers, Highlighting Risks to Web3 Gaming | Recorded Future
Recorded Future | 2 months ago | The Travels of "markopolo": Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future
InfoSecurity-magazine | 3 months ago | Fake Meeting Software Spreads macOS Infostealer
Recorded Future | 3 months ago | The Travels of "markopolo": Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future
Securityaffairs | 3 months ago | Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 4 months ago | GitCaught campaign relies on Github and Filezilla to deliver multiple malware
InfoSecurity-magazine | 4 months ago | Russian Actors Weaponize Legitimate Services in Multi-Malware Attack
Securityaffairs | 4 months ago | Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 4 months ago | Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 5 months ago | Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Recorded Future | 5 months ago | Cybercriminal Campaign Spreads Infostealers, Highlighting Risks to Web3 Gaming | Recorded Future
Securityaffairs | 5 months ago | Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs | 5 months ago | Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs | 5 months ago | Security Affairs newsletter Round 464 by Pierluigi Paganini
Securityaffairs | 6 months ago | Security Affairs newsletter Round 463 by Pierluigi Paganini
DARKReading | 6 months ago | Windows SmartScreen Bypass Flaw Exploited to Drop DarkGate RAT
CERT-EU | 6 months ago | Implement Automated Threat Intelligence for Improved Incident Response | #cybercrime | #infosec | National Cyber Security Consulting