Amos

Malware Profile Updated 4 days ago
AMOS is malware that specifically targets Mac systems, both Intel-based and ARM-based. It steals passwords, personal files, and information from crypto wallets, posing a significant threat to user security. AMOS was first identified as part of the ClearFake campaign, where it was used as an information stealer.

The malware is distributed by impersonating legitimate macOS applications such as CleanShot X, 1Password, and Bartender and redirecting users to the GitHub profile "papinyurii33" to download macOS installation media, which results in an AMOS infostealer infection. The Insikt Group discovered a website distributing AMOS alongside another malware, Rhadamanthys, under the guise of legitimate software. During their investigation they identified twelve domains that falsely advertised downloads of legitimate macOS applications but instead led victims to the GitHub profile distributing AMOS. This campaign, tracked as GitCaught, abused trusted internet services to carry out attacks that steal personal information.

The attackers also used the GitHub profile to distribute other malware, including Atomic macOS Stealer (AMOS), Lumma, Octo, and Vidar. Beyond AMOS, the account hosted droppers for the Windows-based Lumma and Vidar stealers as well as the Octo Android banking trojan. Despite this activity, one repository named "22" had not received any malware submissions since early February 2024.

Notably, all versions of AMOS hosted on the account performed HTTP POST requests to the endpoint /psp. For other known AMOS endpoints, such as /sendlog and /joinsystem, the user HTTP POST variable supplied in the command and control (C2) communications was the username associated with the threat actor's AMOS subscription.
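A defender-side check for the C2 pattern described above, added here as an example and not code from the profile or from any vendor: it scans constructed proxy-style log lines for POSTs to /psp, /sendlog and /joinsystem and pulls the subscription username out of the request body where the profile says it appears. It assumes the form field is literally named `user`; the hosts, IPs and log format are constructed placeholders.

```python
"""Flag HTTP POSTs to the AMOS C2 paths named in the profile.

Added example, not from the profile or any vendor tool. It scans
proxy-style log lines and returns one finding per suspicious request.
Assumptions: the log format below is constructed for this example, and
the C2 form field carrying the subscription username is literally
named "user" (the profile says "the user HTTP POST variable").
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Endpoints the profile associates with AMOS C2 traffic.
AMOS_C2_PATHS = {"/psp", "/sendlog", "/joinsystem"}
# Paths whose POST body is reported to carry the subscription username.
USERNAME_PATHS = {"/sendlog", "/joinsystem"}


@dataclass
class Finding:
    src_ip: str
    host: str
    path: str
    subscription_user: Optional[str]  # only for /sendlog and /joinsystem


def scan_log(lines: List[str]) -> List[Finding]:
    """Each line: '<src_ip> <METHOD> <url> <urlencoded body or ->'."""
    findings = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        src_ip, method, url, body = parts
        parsed = urlsplit(url)
        if method != "POST" or parsed.path not in AMOS_C2_PATHS:
            continue
        user = None
        if parsed.path in USERNAME_PATHS and body != "-":
            user = parse_qs(body).get("user", [None])[0]
        findings.append(Finding(src_ip, parsed.hostname or "", parsed.path, user))
    return findings


# Constructed sample traffic; hosts, IPs and the "data" field are placeholders.
SAMPLE_LOG = [
    "10.0.0.5 GET http://example.invalid/ -",
    "10.0.0.5 POST http://c2.example.invalid/psp -",
    "10.0.0.7 POST http://c2.example.invalid/sendlog user=sub_alice&data=x",
    "10.0.0.7 POST http://c2.example.invalid/joinsystem user=sub_alice",
    "10.0.0.9 POST http://shop.example.invalid/checkout item=1",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Grouping findings by `subscription_user` lets an analyst tell whether several infected hosts report to the same AMOS subscription.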
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Atomic Stealer | 4 | The Atomic Stealer, also known as AMOS, is a malicious software designed to exploit and damage macOS devices. This malware is delivered through a malvertising campaign that uses deceptive tactics to infect systems. The malware infiltrates devices disguised as a Safari update, with the intent of exfi
Clearfake | 3 | ClearFake is a malware that has been identified as a significant threat to macOS systems. The malicious software, typically delivered through suspicious downloads, emails, or websites, infiltrates the user's system without their knowledge and can steal personal information, disrupt operations, or ho
Amos Stealer | 3 | AMOS Stealer is a type of malware that has been causing significant concern due to its adaptability and ability to leverage legitimate services for malicious purposes. This new variant of the AMOS Stealer bears a high degree of similarity to the 2nd variant of RustDoor, particularly in its use of Ap
Atomic Macos Stealer | 2 | Atomic macOS Stealer (AMOS), a powerful new malware, was launched in early 2023 and has quickly become a significant threat to Apple users. In April of the same year, Cyble Research and Intelligence Labs (CRIL) discovered a Telegram channel advertising this information-stealing malware. AMOS is capa
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
macOS
Telegram
Payload
Malvertising
Infostealer
Windows
Vulnerability
Malwarebytes
Android
1Password
Chrome
Safari
Associated Malware
ID | Type | Votes | Profile Description
Lumma | Unspecified | 2 | Lumma is a type of malware, specifically an information stealer, known for its sophisticated tactics in cyber threats, including the exploitation of the undocumented Google OAuth2 MultiLogin endpoint. In late November 2023, BleepingComputer reported on Lumma's ability to restore expired Google authe
Vidar | Unspecified | 2 | Vidar is a malware variant that first emerged in 2018 as a derivative of the Arkei malware. It is a Windows-based infostealer written in C++, and it has been used extensively by cybercriminals to steal sensitive information from compromised systems. Vidar, like other infostealers such as LummaC2, is
Associated Threat Actors
ID | Type | Votes | Profile Description
ELECTRUM | Unspecified | 2 | Electrum is a threat actor that has been associated with various cyber-attacks, including those against Ukraine on February 1, 2022. These attacks were Bitcoin-themed and involved the use of Electrum Bitcoin wallets, with similarities observed in later attacks carried out in April. The initial loade
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Atomic Macos Stealer (Amos | Unspecified | 3 | None
Source Document References
Information about the Amos malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | a year ago | New AMOS Mac malware targets passwords, personal files, crypto wallets
CERT-EU | a year ago | PSA: 'Atomic macOS Stealer' malware can compromise iCloud Keychain passwords, credit cards, crypto wallets
CERT-EU | 6 months ago | Search | arXiv e-print repository
CERT-EU | a year ago | Hackers are Selling a new Atomic macOS (AMOS) Stealer on Telegram
CERT-EU | 6 months ago | PSA: Watch out for these fake Safari and Chrome updates infecting Macs with AMOS - 9to5Mac
Malwarebytes | 9 months ago | Mac users targeted in new malvertising campaign delivering Atomic Stealer
InfoSecurity-magazine | 16 days ago | Russian Actors Weaponize Legitimate Services in Multi-Malware Attack
CERT-EU | a year ago | Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption
CERT-EU | 6 months ago | Kaspersky crimeware report: FakeSG, Akira and AMOS
Securityaffairs | 10 days ago | GitCaught campaign relies on Github and Filezilla to deliver multiple malware
CERT-EU | 8 months ago | GUEST ESSAY: Caring criminals — why some ransomware gangs now avoid targeting hospitals | The Last Watchdog
CERT-EU | 6 months ago | GUEST ESSAY: Steps to leveraging ‘Robotic Process Automation’ (RPA) in cybersecurity | The Last Watchdog
CERT-EU | a year ago | GUEST ESSAY: Dialing in generative AI to truly relieve and assist cybersecurity professionals | The Last Watchdog
CERT-EU | 5 months ago | GUEST ESSAY: The case for using augmented reality (AR) and virtual reality (VR) to boost training | The Last Watchdog
Malwarebytes | 3 months ago | No “Apple magic” as 11% of macOS detections last year came from malware | Malwarebytes
Securityaffairs | 6 months ago | ClearFake campaign spreads macOS AMOS information stealer
Securityaffairs | 9 months ago | A malvertising campaign is delivering a new version of macOS Atomic Stealer
CERT-EU | 8 months ago | GUEST ESSAY: Caring criminals — why some ransomware gangs now avoid targeting hospitals
CERT-EU | 6 months ago | GUEST ESSAY: Adopting an ‘assume-breach mindset’ to defend company networks in 2024 | The Last Watchdog
CERT-EU | a year ago | GUEST ESSAY: Making the case for leveraging automation to eradicate cybersecurity burnout | The Last Watchdog