Full Report
Malware analysts discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, giving attackers persistent access to compromised systems. [...]
Analysis Summary
# Tool/Technique: Atomic macOS Infostealer (with Backdoor Addition)
## Overview
The Atomic macOS infostealer has reportedly been updated to include a persistent backdoor mechanism. This evolution suggests that attackers are targeting macOS users with increasingly sophisticated methods, aiming for long-term access and remote control after the initial information theft.
## Technical Details
- Type: Malware family (Infostealer with integrated Backdoor)
- Platform: macOS
- Capabilities: Information theft, remote command execution, keystroke logging, payload delivery, defensive evasion.
- First Seen: Not explicitly stated in the provided text, but represents an evolution of the existing Atomic infostealer.
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on the described backdoor capabilities.*
- **TA0011 - Command and Control**
  - **T1071 - Application Layer Protocol** (Implied, for remote command execution)
- **TA0003 - Persistence**
  - **T1547.004 - Registry Run Keys / Startup Folder** (Using LaunchDaemon for startup execution)
- **TA0005 - Defense Evasion**
  - **T1027 - Obfuscated Files or Information** (String obfuscation observed)
- **TA0002 - Execution**
  - **T1059.006 - Command and Scripting Interpreter: macOS and OS X Shell** (Implied via remote command execution)
## Functionality
### Core Capabilities
The core backdoor, executed by the binary named **'.helper'**, allows threat actors to:
* Execute remote commands on the compromised system.
* Log keystrokes.
* Introduce additional malicious payloads.
* Facilitate lateral movement exploration.
### Advanced Features
* **Persistence Mechanism:** Achieved via a wrapper script named **'.agent'**, which repeatedly executes '.helper' in a loop as the logged-in user.
* **Startup Execution:** Ensured via a **LaunchDaemon (com.finder.helper)** installed using AppleScript, which runs '.agent' at system startup.
* **Privilege Escalation:** The installation of the LaunchDaemon uses the **user's password stolen during the initial infection phase** to run with elevated privileges.
* **Ownership Modification:** The malware can change the ownership of the LaunchDaemon PLIST file to **'root:wheel'** (superuser level on macOS).
* **Evasion:** Checks for sandbox or virtual machine environments using the **'system_profiler'** tool and employs **string obfuscation**.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names:
  - Backdoor executable: `.helper`
  - Persistent wrapper script: `.agent`
  - LaunchDaemon identifier: `com.finder.helper`
- Registry Keys: [N/A - macOS uses LaunchDaemon PLIST files, not a registry]
- Network Indicators: [Not detailed in the text; this summary focuses on host artifacts]
- Behavioral Indicators:
  - Installation of a LaunchDaemon configured to run upon system startup.
  - Execution loop in which the `.agent` script repeatedly calls the `.helper` binary.
  - Use of `system_profiler` to check for sandbox/VM environments.
  - Modification of LaunchDaemon PLIST ownership to `root:wheel`.
## Associated Threat Actors
- [Not explicitly named in the provided text, but associated with the evolution of the "Atomic" macOS infostealer tooling.]
## Detection Methods
- Signature-based detection: Targeting the known executable names (`.helper`, `.agent`) and the LaunchDaemon identifier (`com.finder.helper`).
- Behavioral detection: Monitoring for suspicious process execution chains in which AppleScript installs persistent services, especially where privileges are elevated using stolen user credentials; detecting `system_profiler` invoked as part of a malware execution chain.
- YARA rules if available: [Not provided in the text]
## Mitigation Strategies
- Prevention measures: Strong credential hygiene to prevent the theft and subsequent use of user passwords for privilege escalation.
- Hardening recommendations: Regularly audit LaunchDaemons and Login Items for unauthorized entries, especially those running as root or the logged-in user. Ensure least privilege principles are enforced.
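As an added example (not part of the original report or any vendor tooling), the following Python script performs the LaunchDaemon audit recommended above and the signature checks from the Detection Methods section: it parses each plist, flags the `com.finder.helper` label and any reference to the `.helper` or `.agent` files, and notes when `RunAtLoad` makes the entry start at boot. The rule that a daemon launching any hidden dot-prefixed executable is suspicious is my own generalization, and the sample plist in `__main__` is constructed for illustration.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Indicators from the report above; the dot-prefix heuristic further down is my assumption.
KNOWN_LABELS = {"com.finder.helper"}
KNOWN_FILENAMES = {".helper", ".agent"}

def audit_plist(path: Path) -> list[str]:
    """Return the reasons a launchd plist matches the described persistence ([] if clean)."""
    try:
        with path.open("rb") as fh:
            plist = plistlib.load(fh)
    except Exception as exc:  # malformed file: report it rather than abort the audit
        return [f"unparseable plist: {exc}"]
    findings = []
    label = str(plist.get("Label", ""))
    if label in KNOWN_LABELS:
        findings.append(f"label matches known indicator: {label}")
    # Cover both launchd forms: a single Program key or a ProgramArguments array.
    program = [str(plist["Program"])] if plist.get("Program") else []
    for arg in program + [str(a) for a in plist.get("ProgramArguments") or []]:
        name = os.path.basename(arg)
        if name in KNOWN_FILENAMES:
            findings.append(f"references known backdoor file: {arg}")
        elif name.startswith(".") and os.path.sep in arg:
            # Assumption: legitimate daemons do not launch hidden dot-prefixed executables.
            findings.append(f"launches hidden executable: {arg}")
    if findings and plist.get("RunAtLoad"):
        findings.append("RunAtLoad is set: executes at system startup")
    return findings

def audit_launch_daemons(directory: Path) -> dict[str, list[str]]:
    """Map plist filename -> findings for every flagged plist in the directory."""
    results = {}
    for path in sorted(directory.glob("*.plist")):
        if findings := audit_plist(path):
            results[path.name] = findings
    return results

if __name__ == "__main__":
    # Constructed sample mimicking the reported daemon; on a host, pass Path("/Library/LaunchDaemons").
    sample = Path(tempfile.mkdtemp())
    with (sample / "com.finder.helper.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.finder.helper", "RunAtLoad": True,
                       "ProgramArguments": ["/bin/sh", "/Users/victim/.agent"]}, fh)
    for name, reasons in audit_launch_daemons(sample).items():
        print(name, *reasons, sep="\n  - ")
```

Run it as root against `/Library/LaunchDaemons` (and per-user `LaunchAgents` directories) so unreadable plists do not silently fall into the unparseable bucket.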
## Related Tools/Techniques
- Atomic macOS Infostealer (The precursor malware focusing on information theft).