The notorious macOS Stealer (AMOS) has undergone a significant evolution, equipping itself with a new persistent backdoor that enables cybercriminals to achieve long-term, remote control over compromised Apple computers.
As detailed by Moonlock Lab, the security research arm of MacPaw, this move transforms AMOS from a conventional infostealer into a sustained national security threat, capable of executing commands and surveilling victims across over 120 countries, including the U.S., U.K., France, Italy, and Canada.
Previously, AMOS was best known for stealing sensitive data like browser credentials and cryptocurrency wallets.
Now, its new backdoor escalates the threat by allowing attackers to maintain access across device reboots and silently execute commands or deploy further payloads.
Victims are primarily ensnared through spear-phishing, often tailored to cryptocurrency holders and freelancers such as artists, or via websites distributing pirated software.
Attackers masquerade as employers or service providers, convincing victims to install trojanized DMG files under the guise of job application processes that require screen sharing.
This social engineering trick typically involves requesting system passwords, unwittingly granting attackers deep privileges.
Once infiltrated, AMOS unleashes a two-pronged stealth mechanism on the victim’s system:
A hidden binary named .helper is stashed within the user's home directory, remaining invisible to most users. To entrench itself at every startup, AMOS deploys a LaunchDaemon labeled com.finder.helper through AppleScript, leveraging the stolen credentials for system-level persistence.
This daemon ensures the malware survives system reboots, an unprecedented step up from past infostealers.
Further complicating detection, the malware communicates with command-and-control (C2) servers via obfuscated HTTP POST requests every 60 seconds, efficiently receiving remote tasks.
The code employs string obfuscation and runs checks for sandbox or virtual machine analysis with Apple’s system_profiler tool, heightening its evasion tactics.
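The two persistence artifacts described above (the `.helper` file in the home directory and a LaunchDaemon whose label is `com.finder.helper`) are the cheapest things for an incident responder to triage. The following read-only check is an added example written for this article, not code from Moonlock Lab or any vendor; the function name, its arguments and the `--scan` flag are assumptions, and it matches on the plist Label rather than the file name because the file name is attacker-chosen while the label is what launchd actually registers.

```shell
#!/bin/sh
# Added example: read-only triage for the AMOS persistence artifacts.
# Directories are parameters so the check can be pointed at a mounted
# image or a test fixture as well as a live Mac.

# Usage: amos_persistence_check <launchdaemons_dir> <home_dir>
# Prints each finding; returns 1 if any indicator is present, 0 if clean.
amos_persistence_check() {
    ld_dir="$1"
    home_dir="$2"
    found=0

    # Indicator 1: any LaunchDaemon plist registering the label
    # com.finder.helper. Binary plists must be converted first
    # (plutil -convert xml1) for this text match to see the label.
    for plist in "$ld_dir"/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q '<string>com\.finder\.helper</string>' "$plist" 2>/dev/null; then
            echo "SUSPECT launchdaemon: $plist (Label com.finder.helper)"
            found=1
        fi
    done

    # Indicator 2: a dotfile named .helper directly under the home directory.
    if [ -e "$home_dir/.helper" ]; then
        echo "SUSPECT file: $home_dir/.helper"
        found=1
    fi

    return $found
}

# Live-system mode (assumed flag): sudo sh amos_check.sh --scan
# Walks every account under /Users and checks the system LaunchDaemons dir.
if [ "${1:-}" = "--scan" ]; then
    rc=0
    for h in /Users/*; do
        [ -d "$h" ] || continue
        amos_persistence_check /Library/LaunchDaemons "$h" || rc=1
    done
    exit $rc
fi
```

A hit on either indicator warrants pulling the plist and the `.helper` binary for analysis and reviewing outbound HTTP POST traffic at roughly 60-second intervals from that host, matching the beacon behaviour described above.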
AMOS’s architecture marks a pivotal shift in macOS threats, echoing attack strategies previously seen in North Korean cyber campaigns.
Security researchers, including those at PolySwarm, warn that the malware-as-a-service may soon incorporate keylogging and additional surveillance features.
AMOS’s Russian-speaking authors appear focused on long-haul system compromise, offering attackers a foothold for future operations and lateral movement within networks.
In response to AMOS’s relentless evolution, experts urge macOS users to adopt robust endpoint protections, avoid pirated software, and remain vigilant against phishing attempts.
As AMOS redefines the macOS threat landscape, heightened security awareness remains the first line of defense.