A fake webpage impersonating a popular and free archive unpacking app was recently discovered spreading in the wild.
In a tactic that continues to play out time and time again, fake websites that use Google Ads to promote traffic continue to pop up. This tactic, which has been common for Windows users for decades, has pivoted to target Apple users in the past year. In fact, 2023 and 2024 set all-time highs for the distribution of macOS malware, especially info stealers.
Info stealers like AMOS are on the rise. These are sold on online black markets and promoted as as easy-to-use malware-as-a-service products, lowering the technical requirement bar that attackers need to breach a macOS.
A fake app, a fake site, and a familiar info stealer
On July 30, Hunt.io published a technical digital forensic report on their investigation into the distribution of a new piece of macOS malware. Researchers from Hunt.io analyzed a campaign that impersonated the well-known app The Unarchiver by MacPaw.
Researchers found, after looking into the file they downloaded from tneunarchiver[.]com — a single letter different from the legitimate site — that the disk image was malicious. More concerningly, the malware raised no red flags when scanned on VirusTotal. This means that security vendors were not aware of this threat at the time.
However, this malware is not new. Instead, it seems to be a version of AMOS.
As previously mentioned, criminals license or rent out AMOS on the dark web, usually on a monthly basis. As the stealer increases in popularity due to its attack capabilities, numerous different versions are being discovered in the wild. By now, AMOS has surely been reverse-engineered by other bad actors.
Bad actors targeting Mac users are flying under the radar
The Hunt.io investigation also found other interesting characteristics. For example, the lack of alarms that this malware raised in the standard security community is significant.
Other than a single link buried deep inside the info stealer, all the other sites and files linked to the malware distribution were undetected by scams and browser warnings. This means that attackers are flying under the radar and could be developing new versions to become ever more stealthy.
Just like AMOS, this malware seems to include common info stealer capabilities, such as password and credential exfiltration tactics or crypto wallet breach code. The investigation also found a communication path coded in the malware to link the breached device with a C2 server controlled by the bad actors.
Motive, attribution, and distribution tactics
This campaign does not seem to target any specific small group of users. Rather, it goes after Mac users in general. As such, the motive behind this campaign can only be financial gain.
Additionally, Hunt.io found Russian-language text in some of the info stealer’s files. Other than that, there is no evidence to identify who is posing as The Unarchiver online.
This type of campaign, while illegal, does not fall within the most concerning attacks being carried out today by nation-state-supported actors, DDoS hacktivists, or ransomware gangs. This does not mean that this malware and its distribution tactics aren’t a real danger.
These attackers aren’t reinventing the wheel when it comes to distribution tactics. Offering online cracked versions of popular software, or pretending to be the legitimate software itself, is a social engineering technique that dates back to the days of the first viruses for Windows.
Mac users, who haven’t had to face these risks until recent years, must now endure the perils of downloading software and apps online.
It is noteworthy to mention that the distribution tactic that this malware used is identical to common distribution tactics in previous attacks and campaigns.
How many Atomic Stealer AMOS attacks have there been?
According to SpyCloud, a US-based cybersecurity company, AMOS was discovered in April 2023, and new versions have been emerging ever since.
SpyCloud said they took in 214,369 total records from 1,491 unique Atomic Stealer infections between October 2023 and January 2024.
To grasp the real number of attackers using this dangerous macOS malware, we would have to add all the 2024 attacks as well as estimate the attacks that have been undetected. One thing is certain, the number rises to the hundreds of thousands of AMOS campaigns.
Patching up different versions of AMOS or exposing every attack and campaign that leverages AMOS is a reactive Whac-A-Mole tactic that has no end. It appears that the only solution to this problem would be intervention by law enforcement.
The solution is to go straight to the source of this problem. In this case, that means the groups that are making and selling the AMOS stealer to attackers.
Note: By the time this report was submitted for publication, all the websites and IPs identified by Hunt.io’s investigation were no longer active.
Tips for your security
In the end, the security of your data and your Mac depends largely upon you. Never download software from unofficial sources. Instead, use the Apple App Store or carefully investigate any app or program before you download it. Additionally, double-check the URL.
The Unarchiver is available on the official MacPaw website or the product website.
Because cybercriminals use Google Ads to promote fake sites, make a habit of not clicking on those at all.
Finally, always enable multi-factor authentication and keep your Apple devices up to date with the latest security patches.
If a threat does end up on your Mac, use reliable anti-malware tools to limit the damage. CleanMyMac’s Malware Removal module, powered by Moonlock Engine, has been updated to detect the latest version of this stealer.
This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. or Google LLC. Mac and macOS are trademarks of Apple Inc. Google Ads is a trademark of Google LLC.
