Moonlock Lab

@moonlock_lab

Followers
1K
Following
80
Media
160
Statuses
279

Malware research lab @moonlock_com Assembled by @macpaw to detect and study cybersecurity threats.

Joined June 2023
@moonlock_lab
Moonlock Lab
2 months
🗞️ We couldn't fit our analysis of a new #AMOS #macOS #backdoor into a thread here, so we published a whole article! We appreciate @SANSInstitute, @BleepinComputer, and others for sharing it! Give it a read!
moonlock.com
This new AMOS version allows persistent access.
7
21
64
@moonlock_lab
Moonlock Lab
14 days
RT @patrickwardle: New macOS Stealer "Mac.C" by mentalpositive 🍎👾. Read "Mac.c Stealer Takes on AMOS" (by @moonlock_com / @MacPaw). https…
hackernoon.com
Moonlock analysed Mac.c stealer, a new rival to AMOS. Learn its tactics, code reuse, and "building in public" strategy.
0
19
0
@moonlock_lab
Moonlock Lab
14 days
@g0njxa IOC (network):
https[://]kgogowfwef[.]live/api/download/applescript?tag=release
https[://]kgogowfwef[.]live/api/download/macho?tag=release
https[://]kgogowfwef[.]live/api/download/macos/release
1
1
6
@moonlock_lab
Moonlock Lab
14 days
@g0njxa IOC (files):
37364c17e1bedbcf2d6fa4cde5195f00fc5b328383173a931d568ab74b3893ed
749c44846ca9d18518ecae08e36c8086038d96b0e056767753040d5a2012a69d
393acc8ef94ab8ba0abf7a769e451d5434d4acdbda0b60966bfac4b40e4d6875
1
1
5
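The two IOC posts above (network and files) list raw indicators only. As an added example, not part of the thread and not Moonlock's tooling, here is a Python script that refangs the posted URLs, matches their hostname against log lines, and hashes every regular file under a directory against the posted SHA-256 digests. The IOCs are the ones published above; the log lines are constructed for this example and are not real telemetry.

```python
import hashlib
import re
from pathlib import Path

# IOCs exactly as published in the two posts above: defanged URLs and SHA-256 digests.
NETWORK_IOCS_DEFANGED = [
    "https[://]kgogowfwef[.]live/api/download/applescript?tag=release",
    "https[://]kgogowfwef[.]live/api/download/macho?tag=release",
    "https[://]kgogowfwef[.]live/api/download/macos/release",
]
FILE_IOCS_SHA256 = {
    "37364c17e1bedbcf2d6fa4cde5195f00fc5b328383173a931d568ab74b3893ed",
    "749c44846ca9d18518ecae08e36c8086038d96b0e056767753040d5a2012a69d",
    "393acc8ef94ab8ba0abf7a769e451d5434d4acdbda0b60966bfac4b40e4d6875",
}

# Constructed sample log lines (not real telemetry) in a generic "timestamp source detail" shape.
SAMPLE_LOG = [
    "2025-06-01T10:02:11Z dns A? kgogowfwef.live from 10.0.0.12",
    "2025-06-01T10:02:12Z proxy GET https://kgogowfwef.live/api/download/applescript?tag=release 200",
    "2025-06-01T10:05:00Z dns A? updates.example.com from 10.0.0.12",
    "2025-06-01T10:06:30Z proxy GET https://notkgogowfwef.live/ 404",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging so the IOC can be compared against real logs."""
    return ioc.replace("[://]", "://").replace("[.]", ".").replace("hxxp", "http")


def ioc_hosts(defanged_urls=NETWORK_IOCS_DEFANGED) -> set:
    """Lower-cased hostnames extracted from the refanged URLs."""
    hosts = set()
    for url in defanged_urls:
        m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", refang(url), re.I)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def scan_log_lines(lines, hosts=None):
    """Return (line_number, line) for every line that mentions an IOC host.

    The host must stand on its own (or as the parent of a subdomain): a negative lookbehind
    and lookahead on hostname characters keep 'notkgogowfwef.live' from matching 'kgogowfwef.live'.
    """
    hosts = ioc_hosts() if hosts is None else set(hosts)
    if not hosts:
        return []
    alternatives = "|".join(re.escape(h) for h in sorted(hosts))
    pattern = re.compile(r"(?<![a-z0-9-])(?:" + alternatives + r")(?![a-z0-9-])", re.I)
    return [(n, line) for n, line in enumerate(lines, 1) if pattern.search(line)]


def sha256_file(path, chunk_size=1 << 20) -> str:
    """Streaming SHA-256 so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root, hashes=FILE_IOCS_SHA256, max_size=256 << 20):
    """Walk root and return [(path, sha256)] for regular files whose digest is a file IOC.

    Symlinks are skipped so a planted link cannot drag the scan outside root, and files
    above max_size are skipped because stealer loaders and payloads are small.
    """
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if path.is_symlink() or not path.is_file() or path.stat().st_size > max_size:
                continue
            digest = sha256_file(path)
        except OSError:  # unreadable or vanished file: keep going
            continue
        if digest in hashes:
            hits.append((str(path), digest))
    return hits


if __name__ == "__main__":
    import sys

    for n, line in scan_log_lines(SAMPLE_LOG):
        print(f"network IOC hit on sample log line {n}: {line}")
    for path, digest in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"file IOC hit: {path} {digest}")
```

Run it with a directory argument (for example a user's Downloads or /tmp) to hash-match the posted samples; the log matcher takes any iterable of strings, so it can be pointed at DNS or proxy exports as easily as at the constructed lines.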
@moonlock_lab
Moonlock Lab
14 days
@g0njxa 7/7: For the full deep dive on 'mentalpositive' and his mac.c's evolution, check our article on @hackernoon:
hackernoon.com
Moonlock analysed Mac.c stealer, a new rival to AMOS. Learn its tactics, code reuse, and "building in public" strategy.
1
1
7
@moonlock_lab
Moonlock Lab
14 days
@g0njxa 6/7: Not the flashiest stealer out there, but it's the cheapest on the market. And now it seems price matters for some traffer teams. mac.c borrows from AMOS but carves its own niche in the macOS infostealer scene.
1
1
5
@moonlock_lab
Moonlock Lab
14 days
@g0njxa 5/7: Digging into the AppleScript (stage 3): at first glance, it screams AMOS: credential theft, browser data grabs, crypto wallet harvesting, file exfil. But then this string jumps out: "mac.c macOS Stealer". Bingo! This points straight to the 'mentalpositive' threat actor.
1
1
5
@moonlock_lab
Moonlock Lab
14 days
@g0njxa 4/7: Then comes the second loader, which is all about stealth. It kills Terminal, downloads an AppleScript payload via curl, and throws up a fake dialog, "Your Mac does not support this application.", to fool users.
1
1
4
@moonlock_lab
Moonlock Lab
14 days
@g0njxa 3/7: First stage: a sneaky curl command drops the initial loader. This sets the stage for more fun. It clears attributes, makes it executable, and runs it. Classic evasion vibes.
1
1
4
@moonlock_lab
Moonlock Lab
14 days
@g0njxa 2/7: The infection chain consists of 3 stages, probably contributing to further adaptability and possible changes to any of them to avoid quick detection by security vendors. Additionally, the ‘tag=release’ URL anchor could mean several versions ready to be shipped.
1
2
4
@moonlock_lab
Moonlock Lab
14 days
1/7: Our fellow researcher @g0njxa shared juicy info with us: a real #ClickFix-style find! A fake "Installation Instructions" pop-up pushes users to run a malicious bash command via Terminal. We couldn’t resist checking it, and what we uncovered? A multi-stage #macOS #stealer 👇
1
16
57
@moonlock_lab
Moonlock Lab
28 days
4/4: The spike on the chart suggests that threat actors behind macOS stealers may have ramped up distribution or bundled the backdoor into more droppers. If one is not protected with timely updates of antivirus software, the backdoor is likely to remain on their system.
1
2
4
@moonlock_lab
Moonlock Lab
28 days
3/4: We already described the complete infection chain in our latest article. Here is, again, a small part of what the LaunchAgent creation flow looks like, so that users and security specialists can stay aware and eliminate them from infected systems:
1
2
4
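The LaunchAgent creation flow itself is in the post's image, which this page does not carry. As an added example, not Moonlock's code and not taken from the article, here is a Python triage script for the other half of that post, finding and eliminating such agents: it parses every LaunchAgent plist (XML or binary, via the standard plistlib), flags entries using heuristics that are assumptions of this example rather than indicators from the thread (an interpreter such as osascript launched on a script in a temp, shared or hidden path, an inline script on the command line, RunAtLoad combined with KeepAlive), and unloads and deletes a chosen plist with launchctl bootout. The two sample plists are constructed for the example.

```python
import os
import plistlib
import subprocess
import sys
from pathlib import Path

# Triage heuristics. These are assumptions of this example, not indicators from the thread:
# a persistence entry that runs an interpreter on a script parked in a temp, shared or
# hidden location is how script-based macOS stealers typically survive a reboot.
INTERPRETERS = {"osascript", "bash", "sh", "zsh", "curl", "python", "python3", "perl"}
STAGING_FRAGMENTS = ("/tmp/", "/var/folders/", "/Users/Shared/", "/.")

# Constructed sample plists (not real samples): one stealer-style entry, one ordinary app helper.
SAMPLE_SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.update",
    "ProgramArguments": ["/usr/bin/osascript", "/Users/Shared/.update/agent.scpt"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
SAMPLE_BENIGN = plistlib.dumps({  # binary format, to show plistlib handles both
    "Label": "com.example.helper",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper", "--agent"],
    "RunAtLoad": True,
}, fmt=plistlib.FMT_BINARY)


def default_dirs():
    """Per-user and system-wide LaunchAgent folders on macOS."""
    return [Path.home() / "Library" / "LaunchAgents", Path("/Library/LaunchAgents")]


def parse_launch_agent(data: bytes) -> dict:
    """Pull the triage-relevant keys out of an XML or binary plist."""
    pl = plistlib.loads(data)
    args = pl.get("ProgramArguments") or ([pl["Program"]] if "Program" in pl else [])
    return {
        "label": str(pl.get("Label", "")),
        "args": [str(a) for a in args],
        "run_at_load": bool(pl.get("RunAtLoad", False)),
        "keep_alive": bool(pl.get("KeepAlive", False)),
    }


def suspicion_reasons(agent: dict) -> list:
    """Reasons an agent deserves a look; an empty list means no heuristic matched."""
    if not agent["args"]:
        return ["no Program/ProgramArguments"]
    reasons = []
    exe = os.path.basename(agent["args"][0])
    if exe in INTERPRETERS:
        reasons.append(f"launches an interpreter ({exe}) instead of an app binary")
    joined = " ".join(agent["args"])
    for frag in STAGING_FRAGMENTS:
        if frag in joined:
            reasons.append(f"references a staging or hidden path ({frag!r})")
            break
    if " -e " in f" {joined} " or " -c " in f" {joined} ":
        reasons.append("passes an inline script on the command line")
    if agent["run_at_load"] and agent["keep_alive"]:
        reasons.append("RunAtLoad + KeepAlive: relaunched if the process is killed")
    return reasons


def triage_directory(directory) -> list:
    """Return [(plist_path, agent, reasons)] for every .plist in directory, most suspicious first."""
    results = []
    for plist in sorted(Path(directory).glob("*.plist")):
        try:
            agent = parse_launch_agent(plist.read_bytes())
        except (OSError, plistlib.InvalidFileException, ValueError) as exc:
            results.append((str(plist), {"label": "", "args": []}, [f"unparseable plist: {exc}"]))
            continue
        results.append((str(plist), agent, suspicion_reasons(agent)))
    results.sort(key=lambda r: len(r[2]), reverse=True)
    return results


def remove_launch_agent(plist_path):
    """Unload the agent from the current user's GUI session, then delete the plist.

    This only removes the persistence entry; collect the script it points to for
    analysis and delete that by hand.
    """
    if sys.platform != "darwin":
        raise RuntimeError("launchctl is macOS-only")
    subprocess.run(["launchctl", "bootout", f"gui/{os.getuid()}", str(plist_path)], check=False)
    os.remove(plist_path)


def demo() -> list:
    """Write the constructed plists to a temp directory and triage them."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "com.example.update.plist").write_bytes(SAMPLE_SUSPICIOUS)
    (root / "com.example.helper.plist").write_bytes(SAMPLE_BENIGN)
    return triage_directory(root)


if __name__ == "__main__":
    for d in [Path(p) for p in sys.argv[1:]] or default_dirs():
        for path, agent, reasons in (triage_directory(d) if d.is_dir() else []):
            print(f"{'SUSPICIOUS' if reasons else 'ok':10} {path}  {' '.join(agent['args'])}")
            for r in reasons:
                print(f"    - {r}")
```

Without arguments the script walks the user's and the system's LaunchAgents folders; the heuristics are deliberately loose, so treat a flag as a reason to read the referenced script, not as a verdict. On a real machine, `/Library/LaunchDaemons` and the per-user `~/Library/LaunchAgents` of every account deserve the same pass.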
@moonlock_lab
Moonlock Lab
28 days
2/4: macOS stealers have long been known for their constantly updating techniques, but with the addition of a backdoor, they are now among the most harmful malware for Apple computers. The number of detections of LaunchAgents dropped by AMOS has been increasing in the wild.
1
2
5
@moonlock_lab
Moonlock Lab
28 days
1/4: Earlier this month, our team published an article dissecting a new #backdoor variant hidden inside the #AMOS #macOS malware. Since then, we've observed a sharp 300% increase in detected AMOS samples targeting our users. Let us explain why it matters 👇
2
12
23
@moonlock_lab
Moonlock Lab
29 days
RT @moonlock_com: MacPaw’s Moonlock team at Objective by the Sea #OBTS v8.0! This October, Kseniia and Nazar will speak at the world’s lead…
0
5
0
@moonlock_lab
Moonlock Lab
2 months
We also thank @g0njxa for contributing his insights! Tagging those who might be interested in further research: @patrickwardle @philofishal @L0Psec @shablolForce @theevilbit @theJoshMeister @DefSecSentinel @suyog41 @bruce_k3tta @birchb0y @RussianPanda9xx @txhaflaire @AndreGironda
1
0
14