Atomic Stealer (AMOS) is one of the most successful malware-as-a-service (MaaS) offerings targeting macOS users, and it has evolved and spawned several other malware variants.
What distinguishes the current family of these MaaS offerings from earlier ones that targeted Apple's desktop operating system is their far more sophisticated distribution: lures impersonate a broad range of enterprise applications rather than being restricted to cracked games and consumer productivity apps.
These Atomic Stealer variants differ in their file characteristics and are written in a range of languages, including Go, Objective-C, and C++.
Among the most prevalent variants of these stealer families seen throughout 2024 are Banshee, Cthulhu, Poseidon, and RodrigoStealer.
Many of these variants obscure their code in various ways, such as base32 encoding, hex-encoded strings, fetching second-stage AppleScript files from remote servers, and splitting strings into chunks.
The post documents the characteristics of several of these Atomic Stealer variants, including evidence of capsule strings and RC4-encrypted hex strings used to obfuscate AppleScript commands and the C2 URLs from which payloads are fetched.
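The obfuscation tricks listed above (chunk-split string literals, hex and base32 encoding, RC4 over hex) are cheap for an author to apply and cheap for an analyst to undo once they are recognised. The following triage helper is an added example written for this summary; it is not code from SentinelOne or from any of the stealer samples. It reassembles `"…" & "…"` literals from an AppleScript-like text and reports any that decode to printable strings. The sample script, the RC4 key and the `example.invalid` URL are all constructed for the demonstration.

```python
"""Triage helper for obfuscated AppleScript-style droppers (added example).

Recovers strings hidden with the tricks described above: chunk-split
literals joined with '&', hex encoding, base32 encoding, and RC4 applied
to hex-encoded bytes. All sample data below is constructed.
"""
import base64
import re
from typing import List, Optional

QUOTED = re.compile(r'"([^"]*)"')


def join_chunks(line: str) -> str:
    """Reassemble a chunk-split literal such as "6469" & "7370" by
    concatenating every quoted token on the line."""
    return "".join(QUOTED.findall(line))


def try_hex(s: str) -> Optional[bytes]:
    """Decode s as hex if it is a well-formed even-length hex string."""
    if s and len(s) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", s):
        return bytes.fromhex(s)
    return None


def try_base32(s: str) -> Optional[bytes]:
    """Decode s as base32 if it uses the RFC 4648 alphabet and padding."""
    if s and len(s) % 8 == 0 and re.fullmatch(r"[A-Z2-7]+=*", s):
        try:
            return base64.b32decode(s)
        except Exception:  # binascii.Error on bad padding
            return None
    return None


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def printable(b: bytes) -> bool:
    return bool(b) and all(32 <= c < 127 for c in b)


def recover_strings(script: str, rc4_key: Optional[bytes] = None) -> List[str]:
    """Walk the script line by line, rebuild split literals, and return every
    literal that decodes (hex, base32, or RC4 over hex with rc4_key) to
    printable ASCII. Analysts can then grep the result for commands/URLs."""
    found: List[str] = []
    for line in script.splitlines():
        joined = join_chunks(line)
        if not joined:
            continue
        raw_hex = try_hex(joined)
        if raw_hex is not None and printable(raw_hex):
            found.append(raw_hex.decode("ascii"))
        raw_b32 = try_base32(joined)
        if raw_b32 is not None and printable(raw_b32):
            found.append(raw_b32.decode("ascii"))
        if rc4_key and raw_hex is not None:
            plain = rc4(rc4_key, raw_hex)
            if printable(plain):
                found.append(plain.decode("ascii"))
    return found


# --- constructed sample input (not taken from any real sample) ---------------
RC4_KEY = b"constructed-key"  # assumed key; real samples embed their own
_ENC = rc4(RC4_KEY, b"http://stage2.example.invalid/payload").hex()
SAMPLE = (
    'set a to "64697370" & "6c617920" & "6469616c6f67"\n'  # hex, chunk-split
    'set b to "NBSWY3DPEB2GQZLSMU======"\n'                 # base32
    'set c to "' + _ENC[:16] + '" & "' + _ENC[16:] + '"\n'  # RC4 over hex
)

if __name__ == "__main__":
    for s in recover_strings(SAMPLE, RC4_KEY):
        print(s)
```

Running the block prints the three recovered strings (`display dialog`, `hello there`, and the constructed stage-2 URL). For real triage the key is usually recoverable from the same script, since RC4 needs it in cleartext to decrypt at runtime; the helper deliberately takes the key as a parameter rather than guessing it.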
Users are tricked via various AppleScript dialogs into granting permissions and giving away the system's admin password.
Organizations without enterprise security controls are urged to review the indicators of compromise provided in the post to keep their systems protected.
SentinelOne detects all variants of Atomic Stealer through a multi-engine platform that combines static and dynamic AI, aimed at stopping threats both pre-execution and on-execution.
The post cautions that, while the number of Atomic Stealer variants is unprecedented on the macOS malware scene, it is not the only infostealer currently preying on unsuspecting users in the wild.