Summary:
Researchers at Malwarebytes have uncovered an updated version of Atomic Stealer, an information stealer designed to target macOS systems. The update was made in mid December, 2023, where authors behind the malware introduced a new payload encryption routine designed to hide certain strings that were previously used for detection and identifying the C2 server. With Atomic Stealer’s code now being obfuscated, this makes it challenging for antivirus solutions to detect it. Soon after the update was made, authors behind the malware were observed promoting the stealer on their Telegram channel, where interested buyers could purchase the tool for $2000. Since then, a malwaretising campaign has followed suit, with cybercriminals distributing the updated stealer either via software cracks or malicious ads masquerading as applications including Slack, a popular communication tool.

Security Officer Comments:
Atomic Stealer was first spotted in the wild in April 2023. Since then it has become a popular tool employed by cybercriminals to harvest sensitive information from targeted systems including keychain passwords, session cookies, files, crypto wallets, system metadata, as well as system credentials via fake prompts. Authors behind the malware have actively made updates to the stealer since initiating operations. The latest addition of an encryption routine to obfuscate the C2 server used to receive stolen information will enable actors to exfiltration data without much hassle.

Suggested Corrections:
Users should avoid downloading cracked software as these are typically embedded with malicious code designed to enable actors to compromise targeted systems. The use of Google ads remains a popular tactic employed by actors to spread malware like Atomic Stealer. In general, when searching for applications, users should avoid clicking on results are are labeled “sponsored.”

Link(s):
https://thehackernews.com/2024/01/atomic-stealer-gets-upgrade-targeting.html