A sophisticated new variant of the AMOS macOS stealer has emerged, demonstrating unprecedented levels of technical sophistication in its distribution and obfuscation methods.
The malware leverages GitHub repositories as distribution platforms, exploiting the platform’s legitimacy to bypass security measures and target unsuspecting macOS users with cryptocurrency theft capabilities.
The latest campaign involves a multi-layered attack chain that begins with malicious DMG files hosted on GitHub repositories, specifically targeting users seeking legitimate applications.
The malware employs advanced obfuscation techniques including multiple layers of base64 encoding, XOR encryption, and custom alphabets to evade detection by traditional security solutions.
Once executed, the stealer deploys both x64 and ARM64 versions to ensure compatibility across different Mac architectures.
Jason Reaves, a malware researcher and reverse engineer on Walmart's crimeware threat intelligence team, identified this campaign while tracking recent AMOS activity.
His analysis revealed that the malware sample 9f8c5612c6bfe7ab528190294a9d5eca9e7dec3a7131463477ae103aeec5703b represents a significant evolution in the threat's capabilities, incorporating evasion techniques previously unseen in macOS malware campaigns.
The attack vector primarily focuses on cryptocurrency wallet users, with the malware masquerading as legitimate applications such as Ledger Live to steal seed phrases and private keys.
The campaign demonstrates remarkable persistence, with threat actors quickly establishing new repositories when previous ones are taken down by GitHub’s security teams.
This cat-and-mouse dynamic highlights the challenges faced by platform providers in combating sophisticated threat actors who abuse legitimate services for malicious purposes.
Advanced Obfuscation and Decoding Mechanisms
The technical sophistication of this AMOS variant lies in its multi-stage obfuscation process that involves three distinct decoding layers.
The initial payload contains an obfuscated shell script that undergoes base64 decoding followed by XOR operations using hardcoded keys.
The deobfuscation process reveals an AppleScript component that searches for mounted volumes containing “touchlock” before executing the primary payload.
The core decoding algorithm implements a three-block scheme in which three equal-sized data blocks are combined through arithmetic operations.
The algorithm processes every double-word (dword) with a subtraction followed by an XOR, as the extraction code shows: a = (a - d) & 0xffffffff; a ^= c.
This step yields the custom base64 alphabet xtk1IbLCo9pQgDwBKNl_Pa*Z-J40zOiEr&5n8s=R!dAG%$<SF@#+)eT2hcH?ufVy used for subsequent payload decoding.
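As an added illustration of the three-stage decoding described above, the following Python is example code written for this article, not the researcher's extraction script or the malware's own code. It walks a constructed sample through a pipeline of the same shape: standard base64 plus repeating-key XOR, the dword-level subtract-and-XOR over three equal blocks, and a base64 decode using the custom alphabet quoted above. The XOR key, the block order (a, c, d), little-endian dwords, the sample payload and the filler blocks are assumptions made for the example; only the dword formula and the alphabet come from the article.

```python
import base64
import struct

# Custom base64 alphabet quoted in the article (64 symbols). It contains '=',
# so '=' cannot double as padding in this scheme; padding is restored below.
CUSTOM_ALPHABET = "xtk1IbLCo9pQgDwBKNl_Pa*Z-J40zOiEr&5n8s=R!dAG%$<SF@#+)eT2hcH?ufVy"
STANDARD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
assert len(CUSTOM_ALPHABET) == 64 and len(set(CUSTOM_ALPHABET)) == 64

# Hypothetical repeating XOR key standing in for the sample's hardcoded key.
DEMO_XOR_KEY = b"demo-key"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so one function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def three_block_decode(blob: bytes) -> bytes:
    """Undo the dword transform quoted in the article:
        a = (a - d) & 0xffffffff; a ^= c
    The blob is split into three equal blocks a, c, d. That order and the
    little-endian dword layout are assumptions for this example."""
    if len(blob) % 12:
        raise ValueError("blob must be three equal blocks of whole dwords")
    n = len(blob) // 3
    a_blk, c_blk, d_blk = blob[:n], blob[n:2 * n], blob[2 * n:]
    out = bytearray()
    for off in range(0, n, 4):
        a = struct.unpack_from("<I", a_blk, off)[0]
        c = struct.unpack_from("<I", c_blk, off)[0]
        d = struct.unpack_from("<I", d_blk, off)[0]
        a = (a - d) & 0xFFFFFFFF
        a ^= c
        out += struct.pack("<I", a)
    return bytes(out)


def three_block_encode(plain: bytes, c_blk: bytes, d_blk: bytes) -> bytes:
    """Inverse of three_block_decode, used only to build the constructed sample:
    a' = ((plain ^ c) + d) mod 2**32, laid out as a' || c || d."""
    if not (len(plain) == len(c_blk) == len(d_blk)) or len(plain) % 4:
        raise ValueError("blocks must be equal in size and dword-aligned")
    a_blk = bytearray()
    for off in range(0, len(plain), 4):
        p = struct.unpack_from("<I", plain, off)[0]
        c = struct.unpack_from("<I", c_blk, off)[0]
        d = struct.unpack_from("<I", d_blk, off)[0]
        a_blk += struct.pack("<I", ((p ^ c) + d) & 0xFFFFFFFF)
    return bytes(a_blk) + c_blk + d_blk


def custom_b64decode(text: str) -> bytes:
    """Map the custom alphabet onto the standard one, restore padding, decode."""
    if any(ch not in CUSTOM_ALPHABET for ch in text):
        raise ValueError("character outside the custom alphabet")
    std = text.translate(str.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std)


def custom_b64encode(data: bytes) -> str:
    """Inverse of custom_b64decode (for the constructed sample only)."""
    std = base64.b64encode(data).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET))


def build_sample() -> bytes:
    """Constructed stage-1 artifact: base64(XOR(three-block(custom-b64(payload))))."""
    payload = b"constructed demo payload".ljust(36, b".")  # 36 bytes -> 48 custom chars
    stage3 = custom_b64encode(payload).encode("ascii")     # 48 bytes, dword-aligned
    c_blk = bytes(range(len(stage3)))                       # constructed filler blocks
    d_blk = bytes((i * 7 + 3) & 0xFF for i in range(len(stage3)))
    stage2 = three_block_encode(stage3, c_blk, d_blk)
    return base64.b64encode(xor_with_key(stage2, DEMO_XOR_KEY))


def unpack_stage1(stage1_b64: bytes, key: bytes = DEMO_XOR_KEY) -> bytes:
    """Run the three decoding layers in analysis order and return the final payload."""
    stage2 = xor_with_key(base64.b64decode(stage1_b64), key)
    stage3 = three_block_decode(stage2)
    return custom_b64decode(stage3.decode("ascii"))


if __name__ == "__main__":
    print(unpack_stage1(build_sample()))
```

When applying this to a real sample, the key, block order and endianness recovered from the dropper replace the assumed values; the alphabet check in custom_b64decode is also a cheap triage signal, since a 64-character alphabet that includes '=' is an unusual fingerprint to hunt for in scripts.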
The malware's persistence mechanism involves copying the .touchlock file to the temporary directory, removing its extended attributes with xattr -c (which strips the quarantine attribute that would otherwise subject the file to Gatekeeper checks), and executing it with elevated permissions.
Command and control communications use multiple domains, including heathlypet[.]com and isnimitz[.]com, and several IP addresses, among them 45.94.47[.]136 and 85.192.49[.]118.
This distributed infrastructure approach ensures operational continuity even when individual nodes are compromised or taken offline.
The post AMOS macOS Stealer Hides in GitHub With Advanced Sophistication Methods appeared first on Cyber Security News.