Atomic macOS Stealer Malware Can Steal Keychain Info, Files, Browser Wallets and More

[Razorpit]

Is now a good time to talk about that hilarious thing that Apple calls macOS firewall?

If you are running macOS you should really be running Lulu or something similar.

(this matters because you will be prompted about outgoing connection attempt)

I played around with Little Snitch years ago. The problem I have with these apps is that how do you know what a “good connection“ is from a “bad connection“ anymore? Now a days the simplest of applications reaches out and talks to a multitude of things. How would someone like “our older family members” be able to use something like either Little Snitch or Lulu? I can just image getting a phone call every 15 minutes from my dad.

Most apps I want to side load are open source emulators and I can compile them myself

How does that help? Do you go through each and every line of code? If someone were to inject malware in to the uncompiled code, wouldn’t that compromise get rolled in to the compiler? Or does it fail because those needed dependencies(?) aren’t there?

Well written apps don’t require one to enter their passwords. These days, I’d say anyone entering a password (for an app that’s not malware) is doing so because the app does a thing not supported by Apple’s API’s (which, while it’s a shrinking list, will never be zero). A person that’s never used a Mac before (don’t have legacy apps doing legacy things) that buys a Mac today won’t see a password entry screen very often.

You sure that list is shrinking? Seems like Apple is consistently tightening things down. I use Parallels, JumpDesktop, and Logitech Options quite regularly and forced to type in my password during updates.

Sounds more like you should have a "user" account and an admin account for installation of apps. There is a LOT of people that don't do this - especially on Windows.

How does that help? Sure, it makes it slightly more inconvenient to install, but even with the admin account once you install malware with your admin account it’s there for good. Doesn’t matter if you switch over to your user account.

 

[Choco Taco]

Sounds more like you should have a "user" account and an admin account for installation of apps. There is a LOT of people that don't do this - especially on Windows.

This accomplishes absolutely nothing if you still have to put in the admin username and password to install it. That advice is more geared toward Windows, not macOS. macOS is already designed to prevent most dumb things from happening, but nothing is going to prevent someone from manually doing things they shouldn’t.

 

[burgman]

OK, again, some GOVs are forcing the issue just like USB-C. So before the world is destroyed by adopting this terrible change dooming us all, slower moving countries will get the great benefit of observing the devastation of select countries who go there first.

After witnessing their utter demise as nations, smarter countries may opt to not destroy themselves too by leaving things as is.

Bottom line: no worries except for those poor innocents with iDevices in those countries with leaders who are forcing this first. We can all cry and pray for those doomed souls that even mighty Apple could not save due to foolish elected officials trying to force a basic concept of Capitalism that generally is crucial to most favorably managing the consumer end of all transactions.

I already weep for those poor millions myself.

The horror, millions of lives destroyed because of USB-C, Tucker is that you?

 

[HobeSoundDarryl]

Only Millions? Clearly it will be BILLIONS if Apple loses hold of exclusive seller, taking a cut of every app sold in the App Store. It's over folks. Armageddon is here.

Look at what happened when our Macs were free to install software from sources other than Apple. Did any of us Mac users survive that disaster? Does anyone know someone who dared to install an app from- say- the author of the app instead of getting it only from Apple (and cutting Apple in for their big slice)? I heard a few such people did do that and were able to re-assemble their life after much devastation & hardship. Hopefully it will be the same here.

I've heard it only takes as little as 80 viable mating pairs to rebuild a devastated humanity. Hopefully 160 or so humans can resist the temptation to get phone apps from anyone other than Apple.

 

[Unregistered 4U]

People say this until it is one of their own who becomes a victim of zero click attacks and malware.

Or themselves. No one has any idea what their neurological future holds.

 

[Unregistered 4U]

You sure that list is shrinking? Seems like Apple is consistently tightening things down. I use Parallels, JumpDesktop, and Logitech Options quite regularly and forced to type in my password during updates.

Yes, the list is shrinking. Certain apps that would have not been supported for App Store distribution a few years ago now are, because there are supported methods to perform those functions such that they don’t have to install their own libraries. Of course, some things will never be supported by Apple, so any app using those methods will continue to indefinitely. In addition, developers are still free to create their own libraries and methods in order to differentiate themselves from their competitors. A password shouldn’t be required for keyboards/mice, but if Logitech is able to get their users to use passwords, then good on them!

 

[skottichan]

I find it kind of amusing how I see the parroting of the “oh just be cautious of what you download, you don’t need to use the App Store”. Not all that long ago, I remember there was a fiasco where bad actors re-laced the legit .DMG for Transmission with a version that had malware baked into it. So even with the right amount of due dilligence, an average user a get nailed (of course the tech kings on this site are too smart to ever get played).

Transmission hijacked again to spread malware | Malwarebytes Labs

In this article, we take a look at a couple important takeaways from 2 recent hacks on Transmission.

www.malwarebytes.com

 

[Starscape]

I find it interesting that the malware seller‘s name/profile was blurred out so as to protect his/her identity, and yet the malware seller makes money by illegally harvesting information from unsuspecting computer users.

 

[Razorpit]

I find it kind of amusing how I see the parroting of the “oh just be cautious of what you download, you don’t need to use the App Store”. Not all that long ago, I remember there was a fiasco where bad actors re-laced the legit .DMG for Transmission with a version that had malware baked into it. So even with the right amount of due dilligence, an average user a get nailed (of course the tech kings on this site are too smart to ever get played).

Transmission hijacked again to spread malware | Malwarebytes Labs

In this article, we take a look at a couple important takeaways from 2 recent hacks on Transmission.

www.malwarebytes.com

Handbrake had a similar incident.

Popular video-encoding Mac app HandBrake compromised with malware

Here’s how to find and fix the Trojan

www.techradar.com

 

[DeepIn2U]

This accomplishes absolutely nothing if you still have to put in the admin username and password to install it. That advice is more geared toward Windows, not macOS. macOS is already designed to prevent most dumb things from happening, but nothing is going to prevent someone from manually doing things they shouldn’t.

No.

The dumb thing is to think like this for macOS. ANY user account used as a primary that is ALSO an admin account is not a smart move - not on ANY OS. Clickity-click installs doesn't prompt nor make you THINK twice about installations if your account being used IS the admin account and your primary and ONLY account on the OS.

Sure some applets don't require admin access ... but maybe that's something that SHOULD change, period.

 

[DeepIn2U]

How does that help? Sure, it makes it slightly more inconvenient to install, but even with the admin account once you install malware with your admin account it’s there for good. Doesn’t matter if you switch over to your user account.

For the simple thought of making the end user THINK twice of what they're doing!

Also most automated silent and background installations can happen, transparently. IF you see a pop-up for admin credentials and you haven't invoked them manually yourself - then you know something VERY wrong is happening.

Also some apps ask for FAR too much access with no defining reason other than 'it needs to' case in Point Logi Options+ Beta.

 

[unobtainium]

The app asks the user for permission in a sneaky way, calling itself "MacOS" (note the capital "M" instead of lowercase "m"). Once granted permission, yes, it can read anything — because the user gave it that access.

It’s a good thing scammers and hackers usually have terrible spelling and grammar. You can usually identify scam emails instantly by branding mistakes like this or other spelling errors.

 

[redheeler]

The fake password prompt is an old but still clever trick. Probably the easiest way to "hack" someone's computer. Though the one in the screenshot isn't super convincing.

 

[Choco Taco]

No.

The dumb thing is to think like this for macOS. ANY user account used as a primary that is ALSO an admin account is not a smart move - not on ANY OS. Clickity-click installs doesn't prompt nor make you THINK twice about installations if your account being used IS the admin account and your primary and ONLY account on the OS.

Sure some applets don't require admin access ... but maybe that's something that SHOULD change, period.

If you're uncomfortable using an admin account as a main account, then more power to you for going that way. But seeing as I haven't had an issue in 30 years on Mac or Windows, I think I'll be okay.

I find it kind of amusing how I see the parroting of the “oh just be cautious of what you download, you don’t need to use the App Store”. Not all that long ago, I remember there was a fiasco where bad actors re-laced the legit .DMG for Transmission with a version that had malware baked into it. So even with the right amount of due dilligence, an average user a get nailed (of course the tech kings on this site are too smart to ever get played).

Transmission hijacked again to spread malware | Malwarebytes Labs

In this article, we take a look at a couple important takeaways from 2 recent hacks on Transmission.

www.malwarebytes.com

Yes, some bad stuff was slipped into an app that is generally used to download things illegally from random locations. Kind of smart considering the people using that app aren't being particularly weary of what they're downloading. This happens very rarely. And like others have pointed out, there have been several instances of malicious software being available to download on the App Store. So it would seem, based on your logic, that we should probably just stop using the internet in general if we want to remain safe.

 

[twistedpixel8]

Next time macOS goes a bit loopy (literally) after an update and keeps asking you to re-enter your Apple ID password, you'd be justified in worrying that something like this is having a go at you.

Always enter your password wrong the first time. Then you will never get caught out.

 

[Unregistered 4U]

I find it interesting that the malware seller‘s name/profile was blurred out so as to protect his/her identity, and yet the malware seller makes money by illegally harvesting information from unsuspecting computer users.

So that the issue in the story can’t be “resolved” prior to the user getting their social media fame for the month. They’re not so much concerned about users being affected as they are being reposted all over the internet.

 

[justperry]

I am not falling into this

trap.
MacOs asking for System Preferences access...seriously....

And....

Setup/right click...you gotta be kidding...
Setup is never used in MacOs/OS X.

 

[marvin_h]

Would passkeys prevent this?

 

[TallManNY]

i got your point, and it's a fair one. malware apps always target people, who don't have a sound understanding of their computer. sadly, there are many out there, they're the majority.
there are two things that might help in such situations:
- actually reading what's written there and understanding (read: not blindly trusting) why it happens
- use touchID if you have access to it (or whatever biometric authentication will be available in the future with macOS)

Yep. Biometrics helps more on modern Macs than older ones. I recently upgraded from a 2018 mini to an M2 Pro mini. Did a clean install and obviously have had to install a lot of programs again. I've been pleasantly surprised how often I could give consent through double clicking my Apple Watch instead of putting in my password. But it didn't work like that on my 2018 mini.

But as for reading stuff, unless the attacker leaves some typos, reading fake stuff might not help you. On the other hand, since in most cases it seems English is not the attacker's first language, there are often typos and stuff that doesn't make sense.

 

[marvin_h]

I am not falling into this

View attachment 2197100

trap.
MacOs asking for System Preferences access...seriously....

And....

View attachment 2197103

Setup/right click...you gotta be kidding...
Setup is never used in MacOs/OS X.

Yeah except to the majority of people that don't understand how computers work, this might just one of the endless revisions to how their compute works, and not raise any red flags.

 

[felixuta]

Hi guys,
I think I just caught this bad boy on a Telegram group and entered my macOS password... A quick Virustotal check just confirmed it.

It just looked too authentic and I think I just felt too safe using a Mac. Having my whole iCloud Keychain being stolen creeps the **** out of me.

I'm running macOS Ventura 13.4.

What do you think, has it been patched?

If not, what do you recommend now? I don't even know whether the app is still running, I don't see anything suspicious in Activity Monitor.

Thankfully I don't have any crypto wallets stored on my device and all my bank accounts require two factor authentification, but it's creepy enough as it is.