A Peek Under the Hood of the Atomic Stealer Infrastructure
Atomic Stealer, also known as “AMOS,” has been wreaking havoc among Mac users yet again. This time, however, instead of taking the guise of fake applications, it comes disguised as rogue browser updates. Worse? Its operators have compromised several websites to widen their distribution base.[1]
Security researchers published seven Atomic Stealer indicators of compromise (IoCs) comprising six domains and one IP address. The WhoisXML API research team expanded this list using comprehensive DNS intelligence to uncover potentially connected artifacts that had not yet been reported.
Our DNS deep dive into Atomic Stealer led to the discovery of:
- 31 domains that shared email addresses found in the historical WHOIS records of the domains identified as IoCs
- Seven IP addresses to which the domains identified as IoCs resolved
- 12 domains and 14 subdomains that contained text strings appearing in the domains identified as IoCs
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
[1] https://www.malwarebytes.com/blog/threat-intelligence/2023/11/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates