To completely understand what’s going on in a market that has been growing in the last years I found mandatory to know which players are dominating it. Always remember that behind every user of the Internet there is another human like you, so if you can be kind enough to reach them and they agree, you can have a little talk. Asking things is not a crime.
Please note everything that stated on this blog has only an informational purpose. I will never promote the usage of these products.
Let’s see, Atomic Mac Os Stealer aka AMOS, a brief talk with Ping3r:
The interview was made in English. Original text is provided below.
You can find more information about Atomic Stealer on forum announcements, also
https://telegra.ph/Atomic-Stealer---Obzor-loga-06-27 or in Telegram https://t.me/amos_macos , for example.
A(tomic) M(ac) O(S) S(tealer) = AMOS, that should be clear.
Ping3r talks about the Atomic crypto wallet (atomicwallet.io) that has no relation with AMOS. Fun fact, Atomic stealer steals Atomic wallet.
Later, we both will discuss about the origin of AMOS and Mac OS infostealers.
The first announcements seen on forums go around March 2023, of course, these announcements were modified in the next few months when the malware project was fully functional.
AMOS is a very comfy tool for traffers teams in order to bring Mac OS logs to the team, especially focusing on cryptocurrency heists on infected machines. This is, of course, based on my long time observation:
What I have never seen (or at least I don’t remember it ) AMOS being used in “logs clouds”. Another common usage of infostealers is to bring as much logs (information stolen from victims machines) as they can to a common source, to be sold in bulk. Lots of “log clouds” are filled every day with thousands of Windows logs, but I have no information of available Mac OS logs in these “clouds”, although AMOS builds can be found in the wild the same way as Windows stealers builds are spread over the internet.
The major objective of these traffer team guys using AMOS is to steal cryptocurrencies from infected machines.
The second project that Ping3r refers to is the coockie.pro forum that I will discuss later.
I personally asked Lumma about Ping3r, and indeed they know each other and have a good relationship. Lumma is often advertised on coockie.pro forum and channels.
Is ChatGPT the real threat actor behind the first ever MacOS stealer?
Whatever malware code that guy wrote at first using AI or not, was the core of one (and unique) new family of infostealers that works on Mac OS environments, and thanks to the help of a team of 4 coders under the guidance of Ping3r, AMOS was born.
Ping3r also refers to Rodrigo, the owner of Poseidon Stealer (who was interviewed before — https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-poseidon-a0e8880af071) and who now put on sale the project:
If the information is accurate, Rodrigo is one of the four coders who made AMOS possible to exist, and Poseidon Stealer is just a copy of that first Mac OS infostealer poor code who someone wrote down. That would explain a lot of things… In fact, both malwares are very similar!
Lumma 🤝 AMOS , big boys on each field with similar projects.
If there is no other products, the price is up to you and how much are you willing to pay. At the time of writing this article, AMOS is set to a price of $3000/month, a high price compared, as an example, to Lumma, with a price of $250/month in the lowest subscription tier available.
Some infamous forums (XSS, Exploit, RAMP) doesn’t allow the promotion of products that can infect CIS-countries victims. Some infostealers like Rhadamanthys or Meduza have already been banned from these forums for the reasons stated before, and AMOS also was one of these infostealers that were *almost* banned from forums.
It is important to say that the first accusation of AMOS working in the CIS was made by Rodrigo, owner of Poseidon Stealer, saying this:
Ping3r accused Rodrigo to blackmail him in order to get rid of AMOS on the market, stating that Rodrigo was doing a defamation.
Seems like after some arbitration on the forums, everything was cleared by Ping3r asap and now Atomic Stealer is another CIS-free infostealer.
Remember that at the time of writing this article, AMOS is still operating and Poseidon (from Rodrigo) is on sale willing to disappear.
AMOS has already had its first birthday, silly me. But I’m sure it will be at least a second birthday with AMOS still operating, but like Vidar, it seems that Ping3r doesn’t matter special dates, just providing what clients need.
As said, some of the new features are / will be “extraction of mnemonic seeds” from Trezor and Ledger. No idea how this work.
The AMOS knock registers that can be found on Telegram have the coockie.pro signature. A real example:
As Ping3r says, coockie.pro is a closed and private forum focused on stealers, that is operational since 2018 and run by Ping3r.
If you are involved in the infostealers research, I’m sure you have heard about Coockie!
The forum community is quite big, it has around ~2600 users registered:
In this russian-based forum, almost all notorious malware project are advertised, also with other products and services that involves infostealers, from spreading builds over the Internet to log info processments.
Atomic Stealer (and the actual Mac OS infostealers family) was born in the Coockie Forum, by the hands of Ping3r.
AMOS is actively tracked and lots of reports and analysis were made, in fact, it has become a persistent threat for Mac OS users. Infostealers are really a trend in the last years and I believe there will be no short-time ceasing, so we need to keep tracking and learning, with the same amount of respect each one has to each other. Let’s make the Internet a safer place :) Thank you Ping3r ❤
Extra
Remember to check the other interviews at: g0njxa — Medium
Expect more content, if possible
Best regards. :p