This dangerous Mac malware just got a major upgrade which makes it even harder to delete — how to stay safe
The Atomic Stealer malware now comes with a backdoor

Just when you thought your Mac was safe, an updated version of a popular Mac malware strain is making the rounds online which can leave a backdoor on your computer that hackers can use as they please.
As reported by BleepingComputer, the Atomic Stealer malware was first discovered back in 2023. Since then though, it’s been constantly upgraded with new capabilities that allow it to target the best MacBooks and other Apple computers in an effort to steal keychain passwords, local files, passwords, browser cookies, stored credit card data and of course, cryptocurrency.
Now though, the Moonlock cybersecurity division of the software provider MacPaw has observed a new Atomic Stealer version that can create a backdoor on infected Macs, leaving them vulnerable to additional and more devastating attacks.
Here’s everything you need to know about this upgraded Mac malware along with some tips and tricks on how you can keep your Mac safe from hackers and virus-free.
From hidden file to backdoor
Atomic Stealer is actually a malware-as-a-service offering which means that other cybercriminals pay its creator a monthly subscription fee of $1,000 to $3,000 in order to use the malware in their own attacks.
Thanks to a tip from the independent security researcher g0njxa on X, MacPaw’s cybersecurity division was able to get their hands on a new Atomic Stealer sample that includes this updated backdoor functionality. After analyzing the sample, Moonlock found that it contains an embedded backdoor that’s able to remain on an infected Mac even after the device has been rebooted.
The executable that makes this backdoor possible is a binary file named ‘.helper’ which is downloaded and saved in a victim’s home directory after their Mac is infected with the Atomic Stealer malware. In a blog post discussing their findings, Moonlock’s security researchers explain that this binary file is hidden after an infection to make it harder to detect.
The malware’s creators are using a persistent wrapper script named ‘.agent’ which is also hidden to run ‘.helper’ in a loop as the logged-in user. Meanwhile, a LaunchDaemon (com.finder.helper) installed via AppleScript is used to ensure that this ‘.agent’ wrapper script runs every time an infected Mac is powered on.
Because the victim’s stolen password is used, this installation is carried out with elevated privileges, which allows hackers to use the new backdoor to execute commands remotely, log keystrokes, introduce additional payloads or even move laterally across a network to target other devices connected to it.
A malware infection is bad enough as it is but one that creates a backdoor into your computer is the last thing you want to deal with. This is because persistent malware is much harder to remove.
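A read-only check for the three persistence artifacts named above, added here as an example (it is not code from Moonlock or from the original article). It assumes the LaunchDaemon sits in the standard /Library/LaunchDaemons directory; the function name and the optional root-prefix argument are illustrative.

```sh
#!/bin/sh
# Added example: look for the Atomic Stealer backdoor artifacts the article
# describes. Read-only; nothing is modified or deleted.
#
# check_amos_artifacts HOME_DIR [ROOT]
#   HOME_DIR  home directory to inspect
#   ROOT      optional filesystem prefix (e.g. a mounted disk image); default ""
# Prints one "FOUND" line per artifact; returns 0 if clean, 1 otherwise.
check_amos_artifacts() {
    home_dir=$1
    root=${2:-}
    findings=0

    # Hidden binary and hidden wrapper script dropped in the home directory.
    for name in .helper .agent; do
        if [ -e "$home_dir/$name" ]; then
            echo "FOUND hidden file: $home_dir/$name"
            findings=$((findings + 1))
        fi
    done

    # LaunchDaemon that relaunches the wrapper at boot. Match on the label
    # inside each plist as well as the filename, since the file could be
    # named differently (assumption: the label string is stored as plain
    # ASCII, which holds for both XML and binary plists).
    daemon_dir="$root/Library/LaunchDaemons"
    if [ -d "$daemon_dir" ]; then
        for plist in "$daemon_dir"/*.plist; do
            [ -f "$plist" ] || continue
            if [ "$(basename "$plist")" = "com.finder.helper.plist" ] ||
               grep -q 'com\.finder\.helper' "$plist" 2>/dev/null; then
                echo "FOUND LaunchDaemon: $plist"
                findings=$((findings + 1))
            fi
        done
    fi

    [ "$findings" -eq 0 ]
}

# On a Mac, inspect the live system for the current user.
if [ "$(uname -s)" = "Darwin" ]; then
    check_amos_artifacts "$HOME" || echo "Review the findings above."
fi
```

A clean result only means these specific names are absent; a future variant could use different filenames or labels.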
How to stay safe from Mac malware
In their blog post, Moonlock’s security researchers also explain that this new version of the Atomic Stealer malware is currently being distributed through two main avenues: cracked or pirated software and spear phishing campaigns targeting high-value users.
As such, to avoid being infected with the Atomic Stealer malware, you shouldn’t download any cracked or pirated software. Besides being illegal, downloading pirated software puts you at risk from malware since there’s no telling whether or not there may be malicious code inside. This is why you want to stick to official app stores like the Mac App Store or download software (you’ve paid for) directly from a reputable company.
When it comes to spear phishing, the less information that’s available about you online, the better. Let’s say you have a lot of cryptocurrency stored in your crypto wallet. Well, just like with money in the bank, you want to keep that info to yourself instead of advertising it online via social media.
Once the hackers using Atomic Stealer have a high-profile individual in their sights, they often use fake job interviews as a means to get close to potential victims. From there, they coerce them into handing over their system password by having them enter it to enable screen sharing. This is a huge red flag since screen sharing is built into most video conferencing software and even then, you’d never have to type in your password to get it to work, especially if you aren’t the one hosting the video call.
As for staying safe from malware and other viruses, your Mac does come with built-in security software in the form of XProtect. However, given the sheer number of threats and online scams these days, it’s worth investing in one of the best Mac antivirus software solutions to run alongside it for even stronger protection.
Given how successful the Atomic Stealer malware has proven to be for hackers over the past few years, I don’t see this threat going away anytime soon. This is why you need to improve your own cyber hygiene and stay up to date on the latest threats. That way, you’ll be far less likely to fall for the tricks hackers use to gain initial access to you and your devices.

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.