The Atomic Stealer malware still relies on users installing fake software with a payload hidden in the .dmg file, but it is evolving to get harder to detect.
Atomic Stealer infects macOS via illegitimate software
Atomic Stealer hides in illegitimate software downloads, gets into macOS through user error, and stays hidden using scripts while it steals sensitive data. It's a relatively new malware identified in 2023, but now it is evolving to be harder to detect.
According to Bitdefender, a new variant of Atomic Stealer is showing up in its routine verifications for discovering malware in the wild. It seems this version hasn't been widely reported since it is found in surprisingly small files of about 1.3 MB.
The new variant uses a Python script and Apple Script to carry out its actions for collecting user data while staying hidden. It is installed when a user downloads illegitimate software and installs it while bypassing the built-in digital signature check.
The Apple Script function looks similar to a previously documented malware called RustDoor. Both versions of Apple Script focus on collecting sensitive files.
Atomic Stealer targets files associated with installed crypto-wallet extensions and applications, browser data, system info, and passwords. The first prompt the malware presents to the user is a fake dialog box asking for the macOS system password.
How to avoid Atomic Stealer
The new variant of Atomic Stealer is still installed on macOS the same way as the previous ones. Either the user is deliberately seeking free versions of paid applications or was inadvertently directed to a fake app website -- the result is the same.
The user downloads the illegitimate application, attempts to install it, is presented with instructions on bypassing macOS Gatekeeper and signature checks, and then installs. The fix is simple -- only install apps from the App Store or trusted sources, and don't listen to an app installer that asks you to bypass protections.