<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Amos-Stealer - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/amos-stealer/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 16:25:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/amos-stealer/feed.xml" rel="self" type="application/rss+xml"/><item><title>AMOS Stealer macOS VM Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-amos-stealer-vm-check/</link><pubDate>Tue, 09 Jan 2024 16:25:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-amos-stealer-vm-check/</guid><description>This brief describes detection of AMOS Stealer checking for virtual machine environments on macOS via osascript and system_profiler, potentially leading to information theft and further malicious activity.</description><content:encoded><![CDATA[<p>AMOS Stealer is a malware strain targeting macOS systems with the goal of stealing sensitive information. This malware employs various techniques to evade detection, including checking if the infected system is running within a virtual machine. This is likely done to hinder analysis and prevent execution in sandboxed environments. The observed behavior leverages <code>osascript</code> to execute AppleScript commands that utilize <code>system_profiler</code> to identify virtualized environments like VMware or QEMU. The activity is typically seen after initial infection, when the stealer probes the environment. Successful execution suggests the system is not a VM and is a viable target for data exfiltration and further malicious actions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: User unknowingly downloads and executes a malicious application or script containing the AMOS Stealer payload.</li>
<li>Persistence: AMOS Stealer establishes persistence on the macOS system, ensuring it runs automatically on startup (details of how this is achieved are not in the provided document).</li>
<li>VM Check: The malware executes <code>osascript</code> with a crafted AppleScript command to run <code>system_profiler</code>.</li>
<li>Environment Enumeration: <code>system_profiler</code> gathers system information, specifically looking for virtualization platforms (VMware, QEMU).</li>
<li>Result Analysis: The output of <code>system_profiler</code> is analyzed to determine if the system is running in a VM.</li>
<li>Data Theft: If the system is not a VM, AMOS Stealer proceeds to collect sensitive data such as browser credentials, crypto wallets, and other user data (specific paths and files are not in the source).</li>
<li>C2 Communication: The stolen data is exfiltrated to a command-and-control server controlled by the attacker (specific details are not in the provided document).</li>
<li>Potential Ransomware Deployment: In some cases, AMOS Stealer infections can lead to the deployment of ransomware such as Hellcat.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful AMOS Stealer infection can lead to significant data loss, including sensitive credentials and financial information. If Hellcat ransomware is deployed, it can encrypt critical files, disrupting business operations and potentially resulting in financial losses. While specific victim counts and sectors are unavailable from the given source, macOS users are at risk, specifically those handling cryptocurrency or sensitive data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Osquery and monitor process execution for <code>osascript</code> with command-line arguments containing <code>system_profiler</code>, <code>VMware</code>, and <code>QEMU</code> as covered in the overview, and described in the references.</li>
<li>Deploy the Sigma rule &quot;Detect AMOS Stealer VM Check Activity&quot; to your SIEM and tune for your environment to detect the specific <code>osascript</code> activity.</li>
<li>Investigate any endpoint triggering the &quot;Detect AMOS Stealer VM Check Activity&quot; rule, looking for associated persistence mechanisms or data exfiltration attempts.</li>
<li>Consider implementing application control to restrict the execution of unauthorized applications, reducing the risk of initial infection.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>amos-stealer</category><category>hellcat-ransomware</category><category>macos</category><category>vm-detection</category></item></channel></rss>