{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/vm-detection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["AMOS Stealer"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["high"],"_cs_tags":["amos-stealer","hellcat-ransomware","macos","vm-detection"],"_cs_type":"threat","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eAMOS Stealer is a malware strain targeting macOS systems with the goal of stealing sensitive information. This malware employs various techniques to evade detection, including checking if the infected system is running within a virtual machine. This is likely done to hinder analysis and prevent execution in sandboxed environments. The observed behavior leverages \u003ccode\u003eosascript\u003c/code\u003e to execute AppleScript commands that utilize \u003ccode\u003esystem_profiler\u003c/code\u003e to identify virtualized environments like VMware or QEMU. The activity is typically seen after initial infection, when the stealer probes the environment. Successful execution suggests the system is not a VM and is a viable target for data exfiltration and further malicious actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: User unknowingly downloads and executes a malicious application or script containing the AMOS Stealer payload.\u003c/li\u003e\n\u003cli\u003ePersistence: AMOS Stealer establishes persistence on the macOS system, ensuring it runs automatically on startup (details of how this is achieved are not in the provided document).\u003c/li\u003e\n\u003cli\u003eVM Check: The malware executes \u003ccode\u003eosascript\u003c/code\u003e with a crafted AppleScript command to run \u003ccode\u003esystem_profiler\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnvironment Enumeration: \u003ccode\u003esystem_profiler\u003c/code\u003e gathers system information, specifically looking for virtualization platforms (VMware, QEMU).\u003c/li\u003e\n\u003cli\u003eResult Analysis: The output of \u003ccode\u003esystem_profiler\u003c/code\u003e is analyzed to determine if the system is running in a VM.\u003c/li\u003e\n\u003cli\u003eData Theft: If the system is not a VM, AMOS Stealer proceeds to collect sensitive data such as browser credentials, crypto wallets, and other user data (specific paths and files are not in the source).\u003c/li\u003e\n\u003cli\u003eC2 Communication: The stolen data is exfiltrated to a command-and-control server controlled by the attacker (specific details are not in the provided document).\u003c/li\u003e\n\u003cli\u003ePotential Ransomware Deployment: In some cases, AMOS Stealer infections can lead to the deployment of ransomware such as Hellcat.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful AMOS Stealer infection can lead to significant data loss, including sensitive credentials and financial information. If Hellcat ransomware is deployed, it can encrypt critical files, disrupting business operations and potentially resulting in financial losses. While specific victim counts and sectors are unavailable from the given source, macOS users are at risk, specifically those handling cryptocurrency or sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Osquery and monitor process execution for \u003ccode\u003eosascript\u003c/code\u003e with command-line arguments containing \u003ccode\u003esystem_profiler\u003c/code\u003e, \u003ccode\u003eVMware\u003c/code\u003e, and \u003ccode\u003eQEMU\u003c/code\u003e as covered in the overview, and described in the references.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect AMOS Stealer VM Check Activity\u0026quot; to your SIEM and tune for your environment to detect the specific \u003ccode\u003eosascript\u003c/code\u003e activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any endpoint triggering the \u0026quot;Detect AMOS Stealer VM Check Activity\u0026quot; rule, looking for associated persistence mechanisms or data exfiltration attempts.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control to restrict the execution of unauthorized applications, reducing the risk of initial infection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T16:25:00Z","date_published":"2024-01-09T16:25:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-amos-stealer-vm-check/","summary":"This brief describes detection of AMOS Stealer checking for virtual machine environments on macOS via osascript and system_profiler, potentially leading to information theft and further malicious activity.","title":"AMOS Stealer macOS VM Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-09-amos-stealer-vm-check/"}],"language":"en","title":"CraftedSignal Threat Feed - Vm-Detection","version":"https://jsonfeed.org/version/1.1"}