A new variant of the AMOS macOS stealer has emerged with a markedly more sophisticated approach to distribution and obfuscation. The malware uses GitHub repositories as its distribution platform, exploiting the site's legitimacy to slip past security controls and target unsuspecting macOS users with cryptocurrency theft capabilities.

The latest campaign uses a multi-layered attack chain that begins with malicious DMG files hosted on GitHub repositories and aimed at users looking for legitimate applications. The [malware](https://cybersecuritynews.com/chatgpt-powered-malware-analysis/) employs several layers of obfuscation, including multiple rounds of base64 encoding, XOR encryption, and custom alphabets, to evade detection by traditional security solutions. Once executed, the stealer deploys both x64 and ARM64 builds so that it runs on either Mac architecture.

Jason Reaves, a crimeware threat intelligence researcher and reverse engineer at Walmart, [identified](https://medium.com/walmartglobaltech/amos-hiding-in-github-199eabea6605) this campaign while tracking recent AMOS activity. His analysis found that the sample `9f8c5612c6bfe7ab528190294a9d5eca9e7dec3a7131463477ae103aeec5703b` represents a significant evolution of the threat, incorporating evasion techniques not previously seen in macOS malware campaigns.

The attack primarily targets cryptocurrency wallet users, with the malware masquerading as legitimate applications such as Ledger Live to steal seed phrases and private keys. The campaign has shown remarkable persistence: the threat actors quickly stand up new repositories when previous ones are taken down by GitHub's security teams.
[Figure: Instructions for installation (Source: Medium)]

This cat-and-mouse dynamic highlights the challenge platform providers face in combating threat actors who abuse legitimate services for malicious purposes.

## Advanced Obfuscation and Decoding Mechanisms

The technical sophistication of this AMOS variant lies in its multi-stage [obfuscation](https://cybersecuritynews.com/malware-obfuscation/) process, which involves three distinct decoding layers. The initial payload contains an obfuscated shell script that is base64-decoded and then XORed with hardcoded keys. Deobfuscating it reveals an AppleScript component that searches for mounted volumes containing 'touchlock' before executing the primary payload.

[Figure: Touchlock repo (Source: Medium)]

The core decoding [algorithm](https://cybersecuritynews.com/windows-xp-activation-algorithm/) implements a three-block scheme in which equal-sized data blocks undergo arithmetic operations. The algorithm processes every double word (dword) with a subtraction followed by an XOR, as the extraction code shows: `a = (a - d) & 0xffffffff; a ^= c`. This produces a custom base64 alphabet: `xtk1IbLCo9pQgDwBKNl_Pa*Z-J40zOiEr&5n8s=R!dAG%$`

The post [AMOS macOS Stealer Hides in GitHub With Advanced Sophistication Methods](https://cybersecuritynews.com/amos-macos-stealer-hides-in-github/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
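As an added illustration (not code from the article or from the Walmart write-up), the two decoding layers described above in Python: a custom-alphabet base64 layer mapped back onto the standard alphabet, and the three-block per-dword `a = (a - d) & 0xffffffff; a ^= c` step. The block order (a, c, d), the little-endian dword layout and the stand-in alphabet are assumptions; the sample's real alphabet is only partly quoted in the article, so a constructed one is used.

```python
import base64
import struct

STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed stand-in for the stealer's alphabet (only partly quoted in the article).
CUSTOM_ALPHABET = STD_B64[::-1]

def decode_custom_b64(text: str, alphabet: str) -> bytes:
    """Map a 64-symbol custom alphabet back onto the standard one, restore
    any stripped '=' padding, then decode with the stock base64 routine."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct symbols")
    std = text.translate(str.maketrans(alphabet, STD_B64))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std)

def _dwords(blk: bytes):
    """Yield little-endian dwords from a 4-byte-aligned block (assumed layout)."""
    return (v for (v,) in struct.iter_unpack("<I", blk))

def three_block_decode(blob: bytes) -> bytes:
    """Split blob into three equal blocks (a, c, d) and apply the per-dword
    step quoted in the article: a = (a - d) & 0xffffffff; a ^= c.
    The a|c|d block order is an assumption, not taken from the sample."""
    if len(blob) == 0 or len(blob) % 12:
        raise ValueError("payload must be three equal dword-aligned blocks")
    n = len(blob) // 3
    a_blk, c_blk, d_blk = blob[:n], blob[n:2 * n], blob[2 * n:]
    out = bytearray()
    for a, c, d in zip(_dwords(a_blk), _dwords(c_blk), _dwords(d_blk)):
        a = (a - d) & 0xFFFFFFFF
        a ^= c
        out += struct.pack("<I", a)
    return bytes(out)

def three_block_encode(plain: bytes, c_blk: bytes, d_blk: bytes) -> bytes:
    """Inverse of three_block_decode; used only to build constructed input."""
    enc = b"".join(struct.pack("<I", ((a ^ c) + d) & 0xFFFFFFFF)
                   for a, c, d in zip(_dwords(plain), _dwords(c_blk), _dwords(d_blk)))
    return enc + c_blk + d_blk

def demo() -> bytes:
    """Round-trip a constructed 20-byte script through both layers."""
    plain = b"echo hello, world!!!"                             # constructed payload
    c_blk, d_blk = bytes(range(20)), bytes(range(100, 120))    # constructed key blocks
    blob = three_block_encode(plain, c_blk, d_blk)
    text = base64.b64encode(blob).decode().rstrip("=")
    text = text.translate(str.maketrans(STD_B64, CUSTOM_ALPHABET))
    return three_block_decode(decode_custom_b64(text, CUSTOM_ALPHABET))
```

On a real sample the analyst would substitute the recovered 64-character alphabet and confirm the block order against the disassembly before trusting the output.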
Associated Indicators: