Fully undetected Shell Script dropping macOS Atomic Stealer
04 February 2025
VMRay Labs found that a DMG file containing a malicious Shell Script, used to download and execute Atomic Stealer, remained fully undetected on VirusTotal for two days.
The Shell Script applies basic obfuscation via encoding, and its comments, proper error handling, and logging are strong indicators that it was AI generated.
While the stealer capability is mainly written in AppleScript, the loader component is shipped as a universal Mach-O binary targeting both x86- and ARM-based systems.
0 / 60 detections on VirusTotal on February 3rd 2025
In a nutshell:
- No detections on VT for two days (6/60 detections as of today)
- DMG file that uses a likely AI generated Shell Script as entry point
- Shell Script drops a Mach-O universal binary for x86 and ARM architecture
- Executable decodes Atomic Stealer’s AppleScript (osascript) with a custom base64 alphabet
- Sandbox evasion via checking known usernames: maria, run, jackiemac, bruno
- User’s password is collected via AppleScript by simply asking the user for it
- DMG → Shell Script → Mach-O Binary → AppleScript → Atomic Stealer
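Two of the points above, the custom-alphabet base64 layer in front of the AppleScript and the username-based sandbox check, are the parts an analyst has to deal with first when triaging such a sample. The following Python is an added example, not code from VMRay or from the sample: it maps a custom base64 alphabet back onto the standard one so the stock decoder can be reused, then flags the behaviours the report lists (known sandbox usernames, a hidden-answer password prompt, shell execution) in the decoded script. The alphabet, the sample AppleScript and the indicator list are constructed for this example; the real sample's alphabet and script are not given on this page.

```python
import base64
import re

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed custom alphabet for this example (a reversed standard alphabet);
# the real sample's alphabet is not given on the page.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]

# Usernames the report says the sample checks to detect a sandbox.
SANDBOX_USERNAMES = ("maria", "run", "jackiemac", "bruno")


def decode_custom_b64(blob: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Translate a custom-alphabet base64 string to the standard alphabet and decode it.

    Padding ('=') is not part of the alphabet and passes through untouched; missing
    padding is tolerated because droppers often strip it.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    std = blob.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std)


def encode_custom_b64(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Inverse of decode_custom_b64; used here only to build the constructed sample."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans(STD_ALPHABET, alphabet))


def triage_applescript(script: str) -> dict:
    """Flag the behaviours listed in the report inside a decoded AppleScript."""
    findings = {
        # quoted username literals compared against the current user
        "sandbox_usernames": sorted(
            u for u in SANDBOX_USERNAMES if re.search(rf'"{re.escape(u)}"', script)
        ),
        # a dialog with a hidden answer field is how the script asks for the password
        "password_prompt": bool(
            re.search(r"display dialog.*?with hidden answer", script, re.I | re.S)
        ),
        "shell_exec": "do shell script" in script,
    }
    findings["suspicious"] = bool(findings["sandbox_usernames"]) or findings["password_prompt"]
    return findings


# Constructed AppleScript standing in for the decoded payload; it is not the real
# Atomic Stealer script, only a stand-in showing the behaviours the report names.
SAMPLE_SCRIPT = '''-- constructed sample, not the real Atomic Stealer script
set u to do shell script "whoami"
if u is in {"maria", "run", "jackiemac", "bruno"} then
    error "sandbox"
end if
display dialog "macOS needs your password to continue" default answer "" with hidden answer
'''
SAMPLE_BLOB = encode_custom_b64(SAMPLE_SCRIPT.encode())


if __name__ == "__main__":
    decoded = decode_custom_b64(SAMPLE_BLOB).decode()
    print(decoded)
    print(triage_applescript(decoded))
```

When the alphabet is not known up front, it is usually visible in the dropper as a 64-character string literal next to the lookup loop; once recovered, the same translation trick works for any permuted alphabet, so there is no need to reimplement the decoder.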
Sample SHA256:
8f850c8a9e1c24f6bf1fead7f19fe472d8f57871e02aef9da94366474b9f47ef