Analytics Story: AMOS Stealer
Description
The AMOS Stealer analytic story provides detection and investigation content for identifying and responding to threats associated with the AMOS information stealer on Mac systems. AMOS (Atomic macOS Stealer) is a known malware family designed specifically for MacOS, capable of stealing credentials, system information, and browser data. This story leverages analytics using osquery data to detect suspicious behavior consistent with AMOS, including VM detection commands used to evade analysis environments. Security teams can use the searches in this story to identify and respond to signs of AMOS compromise in their MacOS fleet.
Why it matters
AMOS Stealer (Atomic macOS Stealer) is an active threat targeting macOS users, capable of harvesting sensitive data, executing scripts, and conducting system reconnaissance to evade detection. It is typically distributed through malicious downloads or phishing campaigns. Once executed, AMOS performs a variety of checks to determine whether it is running in a virtualized environment before proceeding with its payload. One notable technique involves using osascript with AppleScript commands to enumerate virtualization indicators like VMware and QEMU. This analytic story focuses on detecting these early-stage behaviors using osquery data. Detecting AMOS behavior early in its execution phase gives defenders the opportunity to isolate affected hosts, investigate lateral movement or privilege escalation attempts, and mitigate data exfiltration risk.
Detections
| Name | Technique | Type |
|---|---|---|
| MacOS AMOS Stealer - Virtual Machine Check Activity | AppleScript | Anomaly |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| osquery | N/A | osquery:results |
osquery |
References
Source: GitHub | Version: 1