A SOC Team’s Guide to Detecting macOS Atomic Stealers

Sept. 13, 2024, 9:26 a.m.

Description

This article provides an analysis of the Atomic Infostealer malware family, which has been targeting macOS users throughout 2024. It discusses the various evolving variants, such as Amos, Banshee, Cthulu, Poseidon, and RodrigoStealer, developed and distributed by competing threat actor groups. The malware's distribution methods have expanded to spoof enterprise applications, making it more concerning. The article examines the characteristics, obfuscation techniques, and behaviors of different variants to aid in detection and triage.

External References

https://www.sentinelone.com/blog/from-amos-to-poseidon-a-soc-teams-guide-to-detecting-macos-atomic-stealers-2024/
https://otx.alienvault.com/pulse/66e3feec5ce36f7f2deae9c4
Tags
malware
obfuscation
infostealer
macos
crimeware
poseidon
2024-09-13
rodrigostealer
cthulu
amos atomic
banshee

Date

  • Created: Sept. 13, 2024, 8:59 a.m.
  • Published: Sept. 13, 2024, 8:59 a.m.
  • Modified: Sept. 13, 2024, 9:26 a.m.

Indicators

  • 41.216.183.214
  • 89.208.103.185
  • 45.142.122.92
Download all indicators here!

Attack Patterns

  • RodrigoStealer
  • Cthulu
  • Amos Atomic
  • Banshee
  • Poseidon
  • Ping3r and Rodrigo
  • T1215
  • T1600
  • T1076
  • T1548
  • T1114
  • T1555
  • T1564
  • T1547
  • T1518
  • T1105
  • T1496
  • T1083
  • T1055
  • T1036
  • T1592
  • T1204
  • T1027
  • T1553
  • T1195
  • T1059