New Malware Mac.c Challenges AMOS in macOS Infostealer Market

The cybersecurity landscape is witnessing the emergence of a new infostealer known as Mac.c, which is directly challenging the established leader, AMOS (Atomic macOS Stealer). According to a report by Moonlock, the cybersecurity division of MacPaw, Mac.c has gained traction in the underground malware ecosystem within just four months of its launch.

While AMOS has become notorious for targeting macOS systems, Mac.c’s rapid rise suggests a shift in the dynamics of the macOS infostealer market. The developer behind Mac.c, who operates under the alias mentalpositive, has adopted an unusually transparent approach, sharing updates and soliciting feedback from users, a rarity in the clandestine world of malware development.

Mac.c’s Technical Advancements

From a technical standpoint, Mac.c exhibits notable similarities to AMOS and another infostealer, Rodrigo4, but has been optimized for efficiency. By reducing the size of its binary, Mac.c downloads faster and leaves fewer traces, complicating detection efforts. The developer has also been actively expanding its command-and-control infrastructure, suggesting a broader operational strategy.

Moonlock’s analysis indicates that this level of visibility may be part of a strategy to establish a distinct market presence. The developer has introduced a web-based interface for clients, enabling them to generate customized builds, monitor infection statistics, and manage their campaigns. These features enhance the usability of the infostealer, making it an attractive option for potential buyers.

The most recent updates shared by mentalpositive include capabilities for bypassing XProtect, an expanded list of supported browsers, and a dedicated module for phishing Trezor seed phrases. Such advancements indicate a deliberate effort to enhance the malware’s functionality and effectiveness.

Growing Threat Landscape for macOS Users

The macOS malware market, while historically less active than its Windows counterpart, is evolving rapidly. Recent data from Canalys shows that Apple’s share of the overall computer market has reached approximately 17.1%, with Mac shipments growing 25.9% year-on-year during the final quarter of the previous year. This surge in popularity has made macOS systems more appealing targets for cybercriminals.

Infostealers, in particular, have seen a significant increase in prevalence, surpassing adware as the most common form of malware affecting macOS. According to Jamf, infostealers now account for 28.36% of all detected Mac malware. The accessibility of these tools and the low barrier to entry for cybercriminals are significant factors in their rise. Many developers, including mentalpositive, are leveraging a Malware-as-a-Service model, allowing less technically skilled affiliates to deploy complex attacks with ease.

The shift in the macOS malware landscape poses challenges for both personal and enterprise users, as malware developers continue to refine their techniques. Despite Apple’s efforts to strengthen security measures like Gatekeeper and XProtect, users still face risks from sophisticated infostealers.

Protecting macOS Devices

To mitigate the risks associated with infostealers, users should adhere to several best practices. These include being cautious when installing applications outside the official Mac App Store, verifying links before clicking, and utilizing strong passwords alongside two-factor authentication. Keeping devices and applications updated is also crucial for maintaining security.

As the macOS threat landscape continues to evolve, awareness and proactive measures are essential in safeguarding sensitive information from emerging threats like Mac.c. For more in-depth analysis, Moonlock’s complete breakdown of Mac.c is available on HackerNoon.