Malware

99 reasons you need Mac antivirus: a plethora of stealer malware

Posted on by

People often ask whether Macs really need antivirus software. If you browse Apple forums, you’ll inevitably find people who claim you don’t need malware protection. We’ve debunked Mac malware myths in the past, and we’ve written literally hundreds of articles about malware that infects Apple devices.

But if you needed any additional convincing, Intego’s team of malware analysts recently discovered more than 99 unique new samples of stealer malware. This suggests that Mac malware is not so rare; rather, threat actors are pumping out numerous samples, trying to evade detection in wide-reaching campaigns.

Here’s everything you need to know to stay safe from the latest Mac malware threats.

Base64-encoded shell scripts

Intego’s malware analysis team recently encountered 99 unique samples of Base64-encoded shell scripts. The contents of these files look similar to the following (shortened to fit better):

/bin/bash
bFJfVXss='IyEvYmluL2Jhc2gKb3Nhc2NyaXB0IC1lICdv[…]'
IKBIKmYz='dXBWb2x1bWUgaXMgIiIgdGhlbgogICAgICAg[…]'
dtIUkpzw='CAgIHNldCBleGVjdXRhYmxlTmFtZSB0byA[…]=='
encoded_script="${bFJfVXss}${IKBIKmYz}${dtIUkpzw}"
bash -c "$(echo "$encoded_script"
base64 -D)"

If that looks like incomprehensible gobbledygook, that’s exactly the point. This malware uses a common technique called obfuscation to obscure or hide what it really does. Specifically, the script incorporates three Base64-encoded strings, mashes them together, decodes them, and runs the decoded output as a command.

So what does the decoded output look like? It’s another bash script, containing AppleScript code with embedded shell scripts. This code repeatedly checks for the presence of a mounted volume named Installer. If it finds a volume with that name, it attempts to copy an executable file (app), also named Installer, to the hidden /tmp folder on your Mac.

Next, it tries to run these three commands:

do shell script "xattr -c " & quoted form of tmpExecutablePath
[…]
do shell script "chmod +x " & quoted form of tmpExecutablePath
[…]
do shell script quoted form of tmpExecutablePath

The command xattr -c removes all extended attributes from a file; in this case, the intent is to ensure the file doesn’t have the com.apple.quarantine attribute that could prevent it from running. Next, chmod +x makes the file executable, i.e. runnable as an application from the command line. Finally, the script runs the malicious /tmp/Installer application.

“Installer”? Nope; it’s stealer malware

And what about these fake “Installer” applications that the script looks for, copies, and runs?

They’re actually stealer malware, designed to gather and exfiltrate cryptocurrency wallets, browser cookies, Microsoft Word documents, and more.

As we’ve mentioned in previous articles, cookies can give attackers access to accounts your browsers are logged into—bypassing your password and any two-factor authentication methods.

Interestingly, these stealers even target relatively obscure browsers that we’ve mentioned before: Pale Moon and Waterfox, which are forks (derivatives) of Mozilla Firefox. Of course, they also target more common browsers, including Safari, Firefox, and Google Chrome. These stealers are also designed to extract data from several other Chromium-based browsers, such as Arc, Brave, Microsoft Edge, Opera, Opera GX, and Vivaldi.

How can I keep my Mac safe from stealer malware?

If you use Intego VirusBarrier, you’re already protected from this malware. Intego detects samples from this campaign as OSX/Amos.ext, OSX/Amos.gen, OSX/Amos.scptOSX/PSW.ext, Python/Stealer.gen, and virus/OSX/AVI.Agent.cpdf.

Intego X9 software boxesIntego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s latest Mac operating system, macOS Sequoia.

One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. Just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware, too.

Indicators of compromise (IOCs)

Following are SHA-256 hashes of malware samples from this campaign:

05d0191859cb1f8d1351b1ec557a7b9dc669d9143b93c50a69ddfdafc6abb030
07acd31fccd8ac0d305913f0c35b226700d5cc641f012aadde26a6ccb6358b33
0e04423fc0ad2de4ce31d454b4bd89d5744cf8fbb5e1546ba06b8ba387d6eb5f
0f7e3138899df8304c2da1b3a5ce18f721247e943f9f9ee17df375a07403b844
13b564fd0913f98d78d0fdef5f1e9b6de0bd480bd708ab97b150511e6168180c
1491e2a46bc2fe5f1072652bb828d7d286d258e9d46bf5ca3ca97d6ef8f24f80
184073c67cbd557cac9ccc17e60c2061965e90f776d219afc9638b16e0a96115
18525523466ca2f612b403f6f2cb9ed2ae24a8558fcf38e3a2589b0c489ff0bd
1998a4ec680c551fe9635b21bbd687f843984020b936fc3e99dd83bf7bf03100
1b6ac1be6b3f6ebeafe40e2fab4e6383ba90f988e2570833cabac00eae167087
1c636552377f72f010c192ca94b036f7ed31fe96180e427a247a7785f5af1b47
2231bc2928bef007b52ed6b1d8409285a6455f159a60d2f60f7ef1068ebe9bc5
232646f8322aa0b84f463d7a0df20c1ed4c8bc8b06bd885df06e3f5a430aebd8
245ca71a4f2c4e7754ddeb37cbb4132769035e0d87f01865e525faffaa4cb5b6
2557f8f927aa6c9e1cc1226793776bdb2529cc69a0b4d9d8222581fa570ffc15
2574dada45cef789a4987a92bd45f8dbfdadd68951a6b9229772138be9b248f8
25e8f9885d4c8d5ae505671f10ce51717f37e18be27494f5e3d7ba73a1b575ab
27556f569018e8b933aaf360c6b9df3da56a0dd63946c66810309692043a39c3
2a2e815fc4898fb1e6c25240e55355f8454191f1049f7d1222c4c41a66582d6a
3231ab1a51a2241f1ba995bb0abb53f633cd69eee0a30936edf1bac8fe304d3c
32cd47bce63122b7437cba4e4ef80f9782b3db2ca745c2eaa63059a815d9a122
3e55d3c06b5c182cbd2c652abe3f42b02b1fe20cf9d98cf254ba50db86d18cfd
3fcdb4e0e6fbc95a784f102ca1df2985e2bb6593a095695815ece654a5a6d871
40c2cb04c62079e4a922a87c3da93a5dad3ca1b1af60528e02aed8cbaa103eea
443e64c2d907f2d8e538381563318fc0044414577e6e3f756b0e17dc8c92438f
4d1663bdce1b5b933ed46cbcab5525cc3678ec0fea2fe5c804304a29313965b3
4d173201eb8fce4ef09d7136ce13b51a30353dc20de1d19d247e1b0a3c498f5a
4e9a17c8d6a767763a3cdd0916d6f06cc1c8f6efc3a127bafd58cbbecda205f9
52e03571d1849dadbe76eb726accdd1b57fea8353937391ea6fa2b6c5f5f5acb
53094b1c1cdf8dca3614f120920c490292b7c27ba1ae081e7c516f4a4193b03c
53300d49d53f151ddf4ae8f0c440baf473c5b34328cc78558e02006fa53f203f
54c1f2edf60778f188540017f90702e69073e3cacdbc57e42ccf0cbe8a1d1d1c
558ced01205a61cc50c2916ebd602780c20d0ca529eb0852ed1336040d38d328
58ed408137187dd4908f6ac5b3455577c92830d62ad03587cd128b552e284f81
5cab898dab1a62cf5ff22814be1b850b19de3d61287efb99b4b1509ce68232cc
5d807cca33f30f188b7243b85015da74a03be0cf7a8b4d2c2f292d5a932e9dec
5f944788b4b0bf4ead295ce15bb3d07cb4118a8f1b1b86e1e6677efbab2cb0bf
6124b4be45e5538814f155d1783a3ec10f77a4cfa208a151888969ce5b5967a4
615235a5ec577ccc3eee2786f6600b1822dfb7bb3d2331029a28f9382734f8ff
662d53dda59bbffca9b51ca7a66f57e20dafb144754aaa6324ab90ce8867e481
667be64cb8e04f88f85a790cb50a6f13254467ed427dc0aaaf1a0198c5fb4537
671ea06a6c2666cfca6ea6378bf3288b3f6ba3d115311bbee3d6f5e455ef4626
690996789726b4a528c1efec030032e479284d950961e623e5cba68bb72d33d9
726d057e9dc97ca9ee876d10a3a76bba21359c922bc39a08887a6a8222ae8f09
7c87ad713186ca53e9bceac16f05d2837195499c7a5f14fcbf12ec9eeb17ddbc
7da3cce80969ba7265dd31819fd93ffdd8e8170dd57e8e93a02b3b0c0dd89560
7f8bdbbb901d822beabf4d8baeaa0d5a58c7b2815618c656e6579a73056b6285
835c9425a4602fee6d81f0b505edb95740ba79f147997b70d829d94ca652ec6c
83e5bacd77f5d4ea4efd9d7a0242b025847aef2b82925e215981b2a144ae68df
841f76e0ef22ea00944904b74ee77f280d4c3e866ea872de5d114baf5853f776
883e32b10dcadbea46935addbfe6605b4abee444daae4cf8738a0f9b01d716eb
887234559284de5a780f21f480a95c7b46d61b34c03e25d8baa035b58479f292
892bacf0645bcc0092c243ef36ef6b8aa1e1927f978c76e60b60957869d26b74
8a0feac5df5dd947098cae3c47fcee1fb84a39129640ca017b9e04d1f84575fb
8ac79a74115b60c3b4b54550c919833d506ada4048511f35cda876454265b36c
8ecbeb88802774970ea96cff2c62d81e76be0490e7c0d91efa4d59b3474f7a37
8f8bd796c6c48318b4747336ea656380f76528c9fdeb0718d74e4bc899a901b8
921d50f7246f519517cda9429776b53501521536f5930c0ad97c5dbdbd2c6eee
983c92d42a12226d4d95fed540badf322bd8ad04fb3f800c055506b954684ce3
98836b0bc5b585cef81635c02ecac4f5306ccd8f9864af8bd3b0e29a190a379b
99dccbf87057758183709976d076912cc54c74635f24d3f24f13f3c879207039
9b506afb34351584ca292ccc7995622a6deba969bdb77d69dfe3292c90c890e2
9b8f60f7ac51d7862314c0d5da7aa472d1f8d5809ed48cd39f0da9c21d11f88a
9bc9e07dd365b0726b1a59368fc3e5911388e42008c5c16183e8e447b3fa3f2f
9ef4a4d507c89654de034cc0e7748ae8b7fa75833b8dcab629ef6c5bc0491809
a40b987825770fca279a72449c0bb112e4abbf23cd7c678a61576f22987f6054
a6376a822d4521ef04ffcbdcb4492581d0001443c45b248eb90e29c66631dc36
b30a5622429dbc81c34b080a474cf6ae746de046abedebc5dc804c099e709796
b5d792db42e0c5326d8928680756953a87ff25f5b3e0033a568d75a0fcfe451b
b8162a3356eb92af148f8c63940b35d513ae4d4c20b53e6a9a237965ad552adf
b8fe38d0e182d8d91e22edef360237164c04711db5fd7f304d83a56dbb520369
be40910037f36f6591e80fb5c76c91a7f4c91c0c3dbccdaaa9bbf4509c012351
be83787edbff91207dc09559865f0b0d9fbff59b0e5d1fcf2e05e3391b6ec3b0
bec747a001cad25f3763d2d2eb496d7458998d707fd7fac116bd26c6e30e2686
c075ea87e75a369b8dfbb58d7fffa3a052afdf58b00e1885ac78f7f4ac81a92d
c1496b2a1463bc1cf612b5d5f10719c56eac85f333990f4763d57680b68c8880
c1fee5bb5dcaaafedc97e15fd94bfd7da636f3b31db7745a7edc75c7f05f1bbf
c26d1d72dcdbfba8f0d930fe12869611d5bf1a4f2f54ca20b6c12342371d6161
c73e64aeea99514f620cc1391ab438541a0119bf2b0f688eb5ba57f2eda86b25
ce5a1259cd40d17e6ff41e6e2a39cb6f86c095b8b2b8969740c16b57159eddd2
d0ca3040ecf2861415cf7827b4e5b6ce284bd9876303012d581dd382d04f1ff0
d412dd57c2c9c660a25c245985b22d6afa43b8e8687eb8db28487ab819c7853a
d56f9b68cc59173bcd3c57538b6b24a694752fb6bcc5f8af7151ed2897e8ba8c
dd90f50244ed9da1f69c4ce09e14912b5bacb6f39d86bc7a494024c1d09d60e4
e51f5f7d4b7e84fb9a94acf4397b7065ba2e767bb1ea5707bb9ec9b2817e736e
e5ab39fd917dd128e0182d3b4f465331247042055fc059cea046e7a6d050678b
e87fa3c7672531aff90f97d3d7cf49c67f3b7ef9f201ddcda7d99065cd954ffd
e94f2d250306dffb317eaaa27631ec7470d1495d08bccc2ca0e4ebe84d746681
eaf2351a67e069d3714dbb9166112524140f55079b9d39bf9e04b0d130e64462
ec08ae2ceab5530035a3e4a0392ad0a026fbf00fbafcf07ecdbcd7018bc28e73
eec5313f7977a9058d34d4ed0ab0bb0b64d880ed5846a9654ad7a0a583022965
eec591891624ae844c21f66821b186997f587c78ba16a7e6ddcfb7f8c178368f
ef1c9398faa6bbf9e4bee5c0752e2f67864e1d8290cc53e4f07f3415a37b56d4
f4f4f694487fce60ed53c3ba2c71d9752ca23de23a1198c2002f029184c36dea
f77246fe8696c2b8d49e1e8954794ffa58e6957470d97713abd3cc8963bf0791
f8bd848c9aa70840f51ce4670bb58855e49ef6811b8138711f5c2f30fb6392f0
f97b12b4751f5d4257016cdec03aca22cb2aaaefd9d4e7b84397798abde2391b
f9e6234132b3e2d7730f2561f00e9347783657e88a06f6d82afd15c3463f50f6
feeafcd92d0f2ed799667c1c1eda20ac2ce0a35259822f2be4dec0977e08ab0e
bc730342fd06de6f9ea20ff3a60e307226ab3ddf70c3488cdcace1f151175715

Do security vendors detect this by any other names?

Other antivirus vendors’ names for this malware may include variations similar to the following:

A Variant Of OSX/PSW.Agent.CT, ABTrojan.AUOA-, BASH/Agent.CS!tr, BV:Dropper-DE [Trj], Class.trojan.amos, Generic.Trojan.Agent.L02KKB, HEUR:Trojan-PSW.OSX.Amos.ad, HEUR:Trojan.OSX.Amos.a, Mac.Siggen.324, MAC/Agent.CT!tr.pws, MacOS:Agent-APW [Trj], MacOS:AMOS-AF [Trj], MacOS:AMOS-AH [Trj], MacOS:AMOS-P [Trj], MacOS/ABTrojan.RXQD-, Malware.OSX/AVI.Agent.cpdfd, Osx.Trojan-QQPass.QQRob.Ikjl, Osx.Trojan-QQPass.QQRob.Psmw, OSX.Trojan.Agent.78VCMN, Osx.Trojan.Amos.Rsmw, OSX.Trojan.Gen.2, OSX/PSW.Agent.CS, RiskWare:MacOS/Agent.CB, RiskWare:MacOS/Agent.CS, Script.Trojan.Agent.5VWPZD, Shell.trojan.amos, Shell.trojan.macos, TR/AVI.Agent.bhmqa, TR/AVI.AMOS.bpkxb, Trojan (0040f5431), Trojan-PSW.OSX.Amos, Trojan:MacOS/Amos.CC!MTB, Trojan:MacOS/Multiverze, Trojan:Script/Wacatac.B!ml, Trojan.Generic.36896599 (B), Trojan.Generic.D232FF57, Trojan.Linux.Generic.401525 (B), Trojan.Linux.Generic.D6249A [many], Trojan.MAC.Generic.121578 (B), Trojan.MAC.Generic.D1DAEA [many], Trojan.OSX.Amos.i!c, Trojan.OSX.Psw, Trojan.Script.Amos.4!c, Trojan.Script.Generic.4!c, Trojan.TR/AVI.Agent.bhmqa, Trojan.TR/AVI.AMOS.bpkxb, UDS:Trojan.OSX.Amos, Win32.PSWTroj.Undef.a

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on X/Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on LinkedIn Follow Intego on Pinterest Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →