People often ask whether Macs really need antivirus software. If you browse Apple forums, you’ll inevitably find people who claim you don’t need malware protection. We’ve debunked Mac malware myths in the past, and we’ve written literally hundreds of articles about malware that infects Apple devices.
But if you needed any additional convincing, Intego’s team of malware analysts recently discovered more than 99 unique new samples of stealer malware. This suggests that Mac malware is not so rare; rather, threat actors are pumping out numerous samples, trying to evade detection in wide-reaching campaigns.
Here’s everything you need to know to stay safe from the latest Mac malware threats.
Intego’s malware analysis team recently encountered 99 unique samples of Base64-encoded shell scripts. The contents of these files look similar to the following (shortened to fit better):
/bin/bash bFJfVXss='IyEvYmluL2Jhc2gKb3Nhc2NyaXB0IC1lICdv[…]' IKBIKmYz='dXBWb2x1bWUgaXMgIiIgdGhlbgogICAgICAg[…]' dtIUkpzw='CAgIHNldCBleGVjdXRhYmxlTmFtZSB0byA[…]==' encoded_script="${bFJfVXss}${IKBIKmYz}${dtIUkpzw}" bash -c "$(echo "$encoded_script" base64 -D)"
If that looks like incomprehensible gobbledygook, that’s exactly the point. This malware uses a common technique called obfuscation to obscure or hide what it really does. Specifically, the script incorporates three Base64-encoded strings, mashes them together, decodes them, and runs the decoded output as a command.
So what does the decoded output look like? It’s another bash script, containing AppleScript code with embedded shell scripts. This code repeatedly checks for the presence of a mounted volume named Installer. If it finds a volume with that name, it attempts to copy an executable file (app), also named Installer, to the hidden /tmp
folder on your Mac.
Next, it tries to run these three commands:
do shell script "xattr -c " & quoted form of tmpExecutablePath […] do shell script "chmod +x " & quoted form of tmpExecutablePath […] do shell script quoted form of tmpExecutablePath
The command xattr -c
removes all extended attributes from a file; in this case, the intent is to ensure the file doesn’t have the com.apple.quarantine
attribute that could prevent it from running. Next, chmod +x
makes the file executable, i.e. runnable as an application from the command line. Finally, the script runs the malicious /tmp/Installer
application.
And what about these fake “Installer” applications that the script looks for, copies, and runs?
They’re actually stealer malware, designed to gather and exfiltrate cryptocurrency wallets, browser cookies, Microsoft Word documents, and more.
As we’ve mentioned in previous articles, cookies can give attackers access to accounts your browsers are logged into—bypassing your password and any two-factor authentication methods.
Interestingly, these stealers even target relatively obscure browsers that we’ve mentioned before: Pale Moon and Waterfox, which are forks (derivatives) of Mozilla Firefox. Of course, they also target more common browsers, including Safari, Firefox, and Google Chrome. These stealers are also designed to extract data from several other Chromium-based browsers, such as Arc, Brave, Microsoft Edge, Opera, Opera GX, and Vivaldi.
If you use Intego VirusBarrier, you’re already protected from this malware. Intego detects samples from this campaign as OSX/Amos.ext, OSX/Amos.gen, OSX/Amos.scpt, OSX/PSW.ext, Python/Stealer.gen, and virus/OSX/AVI.Agent.cpdf.
If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s latest Mac operating system, macOS Sequoia.
One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. Just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.
If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware, too.
Following are SHA-256 hashes of malware samples from this campaign:
05d0191859cb1f8d1351b1ec557a7b9dc669d9143b93c50a69ddfdafc6abb030 07acd31fccd8ac0d305913f0c35b226700d5cc641f012aadde26a6ccb6358b33 0e04423fc0ad2de4ce31d454b4bd89d5744cf8fbb5e1546ba06b8ba387d6eb5f 0f7e3138899df8304c2da1b3a5ce18f721247e943f9f9ee17df375a07403b844 13b564fd0913f98d78d0fdef5f1e9b6de0bd480bd708ab97b150511e6168180c 1491e2a46bc2fe5f1072652bb828d7d286d258e9d46bf5ca3ca97d6ef8f24f80 184073c67cbd557cac9ccc17e60c2061965e90f776d219afc9638b16e0a96115 18525523466ca2f612b403f6f2cb9ed2ae24a8558fcf38e3a2589b0c489ff0bd 1998a4ec680c551fe9635b21bbd687f843984020b936fc3e99dd83bf7bf03100 1b6ac1be6b3f6ebeafe40e2fab4e6383ba90f988e2570833cabac00eae167087 1c636552377f72f010c192ca94b036f7ed31fe96180e427a247a7785f5af1b47 2231bc2928bef007b52ed6b1d8409285a6455f159a60d2f60f7ef1068ebe9bc5 232646f8322aa0b84f463d7a0df20c1ed4c8bc8b06bd885df06e3f5a430aebd8 245ca71a4f2c4e7754ddeb37cbb4132769035e0d87f01865e525faffaa4cb5b6 2557f8f927aa6c9e1cc1226793776bdb2529cc69a0b4d9d8222581fa570ffc15 2574dada45cef789a4987a92bd45f8dbfdadd68951a6b9229772138be9b248f8 25e8f9885d4c8d5ae505671f10ce51717f37e18be27494f5e3d7ba73a1b575ab 27556f569018e8b933aaf360c6b9df3da56a0dd63946c66810309692043a39c3 2a2e815fc4898fb1e6c25240e55355f8454191f1049f7d1222c4c41a66582d6a 3231ab1a51a2241f1ba995bb0abb53f633cd69eee0a30936edf1bac8fe304d3c 32cd47bce63122b7437cba4e4ef80f9782b3db2ca745c2eaa63059a815d9a122 3e55d3c06b5c182cbd2c652abe3f42b02b1fe20cf9d98cf254ba50db86d18cfd 3fcdb4e0e6fbc95a784f102ca1df2985e2bb6593a095695815ece654a5a6d871 40c2cb04c62079e4a922a87c3da93a5dad3ca1b1af60528e02aed8cbaa103eea 443e64c2d907f2d8e538381563318fc0044414577e6e3f756b0e17dc8c92438f 4d1663bdce1b5b933ed46cbcab5525cc3678ec0fea2fe5c804304a29313965b3 4d173201eb8fce4ef09d7136ce13b51a30353dc20de1d19d247e1b0a3c498f5a 4e9a17c8d6a767763a3cdd0916d6f06cc1c8f6efc3a127bafd58cbbecda205f9 52e03571d1849dadbe76eb726accdd1b57fea8353937391ea6fa2b6c5f5f5acb 53094b1c1cdf8dca3614f120920c490292b7c27ba1ae081e7c516f4a4193b03c 53300d49d53f151ddf4ae8f0c440baf473c5b34328cc78558e02006fa53f203f 54c1f2edf60778f188540017f90702e69073e3cacdbc57e42ccf0cbe8a1d1d1c 558ced01205a61cc50c2916ebd602780c20d0ca529eb0852ed1336040d38d328 58ed408137187dd4908f6ac5b3455577c92830d62ad03587cd128b552e284f81 5cab898dab1a62cf5ff22814be1b850b19de3d61287efb99b4b1509ce68232cc 5d807cca33f30f188b7243b85015da74a03be0cf7a8b4d2c2f292d5a932e9dec 5f944788b4b0bf4ead295ce15bb3d07cb4118a8f1b1b86e1e6677efbab2cb0bf 6124b4be45e5538814f155d1783a3ec10f77a4cfa208a151888969ce5b5967a4 615235a5ec577ccc3eee2786f6600b1822dfb7bb3d2331029a28f9382734f8ff 662d53dda59bbffca9b51ca7a66f57e20dafb144754aaa6324ab90ce8867e481 667be64cb8e04f88f85a790cb50a6f13254467ed427dc0aaaf1a0198c5fb4537 671ea06a6c2666cfca6ea6378bf3288b3f6ba3d115311bbee3d6f5e455ef4626 690996789726b4a528c1efec030032e479284d950961e623e5cba68bb72d33d9 726d057e9dc97ca9ee876d10a3a76bba21359c922bc39a08887a6a8222ae8f09 7c87ad713186ca53e9bceac16f05d2837195499c7a5f14fcbf12ec9eeb17ddbc 7da3cce80969ba7265dd31819fd93ffdd8e8170dd57e8e93a02b3b0c0dd89560 7f8bdbbb901d822beabf4d8baeaa0d5a58c7b2815618c656e6579a73056b6285 835c9425a4602fee6d81f0b505edb95740ba79f147997b70d829d94ca652ec6c 83e5bacd77f5d4ea4efd9d7a0242b025847aef2b82925e215981b2a144ae68df 841f76e0ef22ea00944904b74ee77f280d4c3e866ea872de5d114baf5853f776 883e32b10dcadbea46935addbfe6605b4abee444daae4cf8738a0f9b01d716eb 887234559284de5a780f21f480a95c7b46d61b34c03e25d8baa035b58479f292 892bacf0645bcc0092c243ef36ef6b8aa1e1927f978c76e60b60957869d26b74 8a0feac5df5dd947098cae3c47fcee1fb84a39129640ca017b9e04d1f84575fb 8ac79a74115b60c3b4b54550c919833d506ada4048511f35cda876454265b36c 8ecbeb88802774970ea96cff2c62d81e76be0490e7c0d91efa4d59b3474f7a37 8f8bd796c6c48318b4747336ea656380f76528c9fdeb0718d74e4bc899a901b8 921d50f7246f519517cda9429776b53501521536f5930c0ad97c5dbdbd2c6eee 983c92d42a12226d4d95fed540badf322bd8ad04fb3f800c055506b954684ce3 98836b0bc5b585cef81635c02ecac4f5306ccd8f9864af8bd3b0e29a190a379b 99dccbf87057758183709976d076912cc54c74635f24d3f24f13f3c879207039 9b506afb34351584ca292ccc7995622a6deba969bdb77d69dfe3292c90c890e2 9b8f60f7ac51d7862314c0d5da7aa472d1f8d5809ed48cd39f0da9c21d11f88a 9bc9e07dd365b0726b1a59368fc3e5911388e42008c5c16183e8e447b3fa3f2f 9ef4a4d507c89654de034cc0e7748ae8b7fa75833b8dcab629ef6c5bc0491809 a40b987825770fca279a72449c0bb112e4abbf23cd7c678a61576f22987f6054 a6376a822d4521ef04ffcbdcb4492581d0001443c45b248eb90e29c66631dc36 b30a5622429dbc81c34b080a474cf6ae746de046abedebc5dc804c099e709796 b5d792db42e0c5326d8928680756953a87ff25f5b3e0033a568d75a0fcfe451b b8162a3356eb92af148f8c63940b35d513ae4d4c20b53e6a9a237965ad552adf b8fe38d0e182d8d91e22edef360237164c04711db5fd7f304d83a56dbb520369 be40910037f36f6591e80fb5c76c91a7f4c91c0c3dbccdaaa9bbf4509c012351 be83787edbff91207dc09559865f0b0d9fbff59b0e5d1fcf2e05e3391b6ec3b0 bec747a001cad25f3763d2d2eb496d7458998d707fd7fac116bd26c6e30e2686 c075ea87e75a369b8dfbb58d7fffa3a052afdf58b00e1885ac78f7f4ac81a92d c1496b2a1463bc1cf612b5d5f10719c56eac85f333990f4763d57680b68c8880 c1fee5bb5dcaaafedc97e15fd94bfd7da636f3b31db7745a7edc75c7f05f1bbf c26d1d72dcdbfba8f0d930fe12869611d5bf1a4f2f54ca20b6c12342371d6161 c73e64aeea99514f620cc1391ab438541a0119bf2b0f688eb5ba57f2eda86b25 ce5a1259cd40d17e6ff41e6e2a39cb6f86c095b8b2b8969740c16b57159eddd2 d0ca3040ecf2861415cf7827b4e5b6ce284bd9876303012d581dd382d04f1ff0 d412dd57c2c9c660a25c245985b22d6afa43b8e8687eb8db28487ab819c7853a d56f9b68cc59173bcd3c57538b6b24a694752fb6bcc5f8af7151ed2897e8ba8c dd90f50244ed9da1f69c4ce09e14912b5bacb6f39d86bc7a494024c1d09d60e4 e51f5f7d4b7e84fb9a94acf4397b7065ba2e767bb1ea5707bb9ec9b2817e736e e5ab39fd917dd128e0182d3b4f465331247042055fc059cea046e7a6d050678b e87fa3c7672531aff90f97d3d7cf49c67f3b7ef9f201ddcda7d99065cd954ffd e94f2d250306dffb317eaaa27631ec7470d1495d08bccc2ca0e4ebe84d746681 eaf2351a67e069d3714dbb9166112524140f55079b9d39bf9e04b0d130e64462 ec08ae2ceab5530035a3e4a0392ad0a026fbf00fbafcf07ecdbcd7018bc28e73 eec5313f7977a9058d34d4ed0ab0bb0b64d880ed5846a9654ad7a0a583022965 eec591891624ae844c21f66821b186997f587c78ba16a7e6ddcfb7f8c178368f ef1c9398faa6bbf9e4bee5c0752e2f67864e1d8290cc53e4f07f3415a37b56d4 f4f4f694487fce60ed53c3ba2c71d9752ca23de23a1198c2002f029184c36dea f77246fe8696c2b8d49e1e8954794ffa58e6957470d97713abd3cc8963bf0791 f8bd848c9aa70840f51ce4670bb58855e49ef6811b8138711f5c2f30fb6392f0 f97b12b4751f5d4257016cdec03aca22cb2aaaefd9d4e7b84397798abde2391b f9e6234132b3e2d7730f2561f00e9347783657e88a06f6d82afd15c3463f50f6 feeafcd92d0f2ed799667c1c1eda20ac2ce0a35259822f2be4dec0977e08ab0e bc730342fd06de6f9ea20ff3a60e307226ab3ddf70c3488cdcace1f151175715
Other antivirus vendors’ names for this malware may include variations similar to the following:
A Variant Of OSX/PSW.Agent.CT, ABTrojan.AUOA-, BASH/Agent.CS!tr, BV:Dropper-DE [Trj], Class.trojan.amos, Generic.Trojan.Agent.L02KKB, HEUR:Trojan-PSW.OSX.Amos.ad, HEUR:Trojan.OSX.Amos.a, Mac.Siggen.324, MAC/Agent.CT!tr.pws, MacOS:Agent-APW [Trj], MacOS:AMOS-AF [Trj], MacOS:AMOS-AH [Trj], MacOS:AMOS-P [Trj], MacOS/ABTrojan.RXQD-, Malware.OSX/AVI.Agent.cpdfd, Osx.Trojan-QQPass.QQRob.Ikjl, Osx.Trojan-QQPass.QQRob.Psmw, OSX.Trojan.Agent.78VCMN, Osx.Trojan.Amos.Rsmw, OSX.Trojan.Gen.2, OSX/PSW.Agent.CS, RiskWare:MacOS/Agent.CB, RiskWare:MacOS/Agent.CS, Script.Trojan.Agent.5VWPZD, Shell.trojan.amos, Shell.trojan.macos, TR/AVI.Agent.bhmqa, TR/AVI.AMOS.bpkxb, Trojan (0040f5431), Trojan-PSW.OSX.Amos, Trojan:MacOS/Amos.CC!MTB, Trojan:MacOS/Multiverze, Trojan:Script/Wacatac.B!ml, Trojan.Generic.36896599 (B), Trojan.Generic.D232FF57, Trojan.Linux.Generic.401525 (B), Trojan.Linux.Generic.D6249A [many], Trojan.MAC.Generic.121578 (B), Trojan.MAC.Generic.D1DAEA [many], Trojan.OSX.Amos.i!c, Trojan.OSX.Psw, Trojan.Script.Amos.4!c, Trojan.Script.Generic.4!c, Trojan.TR/AVI.Agent.bhmqa, Trojan.TR/AVI.AMOS.bpkxb, UDS:Trojan.OSX.Amos, Win32.PSWTroj.Undef.a
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: