AMOS Stealer

Sep 9, 2025

Threat Overview - AMOS Stealer

AMOS Stealer, also referred to as Atomic Stealer, is a sophisticated macOS-targeting infostealer that has become a persistent threat to individuals and organizations over the past several months. First observed in 2023, the malware is primarily designed to exfiltrate sensitive information, including browser-stored credentials, system configuration details, cryptocurrency wallet data, and other personal or proprietary files. It was originally distributed through phishing campaigns and malicious payloads delivered via compromised applications or social engineering; however, it has since evolved to adopt a modular architecture, allowing operators to dynamically extend its capabilities based on the targeted environment. This evolution demonstrates a shift toward more persistent and evasive operations, including the use of code-signing bypasses and stealth techniques that avoid macOS security controls, increasing the likelihood of a prolonged, undetected compromise.

It is worth noting that several variants derived from AMOS Stealer's codebase have also emerged, adding new functionality and features, such as Odyssey Stealer, SHAMOS, Banshee Stealer, and Cthulhu Stealer.

AMOS Stealer Hunt Collection

Inline AppleScript Execution On macOS - Potential Unauthorized Script Activity

This Hunt Package is designed to identify the execution of AppleScript on macOS systems by targeting the use of the osascript interpreter with command-line arguments typically associated with AppleScript code (such as inline execution with -e, script files with the .scpt extension, or JavaScript-based scripts with the .js extension). Such executions can indicate attackers abusing the normal use of AppleScript to execute malicious commands, bypass security controls, or perform lateral movement.

System Profiler Usage For macOS Reconnaissance - Potential Information Gathering

This hypothesis aims to identify instances where System Profiler is used on macOS systems for information gathering. While System Profiler is a legitimate utility for inspecting system details, attackers can abuse it to collect crucial information about the host. This activity can be part of reconnaissance, enabling the threat actor to fine-tune their strategy for subsequent malicious steps.

Usage Of Chmod To Enable Execution - Potential Payload Staging

This hunt package identifies instances where the 'chmod' command is used to modify file permissions, specifically focusing on changes that grant executable rights. By correlating these events with user contexts and known file paths, the package aims to highlight potentially malicious activities, such as the preparation of a system for exploitation or the setup of persistence mechanisms by unauthorized users.

Base64 Encoded Command Execution

This Hunt Package was designed to take a broader look at encoded command execution, to account for the varied process executions that may rely on it. The provided query logic aims to identify valid variations of the -EncodedCommand parameter used by PowerShell. This parameter is commonly used to encode or obfuscate commands via Base64 encoding, and not all occurrences are malicious; for example, benign but complex commands may need to be encoded to run properly on a target system. Base64-decoding the encoded command and analyzing its contents will likely be necessary to validate its legitimacy.

Use Of Dscl On Root User - Potential Credential Testing Via Shell

This Hunt Package examines the use of the dscl command, specifically with the -authonly option, executed via shell scripts (bash or sh) for authentication checks of the root user. Threat actors may leverage this legitimate functionality in a malicious manner to test for valid root credentials, posing risks such as unauthorized access or privilege escalation. By identifying these specific shell-based executions, we aim to pinpoint potential misuse of directory service commands indicative of credential testing and other nefarious activities.

Plist File Created In Common Launch At Boot Folders In macOS - Potential Persistence

This Hunt Package identifies the creation of .plist files in macOS directories commonly used for launching processes at boot, such as /Library/LaunchDaemons/ and /Library/LaunchAgents/. These locations are often targeted for persistence by malware. Investigate any unexpected .plist file creation as it may indicate malicious activity.

Commonly Abused macOS Volume Names Loaded In The Background - Potential Malicious Package

This Hunt Package is designed to identify package names commonly used to trick users into opening a package and running its contents. The hypothesis also covers volumes that malware may mount in the background so the user does not notice them. Information stealers use this tactic in their delivery.
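As an added illustration of the host-based hunt hypotheses above (AppleScript execution via osascript, System Profiler use, chmod granting execute rights, dscl -authonly against root from a shell, and .plist creation in launch folders), the following Python is example code written for this page, not an Intel471 hunt package or its query logic. It assumes EDR telemetry already normalised to dicts carrying an event type, parent process and either a command line or a file path; the sample events are constructed, and the launch-folder check extends the system-wide folders named on the page to the per-user LaunchAgents folder.

```python
import re
import shlex

# Constructed sample telemetry (not real captured data): EDR-style process and file events.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "Terminal", "cmdline": "osascript -e 'display dialog \"hello\"'"},
    {"type": "process", "parent": "sh", "cmdline": "osascript /tmp/loader.scpt"},
    {"type": "process", "parent": "bash", "cmdline": "system_profiler SPHardwareDataType"},
    {"type": "process", "parent": "sh", "cmdline": "chmod +x /tmp/update"},
    {"type": "process", "parent": "sh", "cmdline": "dscl . -authonly root PLACEHOLDER_PASSWORD"},
    {"type": "file", "path": "/Library/LaunchDaemons/com.example.helper.plist"},
    {"type": "process", "parent": "launchd", "cmdline": "chmod 644 /etc/hosts"},  # no exec bit: benign
]
# System-wide launch folders named on the page, plus the per-user LaunchAgents folder (assumption).
LAUNCH_DIRS = re.compile(r"^(/Users/[^/]+)?/Library/Launch(Daemons|Agents)/[^/]+\.plist$")
# One symbolic chmod clause that adds or sets an execute bit: +x, u+x, a+rx, u=rwx ...
SYMBOLIC_EXEC = re.compile(r"^[ugoa]*[+=][rwXst]*x")

def _argv(ev):  # tokenised command line, program path reduced to its basename
    argv = shlex.split(ev["cmdline"]) if ev["type"] == "process" else []
    return [argv[0].rsplit("/", 1)[-1]] + argv[1:] if argv else []

def applescript_exec(ev):
    """osascript given inline -e code, a .scpt file, or a JavaScript (.js) script."""
    argv = _argv(ev)
    return argv[:1] == ["osascript"] and ("-e" in argv or any(a.endswith((".scpt", ".js")) for a in argv))

def chmod_grants_exec(ev):
    """chmod whose mode adds an execute bit, given in octal (e.g. 755) or symbolic form."""
    argv = _argv(ev)
    mode = next((a for a in argv[1:] if not a.startswith("-")), "")  # first non-option argument
    if mode.isdigit():
        return argv[:1] == ["chmod"] and int(mode, 8) & 0o111 != 0
    return argv[:1] == ["chmod"] and any(SYMBOLIC_EXEC.match(c) for c in mode.split(","))

def dscl_root_authonly(ev):
    """dscl -authonly against the root account, spawned by a shell script interpreter."""
    argv = _argv(ev)
    return argv[:1] == ["dscl"] and {"-authonly", "root"} <= set(argv) and ev["parent"] in {"sh", "bash", "zsh"}

RULES = {
    "applescript_exec": applescript_exec,
    "system_profiler_recon": lambda ev: _argv(ev)[:1] == ["system_profiler"],
    "chmod_grants_exec": chmod_grants_exec,
    "dscl_root_authonly": dscl_root_authonly,
    "launch_plist_created": lambda ev: ev["type"] == "file" and bool(LAUNCH_DIRS.match(ev["path"])),
}

def hunt(events):  # -> [(event index, rule name)] for every rule that fires on each event
    return [(i, n) for i, ev in enumerate(events) for n, rule in RULES.items() if rule(ev)]
```

Each rule is a pure function over one event, so the same logic can be re-expressed as a SIEM query; the octal branch of the chmod rule matters because a mode such as 755 grants execute rights without the literal "+x" a string match would look for.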