TrojanSpy.MacOS.AMOS.A
Trojan:MacOS/Amos.D!MTB (MICROSOFT)
Windows
Threat Type: Trojan Spy
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other Details
This Trojan Spy does the following:
- Upon execution, it prompts a fake warning alert asking for user’s password to lure the victim into inputting the password using osascript command, this password will be used to access the user’s keychain database – this is where sensitive information is stored such as passwords, certificates, and wallet information.
- osascript -e 'display dialog "macOS needs to access System settings %s Please enter your password." with title "System Preferences" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns" default answer "" giving up after 30 with hidden answer
- It executes the following commands:
- system_profiler SPHardwareDataType → used to gather hardware information from the victim’s machine
- security 2>&1 > /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}' → used to steal Chrome password
- Target browsers:
- Chrome
- Brave
- Edge
- Vivaldi
- Opera
- OperaGX
- Chromium
- Target wallets:
- Exodus
- Electrum
- TronLink
- Metamask
- Binance Chain
- Keplr
SOLUTION
Scan your computer with your Trend Micro product to delete files detected as TrojanSpy.MacOS.AMOS.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.