VMRay Labs found that a DMG file containing a malicious Shell Script, used to download and execute Atomic Stealer, remained fully undetected on VirusTotal for two days.
The Shell Script applies basic obfuscation via encoding and shows strong indicators of being AI generated, judging by its comments, proper error handling, and logging.
While the stealer capability is mainly written in AppleScript, the loader component is shipped as a universal Mach-O binary, targeting both x86- and ARM-based systems.
0 / 60 detections on VirusTotal on February 3rd 2025
In a nutshell:
No detections on VT for two days (6/60 detections as of today)
DMG file that uses a likely AI generated Shell Script as its entry point
Shell Script drops a Mach-O universal binary for x86 and ARM architecture
Executable decodes Atomic Stealer’s AppleScript (osascript) with a custom base64 alphabet
Sandbox evasion by checking for known usernames: maria, run, jackiemac, bruno
User’s password is collected via AppleScript by simply asking the user for it
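The three behaviours listed above (a payload decoded with a custom base64 alphabet, a username check against known sandbox accounts, and a password prompt issued through AppleScript) are the points an analyst most wants to reproduce during triage. The following Python is an added example written for this page; it is not VMRay's tooling and not code from the sample. The custom alphabet, the AppleScript snippet and the regular expressions are all constructed assumptions: the write-up does not publish the real alphabet, so the example uses a reversed standard alphabet and a round-trip encoder purely to build its own test input. The decoder itself is generic and works for any 64-character permutation you recover from the binary.

```python
import base64
import re
import string

# Canonical base64 alphabet, in the order base64.b64encode uses it.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# ASSUMPTION: the sample's real alphabet is not published; a reversed standard
# alphabet stands in for it. Replace with the table recovered from the loader.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]

# Usernames the write-up says the stealer checks before running.
SANDBOX_USERNAMES = {"maria", "run", "jackiemac", "bruno"}

# Constructed AppleScript fragment used only as sample input for the triage
# function below; it mirrors the behaviours described in the write-up.
SAMPLE_APPLESCRIPT = '''\
set username to short user name of (system info)
if username is in {"maria", "run", "jackiemac", "bruno"} then
    return
end if
set pw to text returned of (display dialog "macOS needs to update settings" default answer "" with hidden answer)
'''

# Heuristics (assumptions): AppleScript/shell ways of reading the current user,
# and the AppleScript idiom for a masked text prompt.
USERNAME_LOOKUP = re.compile(r"short user name|\bwhoami\b|\$USER\b", re.I)
PASSWORD_PROMPT = re.compile(r"display dialog[^\n]*with hidden answer", re.I)


def encode_custom_b64(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Encode with a permuted alphabet. Only used here to build test blobs."""
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_custom_b64(blob: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map a custom alphabet back onto the standard one, then decode normally.

    Padding ('=') is left untouched, so the alphabet must not reuse it.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    if "=" in alphabet:
        raise ValueError("'=' is reserved for padding and cannot be in the alphabet")
    std = blob.translate(str.maketrans(alphabet, STD_ALPHABET))
    # validate=True rejects any character that did not map cleanly, which is
    # the quickest sign that the recovered alphabet is wrong.
    return base64.b64decode(std, validate=True)


def triage_applescript(script: str) -> dict:
    """Flag the sandbox-username check and the password prompt in decoded script text."""
    lowered = script.lower()
    # Only count a username if it appears as a quoted string literal.
    hits = sorted(u for u in SANDBOX_USERNAMES
                  if re.search(r'"' + re.escape(u) + r'"', lowered))
    return {
        "sandbox_username_check": bool(hits) and bool(USERNAME_LOOKUP.search(script)),
        "usernames": hits,
        "password_prompt": bool(PASSWORD_PROMPT.search(script)),
    }


def analyze_blob(blob: str, alphabet: str = CUSTOM_ALPHABET) -> dict:
    """Decode an encoded payload and run the triage heuristics over it."""
    script = decode_custom_b64(blob, alphabet).decode("utf-8", errors="replace")
    report = triage_applescript(script)
    report["decoded_length"] = len(script)
    return report


# Constructed test blob: the sample script encoded with the stand-in alphabet.
SAMPLE_BLOB = encode_custom_b64(SAMPLE_APPLESCRIPT.encode("utf-8"))

if __name__ == "__main__":
    print(analyze_blob(SAMPLE_BLOB))
```

When running this against a real sample, recover the alphabet from the loader's decode routine (a 64-byte table is usually easy to spot in the binary), drop it into `CUSTOM_ALPHABET`, and let `validate=True` tell you whether the mapping is right before you trust the decoded text. The triage heuristics are deliberately narrow so that they stay readable; extend `SANDBOX_USERNAMES` from your own sandbox inventory rather than relying on the four names published here.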