{ "id": "77ba3930-0dac-40b8-81ba-8d43045e90a1", "created_at": "2026-04-06T00:08:32.799788Z", "updated_at": "2026-04-10T03:37:09.361137Z", "deleted_at": null, "sha1_hash": "7dd057ab41b4f45ffa29e29508f2e9fe438236cb", "title": "Reversing FUD AMOS Stealer", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1700147, "plain_text": "Reversing FUD AMOS Stealer\r\nBy Tonmoy Jitu\r\nPublished: 2025-03-20 · Archived: 2026-04-05 14:06:58 UTC\r\nThe AMOS Stealer is a macOS malware known for its data theft capabilities, often delivered via an encrypted\r\nosascript (AppleScript) payload. In this blog, I’ll walk you through my process of reverse engineering a Fully\r\nUndetected (FUD) AMOS Stealer sample using LLDB, with Binary Ninja (Binja) as a reference for addresses, to\r\nextract its decrypted osascript payload. We’ll start with static analysis, identify and bypass the anti-VM logic,\r\ndiscover a partial payload, and finally use a Python script to extract the full decrypted payload.\r\nInitial Discovery\r\nWhile hunting for FUD malware, I came across a sample similar to one posted by the @MalwareHunterTeam.\r\nThis malware remained undetected on March 11, 2025, thanks to a single anti-VM command that halts execution\r\non QEMU and VMware virtual machines. The below sample screenshot (taken on March 11, 2025) confirms the\r\nFUD status and shows no security vendors flagged it as malicious, with a community score of 0/61.\r\nStatic analysis\r\nThe sample is a DMG file named Installer_v2.7.8.dmg . Upon mounting, instructions were found directing the\r\nuser to right-click the Installer binary and select \"Open.\" This technique is commonly used on macOS to\r\nbypass Gatekeeper , the security mechanism that enforces code signing and prevents unverified apps from\r\nrunning unless explicitly allowed by the user.\r\nhttps://denwp.com/amos-stealer-fud/\r\nPage 1 of 13\n\nExtracting the contents of the DMG revealed its folder structure, including hidden files like .background and\r\n.HFS+ Private Directory Data , a volume icon, and the main Installer binary along with its resource file.\r\nRunning the file command on the Installer binary confirmed it’s a Mach-O universal binary with two\r\narchitectures: x86_64 (for Intel Macs) and arm64 (for Apple Silicon Macs). This makes the binary compatible\r\nwith a wide range of macOS systems.\r\nTo look for readable commands or strings, I ran the strings command on the Installer binary. However, the\r\noutput revealed only random blobs of data, indicating that the strings, including the osascript payload, are\r\nlikely encrypted or encoded to evade static analysis.\r\nhttps://denwp.com/amos-stealer-fud/\r\nPage 2 of 13\n\nFor a deeper static analysis, Detect It Easy (DIE) was used to examine the file properties. DIE confirmed that\r\nthe Installer is a Mach-O FAT binary supporting x86_64 and arm64 architectures. The x86_64 slice targets\r\nmacOS 10.15.0 (or later), while the arm64 slice targets macOS 11.0.0 (or later). Both are 64-bit executables\r\ncompiled with clang and signed with codesign to pass Gatekeeper checks.\r\nUsing LLDB debugger\r\nWith static analysis revealing obfuscated strings, dynamic analysis was necessary to uncover the osascript\r\npayload.\r\nBinary Ninja was used to analyze the binary’s structure and identify key addresses. In Binja, the entry point at\r\n0x1008722a0 (labeled _start() , but corresponding to ___lldb_unnamed_symbol50082 in LLDB), appeared\r\nhttps://denwp.com/amos-stealer-fud/\r\nPage 3 of 13\n\ncentral to the malware’s logic. I also noted several calls to system() , which AMOS frequently uses to execute its\r\nosascript payloads.\r\nBypassing Anti-VM logic using LLDB\r\nAMOS Stealer often employs anti-VM techniques to evade analysis in sandboxed environments, typically by\r\nquerying system information to detect virtualization signatures like QEMU or VMware .\r\nThe binary was loaded into LLDB, and initial breakpoints were set to catch key functions potentially used for anti-VM or anti-debugging checks:\r\n(lldb) breakpoint set --name ptrace\r\n(lldb) breakpoint set --name system\r\n(lldb) breakpoint set --address 0x100001220\r\n(lldb) breakpoint set --name pthread_create\r\n(lldb) breakpoint set --name sysctl\r\nhttps://denwp.com/amos-stealer-fud/\r\nPage 4 of 13\n\nThese breakpoints target:\r\nptrace: For debugger detection.\r\nsystem: For the anti-VM osascript call.\r\n0x100001220: For a sysctl check (system information query).\r\npthread_create: For threaded checks (e.g., parallel anti-debugging logic).\r\nsysctl: For additional VM detection.\r\nI resumed execution with continue , and the first breakpoint hit was at pthread_create , indicating the program\r\nwas attempting to create a thread—likely for additional checks or anti-debugging logic. This was bypassed by\r\nforcing the pthread_create call to return immediately with a success status ( 0 ), neutralizing the thread\r\ncreation:\r\n(lldb) thread return 0\r\n(lldb) continue\r\nhttps://denwp.com/amos-stealer-fud/\r\nPage 5 of 13\n\nThe next breakpoint hit was at system() . The main thread was confirmed, and the command string passed to\r\nsystem() was inspected:\r\n(lldb) thread list\r\n(lldb) thread select 1\r\n(lldb) p (char*)$rdi\r\nThe %rdi register, which holds the first argument to a function in the x86_64 calling convention, revealed the\r\nanti-VM osascript command. This script checks for QEMU or VMware signatures in the system’s memory\r\ndata, exiting with status 42 if a VM is detected, or 0 if not.\r\nosascript -e 'set memData to do shell script \\\"system_profiler SPMemoryDataType\\\"\\n\\tif memData contains \\\"QEMU\r\nI checked the return value of system() in %eax , the register used to store return values in x86_64 . Then I\r\npatched %eax to 0 to trick the program into thinking no VM was present.\r\nThe current frame was disassembled to understand the logic after the system() call:\r\n(lldb) disassemble --frame\r\nThe disassembly revealed hardcoded strings loaded into stack buffers, likely encrypted data or keys, and\r\nconfirmed the two additional system() calls at 0x10087248b and 0x1008724b4 .\r\nhttps://denwp.com/amos-stealer-fud/\r\nPage 6 of 13\n\nThe code was stepped through to ensure the patch worked. At 0x100872370 , the program compared the value at\r\n-0xa0(%rbp) to 0 :\r\n(lldb) p/x *(int*)($rbp - 0xa0)\r\n(int) 0x00000000\r\nSince %eax was patched to 0 , the value at -0xa0(%rbp) was 0 , so the je jump to 0x10087240a was\r\ntaken, allowing execution to continue.\r\nWith the anti-VM check bypassed, the focus shifted to finding the main osascript payload. I stepped to\r\n0x10087240a and set a breakpoint at the second system() call to inspect its command:\r\n(lldb) breakpoint set --address 0x10087249b\r\n(lldb) continue\r\nhttps://denwp.com/amos-stealer-fud/\r\nPage 7 of 13\n\nWhen the breakpoint hit, the argument in %rdi was dumped:\r\n(lldb) memory read --size 1 --format char --count 200 $rdi\r\nThis was not the osascript payload but a cleanup command to detach the process ( disown ) and kill the\r\nTerminal app ( pkill Terminal) , likely to hide its activity.\r\nThe third system() call was targeted next, with a breakpoint set at 0x1008724b4 :\r\n(lldb) breakpoint set --address 0x1008724b4\r\n(lldb) continue\r\nWhen the breakpoint hit, %rdi was dumped again:\r\nmemory read --size 1 --format char --count 500 $rdi\r\nhttps://denwp.com/amos-stealer-fud/\r\nPage 8 of 13\n\nThis was the osascript payload, starting with osascript -e 'set release to true... , indicating the\r\nbeginning of AMOS Stealer’s data theft logic, including hiding the Terminal window and defining a filesizer\r\nfunction to process files.\r\nTo extract the entire payload without guessing its size, LLDB’s Python scripting was employed to read the string\r\nin %rdi until its null terminator ( \\0 ). Since system() expects a null-terminated C-style string, this approach\r\nensures the entire payload is captured:\r\nimport lldb\r\n# Attach to the current process\r\nprocess = lldb.debugger.GetSelectedTarget().GetProcess()\r\n# Evaluate $rdi to get its value\r\nframe = lldb.debugger.GetSelectedTarget().GetProcess().GetSelectedThread().GetSelectedFrame()\r\n# frame.EvaluateExpression(\"$rdi\") gets the address stored in $rdi.\r\nrdi_value = frame.EvaluateExpression(\"$rdi\").GetValueAsUnsigned()\r\n# ReadCStringFromMemory reads from that address until \\0, up to 65536 bytes (64 KB). You can change this value d\r\nerror = lldb.SBError()\r\npayload = process.ReadCStringFromMemory(rdi_value, 16384, error)\r\n# Print payload\r\nprint(payload)\r\n# Exit script mode\r\nquit()\r\nAn initial buffer of 16384 bytes was used, but only after determining the payload exceeded 6000 bytes, the buffer\r\nwas increased to 65536 bytes to ensure complete capture.\r\nThe script output the full osascript payload, which aligned with the format of other AMOS Stealer payloads.\r\nhttps://denwp.com/amos-stealer-fud/\r\nPage 9 of 13\n\nIf you’re analyzing similar malware, this method—combining manual debugging with scripted automation—can\r\nsave you hours of guesswork.\r\nAmos Stealer Payload\r\nAtomic MacOS stealer malware is designed to exfiltrate sensitive information from macOS systems. It leverages\r\nAppleScript to perform a variety of malicious tasks, including stealing browser data, cryptocurrency wallet\r\ninformation, and personal files, before sending the collected data to a remote server.\r\nStealth and persistence\r\nHides its execution by setting the Terminal window to invisible.\r\nFile collection\r\nBrowsers: Targets Chromium-based browsers (e.g., Google Chrome, Brave, Edge, Vivaldi, Opera) and\r\nFirefox, extracting cookies, login data, web data, and extension settings (e.g., crypto wallet plugins).\r\nCryptocurrency Wallets: Steals data from desktop wallets like Electrum by copying wallet files from\r\nspecific directories.\r\nTelegram: Grabs Telegram Desktop data, including session files from the tdata folder.\r\nFile Grabber: Collects files with specific extensions (e.g., .txt, .pdf, .docx, .wallet, .key) from Desktop,\r\nDocuments, and Downloads folders, with a size limit of 30MB total.\r\nSystem Information: Captures hardware, software, and display details using system_profiler .\r\nhttps://denwp.com/amos-stealer-fud/\r\nPage 10 of 13\n\nPassword collection\r\nAttempts to retrieve the user’s Chrome master password via the security command. Prompts for the system\r\npassword if needed, using a deceptive dialog disguised as a legitimate \"System Preferences\" request.\r\nData exfiltration\r\nArchives stolen data into a ZIP file ( /tmp/out.zip ) and uploads it to a hardcoded C2 (command-and-control)\r\nserver ( hxxp[://]95[.]164[.]53[.]3/contact ) via a curl POST request.\r\nhxxp[://]95[.]164[.]53[.]3/contact\r\nIOC\r\nSHA256:\r\n3f85a1c1fb6af6f156f29e9c879987459fb5b9f586e50f705260619014591aad\r\n====================================================\r\nC2: 95[.]164[.]53[.]3\r\n💡\r\nAdditional IOCs (196 file hashes) can be found related to AMOS Stealer in my git repository.\r\nYara\r\nrule AMOS_Stealer_MacOS_AppleScript {\r\n meta:\r\n description = \"Detects AMOS Stealer malware payload written in AppleScript targeting macOS\"\r\n author = \"Tonmoy Jitu\"\r\n date = \"2025-03-19\"\r\nhttps://denwp.com/amos-stealer-fud/\r\nPage 11 of 13\n\nthreat_type = \"Stealer Malware\"\r\n platform = \"macOS\"\r\n strings:\r\n $func1 = \"filesizer\" ascii\r\n $func2 = \"GrabFolderLimit\" ascii\r\n $func3 = \"GrabFolder\" ascii\r\n $func4 = \"parseFF\" ascii\r\n $func5 = \"chromium\" ascii\r\n $func6 = \"telegram\" ascii\r\n $func7 = \"filegrabber\" ascii\r\n $func8 = \"send_data\" ascii\r\n $path1 = \"/tmp/out.zip\" ascii\r\n $path2 = \"Library/Application Support/\" ascii\r\n $path3 = \"Telegram Desktop/tdata/\" ascii\r\n $cmd1 = \"osascript -e\" ascii\r\n $cmd2 = \"system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType\" ascii\r\n $cmd3 = \"curl -X POST\" ascii\r\n $c2 = \"http://95.164.53.3/contact\" ascii\r\n $header1 = \"user: cYZDDJE-ruVrlQxunrDdZoQY2qKvdxJ6Q/11uusIeNA=\" ascii\r\n $header2 = \"BuildID: zNJZpzGN34Rrvy1zljsQgIP1/9leq2QuwynS7XIo2d4=\" ascii\r\n $prompt = \"Required Application Helper.\\nPlease enter password for continue.\" ascii\r\n $browser1 = \"Google/Chrome/\" ascii\r\n $browser2 = \"BraveSoftware/Brave-Browser/\" ascii\r\n $wallet = \"deskwallets/Electrum\" ascii\r\n condition:\r\n (1 of ($func*)) and\r\n (\r\n (2 of ($path*)) or\r\n (1 of ($cmd*)) or\r\n ($c2) or\r\n (1 of ($header*)) or\r\n ($prompt)\r\n ) and\r\n (1 of ($browser*) or $wallet)\r\n}\r\nReference:\r\nhttps://denwp.com/amos-stealer-fud/\r\nPage 12 of 13\n\nSource: https://denwp.com/amos-stealer-fud/\r\nhttps://denwp.com/amos-stealer-fud/\r\nPage 13 of 13", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://denwp.com/amos-stealer-fud/" ], "report_names": [ "amos-stealer-fud" ], "threat_actors": [ { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "cfdd35af-bd12-4c03-8737-08fca638346d", "created_at": "2022-10-25T16:07:24.165595Z", "updated_at": "2026-04-10T02:00:04.887031Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Cosmic Wolf", "Marbled Dust", "Silicon", "Teal Kurma", "UNC1326" ], "source_name": "ETDA:Sea Turtle", "tools": [ "Drupalgeddon" ], "source_id": "ETDA", "reports": null }, { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "33ae2a40-02cd-4dba-8461-d0a50e75578b", "created_at": "2023-01-06T13:46:38.947314Z", "updated_at": "2026-04-10T02:00:03.155091Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "UNC1326", "COSMIC WOLF", "Marbled Dust", "SILICON", "Teal Kurma" ], "source_name": "MISPGALAXY:Sea Turtle", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "62b1b01f-168d-42db-afa1-29d794abc25f", "created_at": "2025-04-23T02:00:55.22426Z", "updated_at": "2026-04-10T02:00:05.358041Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Sea Turtle", "Teal Kurma", "Marbled Dust", "Cosmic Wolf", "SILICON" ], "source_name": "MITRE:Sea Turtle", "tools": [ "SnappyTCP" ], "source_id": "MITRE", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434112, "ts_updated_at": 1775792229, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7dd057ab41b4f45ffa29e29508f2e9fe438236cb.pdf", "text": "https://archive.orkl.eu/7dd057ab41b4f45ffa29e29508f2e9fe438236cb.txt", "img": "https://archive.orkl.eu/7dd057ab41b4f45ffa29e29508f2e9fe438236cb.jpg" } }