Malicious OpenClaw Skills Exploit User Trust to Deploy AMOS Malware
In a concerning development, cybercriminals have shifted their tactics to distribute the Atomic macOS Stealer (AMOS) malware by embedding it within malicious OpenClaw skills. This method exploits the trust users place in AI agent extensions, leading to significant data breaches.
Understanding AMOS and Its Capabilities
AMOS is a sophisticated malware-as-a-service (MaaS) tool designed to extract sensitive information from Apple devices. Its capabilities include:
– Harvesting credentials and browser data.
– Accessing cryptocurrency wallet details.
– Retrieving Telegram chats and VPN profiles.
– Extracting Apple keychain items.
– Collecting files from common directories like Desktop, Documents, and Downloads.
This extensive data collection poses a significant threat to user privacy and security.
The New Attack Vector: OpenClaw Skills
Traditionally, AMOS was disseminated through cracked software downloads. However, recent campaigns have seen threat actors embedding AMOS within malicious OpenClaw skills—add-on packages that enhance AI agent functionalities on platforms like OpenClaw. This approach represents a novel supply chain attack targeting AI agent workflows.
The Infection Process
The attack initiates with a seemingly benign SKILL.md file instructing the AI agent to install a counterfeit prerequisite named OpenClawCLI from a malicious external website. When processed by less cautious models like GPT-4o, the instruction may lead to silent installation or persistent prompts for manual installation. In contrast, more advanced models like Claude Opus 4.5 can identify the skill as suspicious and halt the process.
If the installation proceeds, a Base64-encoded command is fetched and executed, deploying a Mach-O universal binary compatible with both Intel-based and Apple Silicon Mac machines. Upon execution, macOS rejects the unsigned file, triggering a fake password dialogue box that deceives users into providing their system passwords, thereby granting the malware the necessary access to operate.
Detailed Examination of the Infection Chain
Once the user inputs their password, AMOS activates and begins its data collection process:
– User Credentials: Captures the machine’s username and password.
– File Extraction: Targets files from Desktop, Downloads, and Documents folders, including formats like .pdf, .csv, .kdbx, and .docx.
– Keychain Access: Retrieves Apple keychain credentials and Apple Notes.
– Browser Data: Extracts cookies, passwords, and credit card information from 19 different browsers.
– Cryptocurrency Wallets: Accesses data from over 150 cryptocurrency wallets.
The amassed data is then compressed into a ZIP archive and transmitted to a command-and-control (C&C) server at socifiapp[.]com.
Indicators of Compromise (IoCs)
To assist in identifying potential infections, the following IoCs have been associated with this campaign:
– Malicious Skill Delivery Site: hxxps://openclawcli[.]vercel[.]app/
– Payload Download Server: 91.92.242[.]30
– Payload Download URL: hxxp://91.92.242[.]30/ece0f208u7uqhs6x
Recommendations for Users
To mitigate the risk of infection, users are advised to:
1. Verify Skill Sources: Ensure that any OpenClaw skill originates from a reputable source before installation.
2. Exercise Caution with Password Prompts: Avoid entering system passwords prompted by unfamiliar tools or applications.
3. Utilize Isolated Environments: Test unvalidated skills in a controlled, isolated environment to prevent potential system compromise.
4. Implement Execution Containers: Use containers to limit the execution capabilities of AI agents, thereby reducing the potential impact of malicious activities.
By adhering to these practices, users can enhance their security posture and protect their systems from such sophisticated attacks.
