Maddie Stewart
Maddie graduated from Tufts University with Bachelor's degrees in International Relations and Spanish. She previously worked for CrowdStrike's Intelligence Analysis Cell's Latin America mission and conducted research in Spanish and Portuguese.
Currently, Maddie is employed as a senior intelligence analyst with CrowdStrike's Global Threat Analysis Cell where she focuses on enabling and commodity eCrime threats. She previously presented at Fal.Con, OBTS, and SleuthCon on the macOS information stealer ecosystem.
Session
Prior to 2023, commodity information stealers targeting macOS remained a niche activity rarely found advertised in cybercrime communities. The March 2023 release of COOKIE SPIDER’s Atomic macOS Stealer (aka AMOS) sparked rapid adoption among Russian-speaking “traffer” groups and, subsequently, the rise of many competitor stealer projects that continue to proliferate to this day.
This talk will trace the origins of AMOS and its main operator, COOKIE SPIDER, as well as profile its major competitors, touching on similarities and differences between each malware family, their customers, and novel distribution methods and trends. We will also showcase the use of crypto analysis to map relationships between stealer vendors, their customers, and their infrastructure.
The presentation will also highlight the ecosystem in which macOS malware vendors and users exist, including the monetization of their infections via cryptocurrency theft, sale of logs, and the emergence of some of the first Pay-Per-Install (PPI) services leveraging macOS infections. We will conclude our talk with a look at recent and future trends in commodity macOS malware development.