Malware, tea.app (AtomicStealer)
Bill Cole
macportsusers-20171215 at billmail.scconsult.com
Fri Apr 11 14:38:37 UTC 2025
On 2025-04-10 at 15:17:36 UTC-0400 (Thu, 10 Apr 2025 14:17:36 -0500)
Ryan Carsten Schmidt <ryandesign at macports.org>
is rumored to have said:
> On Apr 10, 2025, at 13:21, Forrest Aldrich wrote:
>> My malware checker has identified potential malware (AtomicStealer)
>> distributed from MacPorts. I'd like to confirm with the community
>> what else is known:
>>
>>
>> /Applications/MacPorts/tea.app
>> ➜ /Applications cd MacPorts
>
> I know that tea is a text editor.
>
> https://ports.macports.org/port/tea
>
> I am not aware of it containing malware.
I uploaded the executable from the MacPorts binary package (x86/Sonoma)
here:
https://www.virustotal.com/gui/file/114b5c6106adcc581253cac07343157b9e6ff4a477d294df977190517b27ab7b/detection
9 of the 63 AV tools used there mark it as malicious, including
Microsoft, Symantec, and Avast, which are usually pretty good with FPs.
The behavior in the VT sandbox is not definitively suspect, but it does
try some network connections which could be problematic. I don't see why
a text editor does all that on its own.
I was unable to build the port from source with MacPorts on Sonoma. It
emits this in the config stage, while executing qmake (ewww):
Project WARNING: Qt has only been tested with version 13 of the platform SDK, you're using 14.
Project WARNING: This is an unsupported configuration. You may experience build issues, and by using
Project WARNING: the 14.5 SDK you are opting in to new features that Qt has not been prepared for.
Project WARNING: Please downgrade the SDK you use to build your app to version 13, or configure
Project WARNING: with CONFIG+=sdk_no_version_check when running qmake to silence this warning.
It then proceeds to crash out on missing includes (from the c++ tree?)
in qt5 header files. It is not clear how the binary package got built
with this problem. This raises the possibility of a compromise in the
MacPorts build system.
> As far as I know, Atomic Stealer is distributed by tricking a user
> into downloading and installing what looks like a browser update or a
> cracked commercial application. It seems unlikely that it would appear
> in an esoteric open source text editor so my initial assumption is
> that this is a false positive from your malware checker.
That would be my first guess too, but the 9 hits in VT make me nervous.
Atomic Stealer is a trojan that has seen multiple variants, as it is
designed to hide in or as other apps.
--
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo at toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire