• The AMOS stealer targets wallets on macOS devices to drain the funds they hold.
• Its developers advertise it as popular applications used in the macOS ecosystem, only to have users download the malware from spoofed sites that look like the real deal.

As a seasoned analyst with over two decades of experience in the digital security landscape, I’ve seen my fair share of malware, but the AMOS stealer is truly a new breed. The clever tactics used by ‘Crazy Evil’ to distribute this malicious software are nothing short of impressive – it’s like watching a masterful game of cat and mouse, except in this case, the mouse isn’t winning.
As a crypto investor using a Mac device, I recently became aware of a concerning update to the AMOS malware. This malicious software, now known as Atomic macOS, has been enhanced to mimic wallet applications running on my system. The notorious group ‘Crazy Evil’ is reportedly promoting this dangerous tool through Google AdSense, disguising it as familiar apps such as Loom, Callzy, and Figma. It’s essential for me to remain vigilant and cautious about the apps I download to protect my digital assets.

As a crypto investor, I recently discovered that my preferred cybersecurity firm, Moonlock, unveiled some concerning findings about an insidious scheme involving the AMOS stealer. It seems that fraudsters are using deceptive tactics to lure unsuspecting users into downloading this malicious software.

Malware Targeting Mac Devices Can Clone Wallets and Steal Crypto

“On your left, you’ll find the genuine Loom site. To your right, there’s a fraudulent, misleading Loom site. (As mentioned in Moonlock’s report on the AMOS stealer.)”

AMOS Can Manipulate Ledger Live Successfully, Could Also Do the Same to Other Wallet Apps

According to the cybersecurity company’s review, the malware appears capable of mimicking Ledger Live, the application users run to initiate transactions from their hardware wallets. Ledger Live does not store users’ private keys, so AMOS cannot obtain wallet credentials through it; instead, Moonlock speculates that AMOS alters the recipient addresses of transactions. Because everything the counterfeit app displays looks legitimate, the swap raises no suspicion, and users would only realize their funds went to unintended addresses after the transactions complete. Moonlock has so far detected AMOS targeting Ledger Live, but it may be able to replicate the same behavior against other popular wallets such as MetaMask.

“According to Moonlock Lab’s findings, the latest iteration of AMOS possesses an unprecedented feature: it can swap a certain crypto wallet app with a counterfeit version and swiftly erase users’ digital wallets. This feature has not been observed in any previous versions of AMOS, marking a substantial advancement.”
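The behavior described above (a genuine wallet app replaced in place by a counterfeit copy) is exactly what a file-integrity baseline catches. The following is an added example and not code from Moonlock’s report or the article: it records a SHA-256 manifest of an application bundle while the install is known-good, then re-hashes it later and reports files that were modified, removed or added. The bundle layout, file names and contents are constructed stand-ins, not real Ledger Live files.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def verify_manifest(root: Path, baseline: dict) -> dict:
    """Compare the bundle on disk against a trusted baseline manifest.

    Returns the three kinds of drift a defender cares about: files whose hash
    changed (binary or UI resources swapped), files that vanished, and files
    that appeared (e.g. an injected library).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Build a constructed stand-in bundle, baseline it, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Wallet.app"  # hypothetical bundle name
        (root / "Contents/MacOS").mkdir(parents=True)
        (root / "Contents/Resources").mkdir(parents=True)
        (root / "Contents/MacOS/Wallet").write_bytes(b"genuine binary v1")
        (root / "Contents/Resources/ui.js").write_bytes(b"render(address)")

        baseline = build_manifest(root)  # taken while the install is trusted

        # Constructed tampering: main binary and UI resource replaced, one file added.
        (root / "Contents/MacOS/Wallet").write_bytes(b"counterfeit binary")
        (root / "Contents/Resources/ui.js").write_bytes(b"render(otherAddress)")
        (root / "Contents/Resources/extra.dylib").write_bytes(b"injected")

        return verify_manifest(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline would be stored outside the bundle (ideally off-host) and re-checked on a schedule or before each launch; on a real Mac, `codesign --verify` and `spctl --assess` on the bundle are the complementary checks, since a counterfeit copy will not carry the vendor’s valid signature.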

In April 2023, a previous version of this malware was detected and found capable of stealing encrypted Keyvault files from users’ digital wallets; these stolen files could allow cybercriminals to drain the wallets of unsuspecting users. Approximately 50 different cryptocurrency wallet applications were found to be susceptible to this threat. Crazy Evil initially offered it for sale to criminals at $1,000 each, but Moonlock now estimates that the new version sells for around $3,000 on the black market.

2024-08-24 17:38