Subscribe for notification
Business

AMOS Malware Targets Mac Users by Cloning Wallet Apps

According to cybersecurity company Moonlock, the AMOS stealer targeting Mac users may now copy Ledger Live software and might copy additional wallet apps soon.

A new feature of the malware program “Atomic MacOS,” or “AMOS,” enables it to replicate wallet apps and steal cryptocurrency from victims.

A study published on August 5 by cybersecurity company Moonlock Lab claims that the scheme is seeing a rebirth after the company noticed it being promoted through Google AdSense. It pretended to be well-known MacOS apps in the ads, such as the instant messaging software Callzy, the VPN Tunnelblick, the screen-sharing app Loom, and the UI design tool Figma. None of the app developers approved the phony AMOS virus versions.

The Malware was found by Moonlock researchers when they came across a variant that claimed to be Loom. After clicking the advertising, they were taken to smokecoffeeshop.com, which took them to an impersonated version of the Loom website once more.

The counterfeit appeared precisely like the original. However, when a user clicked the “Get Loom for free” link, “a complex version of the AMOS stealer” was downloaded rather than the Genuine Loom software.

Comparison between real (left) and fake (right) version of Loom website. Source: Moonlock Lab

Program AMOS is not brand-new. As early as April 2023, cybersecurity company Cyble declared its existence. Cyble claimed that the application was being offered to hackers as a $1,000 monthly membership service on Telegram.

It could target more than fifty different cryptocurrency wallets at the time, including Electrum, MetaMask, Coinbase, Binance, Exodus, Atomic, Coinomi, and others. According to Cyble, if the application discovered any of these wallets on a user’s computer, it grabbed the wallet’s data, suggesting that AMOS most certainly stole the user’s encrypted key vault file.

AMOS targeting crypto wallets. Source: Cyble Research and Intelligence Labs

An attacker can empty a user’s wallet to obtain a key vault file, mainly if the victim sets a weak password when opening their wallet account.

Moonlock stated that it discovered a version of the software that “has a novel capability,” suggesting that it has reportedly been modified. AMOS can “easily wipe out victims’ e-wallets and replace a specific crypto wallet app with a clone.”

It can precisely replicate the Ledger Live software used by users of Ledger hardware wallets. This feature “has never been reported in a version of AMOS before and represents a significant leap forward” for the malicious software, according to Moonlock.

Users must validate every transaction on the device, and ledger devices store their private keys on hardware protected from Malware installed on a PC. As a result, Malware finds it more challenging to steal cryptocurrency from Ledger users. However, by copying Ledger Live, the attacker might be hoping to trick the user into sending their cryptocurrency to them by showing false information on their screen.

The possibility that further iterations of the program can clone other programs is more concerning than the report’s description of Ledger Live cloning. Software wallets such as Trust Wallet and MetaMask may fall under this category. Moonlock hypothesized, “This new version of AMOS could replace other apps with a fake malicious clone, just like it can replace Ledger Live.”

Software wallets increase the danger of false presentations by displaying all their information immediately on the PC monitor.

Moonlock asserted that he had located the program’s creator, Crazy Evil, who promotes itself on Telegram. Allegedly, the group boasted in a job ad about how well the AMOS software replicated Ledger Live.

Users of Macs running cryptocurrency wallet software should be aware that AMOS is designed with them in mind. They should exercise extreme caution when deciding whether to download software from a website they identified through a banner or display ad, as this Malware is typically spread through Google Adsense adverts. It looks like Callzy, Loom, or some other well-known program, but it’s a clone of AMOS.

When in doubt about a website’s legitimacy, searching for the program’s name in a search engine and scrolling down to the organic results can occasionally be a helpful method of locating the official app website because scammers typically lack the domain authority necessary to appear high up in the organic results for app names.

Although they are not always successful, Google employs filters to try to stop malware programs from being promoted through their program.

Users of cryptocurrency are still seriously threatened by Malware. Cybersecurity company Check Point Research found a similar “stealer” malware on August 16 that used a technique known as “clipping” to drain cryptocurrency. Malware known as “Durian” was found by Kaspersky Labs on May 13 and was utilized to target cryptocurrency exchanges.

Ruth Okarter

Ruth is a seasoned news reporter and editor who brings her sharp eye and passion for storytelling to Protechbro.com. With a background in English and literary studies, Ruth crafts compelling narratives that unpack the complexities of the ever-evolving tech landscape.

Disqus Comments Loading...

Recent Posts

Crypto Companies Could See More US Listings if Trump Wins

According to a research report from HTX Ventures, the trend of crypto companies departing the United States could be halted,…

17 hours ago

Metaplanet Joins Global Equity Index

Metaplanet Inc., a Japanese investment firm, has been admitted to the CoinShares Blockchain Global Equity Index (BLOCK Index). Prominent publicly…

17 hours ago

Major South Korean Banks Join CBDC Pilot

The central bank's CBDC pilot, which is rapidly expanding, has attracted the participation of numerous prominent South Korean banks and…

18 hours ago

BTC Plummets, Mt.Gox Sends $2.2B in Bitcoin to 2 Wallet

After first going to a Mt.Gox cold wallet, most of that stash—nearly 30,400 bitcoin BTC—was sent to "1FG2C…Rveoy," and 2,000…

21 hours ago

Firms Unveil Global Dollar Stablecoin Network

Major banking firms launched the Global Dollar Network, a regulated platform designed to accelerate stablecoin adoption worldwide. Crypto and traditional…

21 hours ago

Sky Co-Founder Proposes No New Token Emissions

Rune Christensen, co-founder of Sky (formerly MakerDAO), proposes a strictly deflationary model to stop token emissions, in line with MakerDAO’s…

1 day ago