AMOS Malware Targets Mac Users by Cloning Wallet Apps

According to cybersecurity company Moonlock, the AMOS stealer targeting Mac users may now copy Ledger Live software and might copy additional wallet apps soon.

A new feature of the malware program “Atomic MacOS,” or “AMOS,” enables it to replicate wallet apps and steal cryptocurrency from victims.

A study published on August 5 by cybersecurity company Moonlock Lab claims that the scheme is seeing a rebirth after the company noticed it being promoted through Google AdSense. It pretended to be well-known MacOS apps in the ads, such as the instant messaging software Callzy, the VPN Tunnelblick, the screen-sharing app Loom, and the UI design tool Figma. None of the app developers approved the phony AMOS virus versions.

The Malware was found by Moonlock researchers when they came across a variant that claimed to be Loom. After clicking the advertising, they were taken to smokecoffeeshop.com, which took them to an impersonated version of the Loom website once more.

The counterfeit appeared precisely like the original. However, when a user clicked the “Get Loom for free” link, “a complex version of the AMOS stealer” was downloaded rather than the Genuine Loom software.

Program AMOS is not brand-new. As early as April 2023, cybersecurity company Cyble declared its existence. Cyble claimed that the application was being offered to hackers as a $1,000 monthly membership service on Telegram.

It could target more than fifty different cryptocurrency wallets at the time, including Electrum, MetaMask, Coinbase, Binance, Exodus, Atomic, Coinomi, and others. According to Cyble, if the application discovered any of these wallets on a user’s computer, it grabbed the wallet’s data, suggesting that AMOS most certainly stole the user’s encrypted key vault file.

An attacker can empty a user’s wallet to obtain a key vault file, mainly if the victim sets a weak password when opening their wallet account.

Moonlock stated that it discovered a version of the software that “has a novel capability,” suggesting that it has reportedly been modified. AMOS can “easily wipe out victims’ e-wallets and replace a specific crypto wallet app with a clone.”

It can precisely replicate the Ledger Live software used by users of Ledger hardware wallets. This feature “has never been reported in a version of AMOS before and represents a significant leap forward” for the malicious software, according to Moonlock.

Users must validate every transaction on the device, and ledger devices store their private keys on hardware protected from Malware installed on a PC. As a result, Malware finds it more challenging to steal cryptocurrency from Ledger users. However, by copying Ledger Live, the attacker might be hoping to trick the user into sending their cryptocurrency to them by showing false information on their screen.

The possibility that further iterations of the program can clone other programs is more concerning than the report’s description of Ledger Live cloning. Software wallets such as Trust Wallet and MetaMask may fall under this category. Moonlock hypothesized, “This new version of AMOS could replace other apps with a fake malicious clone, just like it can replace Ledger Live.”

Software wallets increase the danger of false presentations by displaying all their information immediately on the PC monitor.

Moonlock asserted that he had located the program’s creator, Crazy Evil, who promotes itself on Telegram. Allegedly, the group boasted in a job ad about how well the AMOS software replicated Ledger Live.

Users of Macs running cryptocurrency wallet software should be aware that AMOS is designed with them in mind. They should exercise extreme caution when deciding whether to download software from a website they identified through a banner or display ad, as this Malware is typically spread through Google Adsense adverts. It looks like Callzy, Loom, or some other well-known program, but it’s a clone of AMOS.

When in doubt about a website’s legitimacy, searching for the program’s name in a search engine and scrolling down to the organic results can occasionally be a helpful method of locating the official app website because scammers typically lack the domain authority necessary to appear high up in the organic results for app names.

Although they are not always successful, Google employs filters to try to stop malware programs from being promoted through their program.

Users of cryptocurrency are still seriously threatened by Malware. Cybersecurity company Check Point Research found a similar “stealer” malware on August 16 that used a technique known as “clipping” to drain cryptocurrency. Malware known as “Durian” was found by Kaspersky Labs on May 13 and was utilized to target cryptocurrency exchanges.