New AMOS malware is cloning crypto wallet apps on Macs


In this post:

  • AMOS malware is back, this time pretending to be the Loom screen recorder app and targeting Macs to steal crypto wallets.
  • Cybercriminals are using fake Google Ads to trick people into downloading a malicious version of Loom that clones legit apps like Ledger Live.

So here we go again. The AMOS Mac malware is back in the game, and this time it’s wearing a new disguise. The sneaky psychos behind this attack have decided to impersonate Loom, the popular screen recording app with over 20 million users.

And guess what? They’re using Google Ads to pull in victims, making this operation look as legit as it gets. The plan? Get unsuspecting users to download a fake version of Loom from a phony website.

Images compare the original Loom site side by side with the malicious Loom site.

Researchers at Moonlock Lab report that this latest version is also cloning legitimate crypto wallet apps, like Ledger Live. Yup, the AMOS stealer is replacing these trusted apps with malicious clones.

Once on your Mac, it’s game over. Your crypto wallets, browser data, passwords—all up for grabs. The group behind this, possibly called “Crazy Evil,” seems well-organized and linked to Russian cybercriminal networks.

People would click on these ads, thinking they’re getting the real deal, and instead, they’d be redirected to some sketchy site called smokecoffeeshop[.]com. 

From there, things got weirder. Victims would end up on a website that looks exactly like Loom’s, but it’s a trap. A click on the download button, and boom—your Mac is now infected with the new AMOS stealer.

This is a polished product on the black market. Renting it out could cost up to $3,000 a month. And why so expensive? Because this thing does it all. It steals files, nabs browser history, grabs credentials, empties your crypto wallets—the whole nine yards. 

This is top-shelf malware, folks.

They’ve cloned other apps too—Figma, TunnelBlick (a VPN), Callzy, and even a bizarre case called BlackDesertPersonalContractforYouTubepartners[.]dmg.

Moonlock found some clues linking Crazy Evil to this campaign on the dark web. They stumbled upon a recruitment ad looking for people to join a team using—you guessed it—the AMOS stealer. 

This ad even bragged about its ability to replace “Ledger” on macOS, confirming that the same AMOS version found in the wild was being pushed by these guys, impersonating Loom. 

Further digging revealed an IP address tied to this mess—85[.]28[.]0[.]47. When Moonlock ran this IP through VirusTotal, a site that checks for malware, it flagged 93 files as malicious. 
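Defenders usually turn indicators like the domain and IP address named above into a log check. As an added example (not Moonlock's or Cryptopolitan's code), the script below refangs the article's bracketed indicators and flags proxy log lines that touch them; the log format and the sample lines are constructed assumptions, not data from the report.

```python
import ipaddress
import re
# Indicators named in the article, in the defanged form it uses.
DEFANGED_IOCS = ["smokecoffeeshop[.]com", "85[.]28[.]0[.]47"]

# Constructed proxy log lines (not from the article): time client method url dst_ip
SAMPLE_LOG = """\
2024-07-10T09:12:01Z 10.0.0.12 GET https://www.loom.com/download 203.0.113.9
2024-07-10T09:12:44Z 10.0.0.12 GET https://smokecoffeeshop.com/landing 198.51.100.7
2024-07-10T09:13:02Z 10.0.0.12 GET https://cdn.smokecoffeeshop.com/Loom.dmg 85.28.0.47
2024-07-10T09:15:30Z 10.0.0.31 GET https://www.ledger.com/ledger-live 203.0.113.20
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.I)

def refang(indicator):
    """Turn a defanged indicator ('[.]', 'hxxp') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def split_iocs(defanged):
    """Sort refanged indicators into a domain set and an IP-address set."""
    domains, ips = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))  # normalises the address
        except ValueError:
            domains.add(value)  # not an IP address, so treat it as a domain
    return domains, ips

def scan_log(text, defanged=DEFANGED_IOCS):
    """Return (line_no, client, reason) for each log line that hits an IoC."""
    domains, ips = split_iocs(defanged)
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        _ts, client, _method, url, dst = m.groups()
        h = HOST_RE.match(url)
        host = h.group(1).lower() if h else ""
        reasons = []
        # exact domain match or any subdomain of a listed domain
        if any(host == d or host.endswith("." + d) for d in domains):
            reasons.append("domain:" + host)
        if dst in ips:
            reasons.append("ip:" + dst)
        if reasons:
            hits.append((n, client, ", ".join(reasons)))
    return hits
```

Running `scan_log(SAMPLE_LOG)` returns the two lines that reach the lookalike domain, the second of which also resolves to the flagged address.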

And get this—those files had connections to a Russian government entity. Coincidence? Maybe, but probably not. The IP’s Internet Service Provider (ISP) was listed as Gorodskaya elektronnaya svyaz Ltd, aka Gesnet[.]ru, a Russian company.

Gesnet seems to run a big network, but good luck finding any detailed info about them. The Russian ISP market is murky, to say the least, with strict laws that make transparency nearly impossible for outsiders.

For now, the best defense is a good offense. Stay vigilant, don’t click on shady ads, and for the love of crypto, keep an eye on your apps.
