AMOS malware closes wallet apps and comes with crypto for you

The malware program “Atomic macOS,” or “AMOS,” has gained a new ability: replacing cryptocurrency wallet applications with malicious clones in order to steal funds from users.

According to an August 5 report from cybersecurity firm Moonlock Lab, the program is making a comeback, with its operators advertising it through Google AdSense. The ads impersonate popular macOS programs, including the screen-sharing app Loom, the user interface design tool Figma, the VPN client Tunnelblick, and the instant messaging app Callzy. None of these applications' developers have anything to do with the fake versions that carry AMOS.

Moonlock researchers discovered the malware when they came across an ad for what appeared to be Loom. Clicking the ad redirected them to smokecoffeeshop.com, which in turn redirected them to a fake version of the Loom website.

The fake version looks just like the real one.

Comparison between the real (left) and fake (right) versions of the Loom website. Source: Moonlock Lab

AMOS is not a new program. Cybersecurity firm Cyble reported its existence in April 2023. Cyble said the program was being sold to cybercriminals on Telegram as a subscription service costing $1,000 a month.

At the time, it was able to target more than 50 different crypto wallets, including Electrum, MetaMask, Coinbase, Binance, Exodus, Atomic, Coinomi and more. When the program finds one of these wallets on a user's computer, it steals the wallet's data, Cyble said, meaning the user's encrypted key vault file may be exfiltrated by AMOS.

Crypto wallets targeted by AMOS. Source: Cyble Research and Intelligence Labs

If the key vault file is stolen, the attacker can try to extract the user's wallet keys from it, which is especially likely to succeed if the victim chose a weak password when first creating the wallet.

According to Moonlock, the software has now been upgraded with a version that has a “fancy” new capability: AMOS can “replace a specific crypto wallet app with a clone and easily wipe out victims' e-wallets.”

Specifically, it can clone the Ledger Live software used by owners of Ledger hardware wallets. Moonlock emphasized that this capability had “never been reported in an AMOS version before and represents a significant advance for the malicious program.”

Ledger devices store their private keys on the hardware device itself, where malware installed on a PC cannot reach them, and users must confirm every transaction on the device. This makes it difficult for malware to steal cryptocurrency from Ledger users. The attacker's aim in cloning Ledger Live, however, may be to display misleading information on the user's screen so that the user mistakenly sends crypto to the attacker.

Related: Ledger CTO warns crypto users about ‘blind signing' risk

Even more worrisome than its ability to clone Ledger Live, the report suggests that future versions of the software may clone other apps, including software wallets such as MetaMask and Trust Wallet. “If this new version of AMOS replaces Ledger Live with a fake, malicious clone, it could do the same to other applications,” Moonlock pointed out.

Software wallets display all of their information directly on the PC screen, which makes a misleading display even more dangerous.
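One defensive check against the swapped-in clone described above is to confirm that the app bundle installed on the Mac still carries the genuine developer's code signature. The following is an added example, not Moonlock's or Ledger's code: it parses the output of Apple's `codesign -dv --verbose=2` and compares the signing Team ID with one obtained from a trusted source; the bundle path and the Team ID value are placeholders, not real values from the page.

```python
"""Classify a macOS app bundle by its code signature (added example, not from the report).

`codesign -dv --verbose=2 <bundle>` writes Key=Value lines to stderr, including
`TeamIdentifier=...`. A clone dropped in by malware is typically unsigned, ad-hoc
signed ("TeamIdentifier=not set") or signed by a different team than the developer.
"""
import subprocess

# Assumption: the genuine developer's Apple Team ID, looked up out of band.
# "REPLACEME0" is a placeholder; the page does not give the real value.
EXPECTED = {"/Applications/Ledger Live.app": "REPLACEME0"}


def parse_codesign_output(text: str) -> dict:
    """Turn codesign's Key=Value lines into a dict (first '=' splits key from value)."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip()
    return info


def signature_verdict(codesign_text: str, expected_team_id: str) -> str:
    """Return 'ok', 'unsigned', 'adhoc' or 'team-mismatch' for one codesign report."""
    info = parse_codesign_output(codesign_text)
    team = info.get("TeamIdentifier")
    if team is None:
        return "unsigned"       # no signature details at all
    if team == "not set":
        return "adhoc"          # ad-hoc signature: no developer identity behind it
    return "ok" if team == expected_team_id else "team-mismatch"


def check_bundle(path: str) -> str:
    """Run codesign on a bundle and classify it; requires macOS with the codesign tool."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=2", path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return "unsigned"       # e.g. "code object is not signed at all"
    return signature_verdict(proc.stderr, EXPECTED.get(path, ""))


if __name__ == "__main__":
    for bundle in EXPECTED:
        print(bundle, check_bundle(bundle))
```

Any verdict other than "ok" for a wallet app is a reason to stop using it and reinstall from the developer's official site.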

Moonlock attributes the malware to a developer known as Crazy Evil, who advertises the software on Telegram. The group has posted a recruitment ad claiming that AMOS is capable of cloning Ledger Live.

Users who run crypto wallet software on a Mac should be aware that AMOS is targeting people like them. Because this malware is generally distributed through Google AdSense ads, it is worth being very careful before downloading software from a website reached through a banner or ad. The download may look like Loom, Callzy or another popular program, but actually be a copy of AMOS.

Magazine: Strange ‘null address' iVest hack, millions of PCs still vulnerable to ‘Sinkclose' malware: Crypto-Sec

If you doubt a website's authenticity, typing the program's name into a search engine and scrolling through the organic results is often an effective way to find the app's official website, as scammers usually lack the domain authority to rank at the top of organic results for an app's name.

Google uses filters to keep malware out of its ad program, but they are not 100% effective.

Malware continues to be a serious threat to crypto users. On August 16, cybersecurity firm Check Point Research discovered a similar “stealer” program that siphons cryptocurrency through a technique called “clipping.” On May 13, Kaspersky Labs discovered a malware called “Durian” that was used to attack crypto exchanges.
