New Mac Stealer “AMOS” Poses as Loom Screen Recorder, Targets Crypto Wallets
A sophisticated cybercriminal operation, potentially linked to the mysterious threat group “Crazy Evil,” has set its sights on Mac users, leveraging the popularity of the screen recorder Loom to spread the notorious AMOS stealer. Moonlock Lab researchers have uncovered this alarming campaign, revealing how attackers are abusing Google Ads to lure unsuspecting victims to a meticulously crafted fake Loom website.
Last week, Moonlock Lab announced that a variant of the AMOS stealer is being distributed by a group potentially linked to Russia, named Crazy Evil. This group is running deceptive campaigns on Google Ads to redirect users to a fake Loom website hosted at smokecoffeeshop[.]com. This site mimics the legitimate Loom site almost perfectly, tricking users into downloading the malware.
When victims click on the fraudulent Google Ad, they are redirected to a fake Loom website. Any downloads from this site result in the installation of the AMOS stealer. The malware has evolved significantly since its initial appearance in 2021, being continuously updated and improved. This sophisticated piece of malware can extract sensitive information, steal browser data, and even empty cryptocurrency wallets.
One of the standout features of this new AMOS variant is its ability to clone legitimate apps. Moonlock Lab discovered that the malware can replace apps like Ledger Live, a popular crypto wallet app, with a malicious clone. This new capability represents a significant advancement in the malware’s functionality, allowing it to bypass Apple’s App Store security measures and directly compromise users’ devices.
The threat actors have also created fake versions of other popular applications, including Figma, TunnelBlick (VPN), and Callzy. Intriguingly, one of the fake applications, BlackDesertPersonalContractforYouTubepartners[.]dmg, targets the gaming community, referencing the MMORPG Black Desert Online. Gamers, often involved with digital assets and cryptocurrencies, are frequent targets of such cyber attacks.
The group behind this campaign has been dubbed “Crazy Evil” by Moonlock Lab. Its members communicate and recruit via a Telegram bot, emphasizing the capabilities of the new AMOS stealer in their recruitment ads. The group’s operations have been linked to an IP address (85[.]28[.]0[.]47) with a high rate of malware associations, further connecting them to Russian cybercriminal activities.
To protect yourself from this emerging threat, follow these guidelines:
- Be Cautious with Downloads: Only download software from official websites or the Apple App Store. Avoid clicking on Google Ads for software downloads.
- Verify URLs: Double-check URLs to ensure you are visiting legitimate websites.
- Protect Your Gaming Accounts: Be wary of unsolicited messages offering rewards or new game trials. Report, block, and delete suspicious messages.
- Use Security Software: Employ reputable antivirus and anti-malware tools to detect and remove threats.
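A defender-side check for the app-replacement behaviour described above, as an added example that is not from the Moonlock Lab report: on macOS, `codesign` can confirm that an installed bundle such as Ledger Live still carries a valid signature from the developer's Team ID, so a bundle swapped for a malicious clone is flagged. The expected Team ID is a placeholder to be taken from a known-good install, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Moonlock Lab report): verify that an installed
# macOS app still has a valid code signature from the expected Team ID.
# Run on macOS. EXPECTED_TEAM_ID_PLACEHOLDER is a placeholder: read the real
# value from a known-good install with `codesign -dv --verbose=4 /path/App.app`.

# Extract the TeamIdentifier value from `codesign -dv --verbose=4` output.
# Pure text parsing, so this part runs on any POSIX system.
team_id_from_codesign_output() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 if the bundle verifies and its Team ID matches, 1 otherwise.
# $1 = path to the .app bundle, $2 = expected Team ID
check_app_signature() {
    app="$1"
    expected="$2"
    # --deep --strict: verify nested code too and reject altered resources
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL: $app has an invalid or missing signature"
        return 1
    fi
    # codesign prints signing details to stderr, so merge it into stdout
    details=$(codesign -dv --verbose=4 "$app" 2>&1)
    actual=$(team_id_from_codesign_output "$details")
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: $app signed by Team ID '${actual:-none}', expected '$expected'"
        return 1
    fi
    echo "OK: $app signature valid, Team ID $expected"
    return 0
}

# Example use on macOS (placeholder Team ID, replace with the real one):
# check_app_signature "/Applications/Ledger Live.app" "EXPECTED_TEAM_ID_PLACEHOLDER"
```

An unsigned or ad-hoc signed replacement fails the first check; a clone signed with a different developer identity fails the Team ID comparison.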