macOS Stealer Mimics a Screen Recorder to Attack Users


A new AMOS Mac stealer variant is circulating. It is distributed through a fake Loom website promoted via Google Ads, which redirects users to a fraudulent download page disguised as the legitimate Loom platform; the campaign is potentially linked to the Crazy Evil threat group. 

Once executed, the AMOS stealer exfiltrates sensitive data, including browser information, credentials, and cryptocurrency wallet contents. The stealer itself is available for rent on the dark web, demonstrating the escalating sophistication and profitability of cybercrime. 


The real Loom site is on the left, and the malicious, fake Loom site is on the right.

A new AMOS variant introduces a sophisticated app cloning capability, enabling it to replace legitimate applications like Ledger Live with malicious clones. 

By masquerading as trusted apps, the malware can surreptitiously steal cryptocurrency, NFTs, and DeFi assets, posing a significant threat to Apple users who rely on these platforms. 


The variant is capable of replacing legitimate apps such as Ledger Live with malicious clones, and researchers also discovered fake versions of popular applications including Figma, TunnelBlick, and Callzy. 

The Ledger Live app is on the Apple App Store.

Because they are installed directly onto compromised devices, bypassing Apple’s App Store security, these cloned apps pose a significant threat, potentially enabling data theft and other malicious activity. 
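A clone that replaces a legitimate app bundle cannot carry the vendor's code signature, so one defensive check is to compare the Team ID in an installed bundle's signature against the vendor you expect. The script below is an added example written for this article, not code from Moonlock Lab or from any vendor; it parses the `Key=Value` lines that `codesign -dv --verbose=4` prints on stderr and runs against constructed sample output so it works offline. The bundle identifiers and Team IDs in `EXPECTED_TEAM_IDS` are hypothetical placeholders.

```python
"""Verify that an installed macOS app bundle is signed by the vendor you expect.

Added example for this article (not code from Moonlock Lab or any vendor).
It parses the Key=Value lines that `codesign -dv --verbose=4 <bundle>` prints
on stderr and compares the TeamIdentifier with an allowlist.  The Team IDs
in EXPECTED_TEAM_IDS are hypothetical placeholders: look up the real vendor
Team ID (shown in the Developer ID certificate) before relying on this check.
"""
import subprocess
from typing import Dict

# Hypothetical allowlist: bundle identifier -> Team ID expected in the signature.
EXPECTED_TEAM_IDS: Dict[str, str] = {
    "com.ledger.live": "LEDGERTEAMID",  # placeholder, not Ledger's real Team ID
    "com.loom.desktop": "LOOMTEAMID",   # placeholder, not Loom's real Team ID
}


def parse_codesign_output(text: str) -> Dict[str, str]:
    """Turn codesign's 'Key=Value' lines into a dict.

    codesign prints several Authority= lines (leaf cert first, root last);
    the first one is kept because it names the signing developer.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() not in fields:
            fields[key.strip()] = value.strip()
    return fields


def assess_bundle(fields: Dict[str, str]) -> str:
    """Return 'ok', 'unsigned', 'team-mismatch' or 'unknown-app'."""
    team = fields.get("TeamIdentifier", "not set")
    if team == "not set":            # ad-hoc or missing signature
        return "unsigned"
    expected = EXPECTED_TEAM_IDS.get(fields.get("Identifier", ""))
    if expected is None:
        return "unknown-app"         # nothing to compare against
    return "ok" if team == expected else "team-mismatch"


def codesign_fields(bundle_path: str) -> Dict[str, str]:
    """Run codesign on a real bundle (macOS only) and parse its output."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", bundle_path],
                          capture_output=True, text=True, check=False)
    return parse_codesign_output(proc.stderr)


# Constructed sample outputs (not captured from real binaries).
SAMPLE_GENUINE = """\
Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.ledger.live
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Vendor (LEDGERTEAMID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=LEDGERTEAMID
"""

# A clone re-signed with an unrelated Developer ID certificate (placeholder).
SAMPLE_RESIGNED_CLONE = """\
Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.ledger.live
Format=app bundle with Mach-O thin (arm64)
Authority=Developer ID Application: Someone Else (OTHERTEAMID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=OTHERTEAMID
"""

# An ad-hoc signed clone: no certificate chain, no Team ID.
SAMPLE_ADHOC_CLONE = """\
Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.ledger.live
Format=app bundle with Mach-O thin (arm64)
Signature=adhoc
TeamIdentifier=not set
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # real bundle on macOS
        fields = codesign_fields(sys.argv[1])
    else:                                      # offline demo on the samples
        fields = parse_codesign_output(SAMPLE_RESIGNED_CLONE)
    print(fields.get("Identifier"), "->", assess_bundle(fields))
```

On a Mac, run it as `python3 check_bundle.py "/Applications/Ledger Live.app"`; a `team-mismatch` or `unsigned` verdict for an app that should carry the vendor's Developer ID is worth treating as a possible clone, and `unknown-app` simply means the bundle is not in the allowlist yet.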

Cybercriminals frequently target gamers, particularly younger individuals, due to their affinity for digital assets. A common tactic involves disseminating fraudulent job postings or recruitment ads on gaming platforms. 

These deceptive offers, often accompanied by promises of fake rewards, exploit social engineering to manipulate victims into compromising their systems or divulging sensitive information. 

The discovery of a .dmg file linked to Black Desert Online, a popular MMORPG, reinforces this trend, highlighting the gaming community as a prime target for malicious actors. 

Moonlock Lab identified a newly discovered cybercriminal group, Crazy Evil, which operates a Telegram channel to recruit members and distributes a modified AMOS stealer capable of targeting Ledger wallets on macOS. 

The active Telegram channel for Crazy Evil

Researchers linked Crazy Evil to the recent campaign through darknet analysis of a recruitment ad promoting the same stealer variant. The group’s identity remains unclear: it may have ties to an existing organization or be an entirely new entity. 

Analysis of the fake Loom threat uncovered the IP address 85.28.0.47, which has strong malware ties: VirusTotal flagged 93 files associated with this IP as malicious. The address is linked to a Russian government entity and belongs to Gesnet.ru, a Russian ISP, suggesting a potential network-wide compromise. 
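The one network indicator the article gives, 85.28.0.47, is the kind of value a SOC would sweep proxy and DNS logs for. The script below is an added example, not code from the article or its source: it extracts dotted quads from generic `key=value` log lines, matches them against an IoC set, and reports which endpoints contacted the address. The log lines are constructed samples, and the `host=` field name is an assumption about the log format.

```python
"""Flag log lines that show traffic to the IP address the article reports.

Added example (not code from the article or its source).  The only
indicator is 85.28.0.47, taken from the article; the log lines below are
constructed samples in a generic key=value format, not real telemetry.
Extend IOC_IPS with addresses from your own intelligence feeds.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List

IOC_IPS = {ipaddress.ip_address("85.28.0.47")}

# Candidate dotted quads; \b keeps 185.28.0.47 from matching as 85.28.0.47.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\bhost=(\S+)")   # assumed log field naming the endpoint


def find_ioc_hits(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit per line that mentions an IoC address."""
    hits: List[Dict[str, object]] = []
    for line_no, line in enumerate(lines, start=1):
        for candidate in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue   # e.g. 999.1.1.1 matches the regex but is not an address
            if ip in IOC_IPS:
                host_match = HOST_RE.search(line)
                hits.append({
                    "line_no": line_no,
                    "ip": str(ip),
                    "host": host_match.group(1) if host_match else "unknown",
                    "line": line.strip(),
                })
                break   # one hit per line is enough
    return hits


def hosts_contacting_ioc(lines: Iterable[str]) -> Dict[str, int]:
    """Count hits per endpoint so the SOC knows which machines to triage."""
    return dict(Counter(hit["host"] for hit in find_ioc_hits(lines)))


# Constructed sample log (not real data).
SAMPLE_LOG = """\
2024-07-18T10:01:02Z proxy host=mac-12 method=CONNECT dst=142.250.74.78:443 status=200
2024-07-18T10:01:05Z proxy host=mac-12 method=CONNECT dst=85.28.0.47:443 status=200
2024-07-18T10:01:07Z dns host=mac-07 query=www.example.com answer=93.184.216.34
2024-07-18T10:01:09Z proxy host=mac-03 method=CONNECT dst=185.28.0.47:443 status=200
2024-07-18T10:02:30Z proxy host=mac-07 method=GET dst=85.28.0.47:80 status=200
2024-07-18T10:03:00Z dns host=mac-12 query=broken.invalid answer=999.1.1.1
"""

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line_no']}: {hit['host']} -> {hit['ip']}")
    print(hosts_contacting_ioc(SAMPLE_LOG.splitlines()))
```

The sample deliberately includes 185.28.0.47 (a different address that contains the indicator as a substring) and a malformed 999.1.1.1, so the word-boundary regex and the `ipaddress` validation are both exercised; a naive substring search would produce a false positive on the first and a crash or junk on the second.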

Gesnet[.]ru

Gesnet.ru, a Russian ISP with a large network infrastructure, is under scrutiny for potentially providing internet access to malicious actors. 

While the company itself may be unaware of any wrongdoing, its characteristics raise concerns: it’s Russia-based with limited public information regarding ownership, finances, and services beyond basic internet connectivity. 

The strict laws of Russia further exacerbate this lack of transparency, making it challenging for outsiders to comprehend the inner workings of the ISP market, which is unofficially under government influence. 

The AMOS stealer, a sophisticated piece of Mac malware, is actively being used to steal sensitive data and is distributed through disguised applications and malicious advertisements. 

To mitigate risks, exercise extreme caution when downloading software, strictly adhere to official app stores, and maintain vigilance within online gaming communities.

Given the malware’s adaptability, continuous awareness and proactive security measures are essential to protect against future iterations of AMOS. 
