Recent research from Moonlock Lab has revealed a sophisticated cybercriminal operation, potentially connected to a group dubbed “Crazy Evil,” that is homing in on Mac users. This operation exploits the popularity of the screen recording tool Loom as a vector for distributing the advanced AMOS stealer malware.
Attackers are utilizing Google Ads to deceive unsuspecting individuals, directing them to a meticulously designed counterfeit Loom website hosted at smokecoffeeshop[.]com. This site closely resembles the true Loom platform, creating a plausible façade for users to unwittingly download the malicious software. Once downloaded, the AMOS stealer installs itself on the victim’s device, leading to significant risks, including the extraction of sensitive data and theft of browser information and cryptocurrency assets.
The AMOS stealer has evolved dramatically since its original emergence in 2021, enhancing its capabilities to deliver increasingly sophisticated attacks. A notable advancement in this variant is its ability to replicate legitimate applications, such as Ledger Live, a popular cryptocurrency wallet, thereby circumventing Apple’s App Store security protocols. In addition to targeting well-known applications, the threat actors have created fake versions of software such as Figma, Tunnelblick, and Callzy, with a specific focus on the gaming community. For instance, one variant named BlackDesertPersonalContractforYouTubepartners[.]dmg targets players of the MMORPG Black Desert Online, often appealing to those involved in digital assets.
The group, believed to operate from Russia, engages potential recruits through a Telegram bot, highlighting the capabilities of their AMOS stealer in their recruitment campaigns. Cybersecurity analysts have also linked the group’s operations to an IP address (85[.]28[.]0[.]47) with a high rate of malware associations, further underscoring the serious nature of this threat.
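The indicators published above (the fake Loom domain, the associated IP address, and the gaming-themed installer name) are the parts of this report a defender can act on directly. The following script, an added example and not code from Moonlock Lab or the original report, shows how to refang those indicators and sweep them across DNS, proxy, firewall and EDR log lines. The log lines and their format are constructed for the example; only the three indicators come from the report. Matching is bounded so that `185.28.0.47` is not mistaken for `85.28.0.47`, while a subdomain such as `www.smokecoffeeshop.com` still counts as a hit on the parent domain.

```python
import re

# Indicators exactly as published in the report, in defanged form.
DEFANGED_IOCS = {
    "domain": ["smokecoffeeshop[.]com"],
    "ip": ["85[.]28[.]0[.]47"],
    "filename": ["BlackDesertPersonalContractforYouTubepartners[.]dmg"],
}


def refang(value: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_patterns(iocs=DEFANGED_IOCS):
    """Compile one bounded, case-insensitive regex per indicator.

    The lookbehind rejects a preceding word character or hyphen, so
    '185.28.0.47' does not match '85.28.0.47'; a preceding '.' is allowed so
    that 'www.smokecoffeeshop.com' still matches the parent domain. The
    lookahead rejects a trailing word character or hyphen, so '85.28.0.471'
    is not a hit either, while 'smokecoffeeshop.com/download' is.
    """
    patterns = []
    for kind, values in iocs.items():
        for defanged in values:
            live = refang(defanged)
            regex = re.compile(r"(?<![\w-])" + re.escape(live) + r"(?![\w-])",
                               re.IGNORECASE)
            patterns.append((kind, live, regex))
    return patterns


def scan_lines(lines, iocs=DEFANGED_IOCS):
    """Return one hit dict per (line, indicator) match, in line order."""
    patterns = build_patterns(iocs)
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for kind, live, regex in patterns:
            if regex.search(line):
                hits.append({"line": lineno, "kind": kind, "indicator": live})
    return hits


# Constructed sample log lines (assumed formats; not real telemetry).
SAMPLE_LOGS = [
    "2024-07-10T12:01:02Z dns client=10.0.0.12 qname=smokecoffeeshop.com type=A",
    "2024-07-10T12:01:03Z proxy client=10.0.0.12 GET https://www.smokecoffeeshop.com/download/Loom.dmg status=200",
    "2024-07-10T12:01:04Z proxy client=10.0.0.12 GET https://www.loom.com/ status=200",
    "2024-07-10T12:05:00Z fw allow src=10.0.0.12 dst=85.28.0.47 dport=443",
    "2024-07-10T12:05:01Z fw allow src=10.0.0.12 dst=185.28.0.47 dport=443",
    "2024-07-10T12:06:00Z edr file_created path=/Users/alice/Downloads/BlackDesertPersonalContractforYouTubepartners.dmg",
]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} indicator {hit['indicator']}")
```

Run against the constructed sample, the sweep reports lines 1, 2, 4 and 6 and ignores the legitimate loom.com request and the near-miss `185.28.0.47` entry. In practice the same function can be fed an exported proxy or DNS log, and the indicator table extended as further reporting on this campaign appears.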
In response to this alarming development, users must exercise caution when downloading software, sticking strictly to official channels. Verifying URLs, protecting gaming accounts, and employing robust security software are critical measures to mitigate the risk posed by this malicious operation.