AMOS (Atomic macOS Stealer) and Lumma Stealer, two information-stealing malware families aimed at people in the crypto space, are being distributed through posts on Reddit. AMOS targets Mac users and Lumma targets Windows users; both are built to steal wallet data and other digital assets from the infected machine.
The posts lure readers into downloading software that has the malware bundled into it. According to reports, the lure currently making the rounds is a supposedly cracked version of the TradingView application.
Scammers share Amos and Lumma malware on Reddit
The scammers have recently been lurking in crypto-related subreddits. Their posts advertise a free "cracked" build of TradingView, supposedly derived directly from the official release, and claim it unlocks premium features such as advanced charting tools for stocks, forex, crypto and commodities.
According to Malwarebytes, both the Windows and Mac downloads are double-zipped, and the inner zip is password-protected. That is unusual for legitimate software, and it serves a purpose: antivirus engines and mail or web gateways cannot inspect the contents of an encrypted archive, so the payload is not examined until the victim types in the password and extracts it.
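The nested, password-protected archive is something a triage script can catch before anyone opens the file. The following is an added example, not code from the article or from Malwarebytes: it walks a zip archive layer by layer using only the standard library and flags the pattern described above, a zip inside a zip whose innermost layer has the encryption bit set. The sample archives, member names and payload bytes are constructed for the demonstration, and because Python's zipfile cannot write password-protected archives, the sample "encrypted" inner zip is produced by patching the flag bit in its headers.

```python
"""Flag 'double-zipped' downloads whose inner zip is password-protected."""
import io
import zipfile

# Bit 0 of the general-purpose flag field marks an entry as encrypted.
ENCRYPTED_FLAG = 0x1


def is_zip_bytes(data: bytes) -> bool:
    """True if the bytes start with a zip local-file-header signature."""
    return data[:4] == b"PK\x03\x04"


def inspect_archive(data: bytes, depth: int = 0, max_depth: int = 4) -> dict:
    """Descend through nested zips and describe the innermost layer.

    Returns {"layers": n, "encrypted": bool, "names": [...]} where
    layers counts how many zips were unwrapped, encrypted says whether any
    entry of the innermost zip carries the encryption flag, and names lists
    its members for triage.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        encrypted = any(info.flag_bits & ENCRYPTED_FLAG for info in infos)
        names = [info.filename for info in infos]
        # Only an unencrypted layer can be read, so only then do we recurse.
        if not encrypted and depth < max_depth:
            for info in infos:
                if info.is_dir():
                    continue
                inner = zf.read(info)
                if is_zip_bytes(inner):
                    return inspect_archive(inner, depth + 1, max_depth)
    return {"layers": depth + 1, "encrypted": encrypted, "names": names}


def is_suspicious(data: bytes) -> bool:
    """The pattern from the report: at least two zip layers, innermost encrypted."""
    report = inspect_archive(data)
    return report["layers"] >= 2 and report["encrypted"]


# ---- constructed samples (not real malware) ---------------------------------

def _build_zip(members: dict) -> bytes:
    """Write an uncompressed (stored) zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption flag in every local header (offset 6) and central
    directory entry (offset 8). The payload is not really encrypted; only the
    metadata claims so, which is all inspect_archive() looks at."""
    data = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + off] |= ENCRYPTED_FLAG
            pos = data.find(sig, pos + 4)
    return bytes(data)


# Hypothetical file names and contents, chosen to mirror the lure in the article.
INNER_ZIP = _mark_encrypted(_build_zip({"TradingView.exe": b"MZ fake payload (constructed)"}))
OUTER_ZIP = _build_zip({"TradingView_cracked.zip": INNER_ZIP})
CLEAN_ZIP = _build_zip({"readme.txt": b"hello"})

if __name__ == "__main__":
    for label, sample in (("lure", OUTER_ZIP), ("clean", CLEAN_ZIP)):
        print(label, inspect_archive(sample), "suspicious:", is_suspicious(sample))
```

The check reads only archive metadata, so it works on the password-protected layer without the password; an encrypted inner zip is reported as the innermost layer and the walk stops there rather than failing.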
According to the Malwarebytes post, on Mac the stolen data is exfiltrated in a POST request to a server at 45.140.13.244 hosted in Seychelles. The Mac installer carries a newer variant of AMOS, a widely used macOS stealer. Before running, it checks whether it is inside a virtual machine, a common sandbox-evasion step; if one is detected, the program exits with error code 42.
The Windows version loads its payload through an obfuscated .bat file that in turn runs a malicious script. Malwarebytes tied the Windows sample to the host cousidporke[.]icu, a domain registered in Russia only a week earlier.
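The two network indicators above, the exfiltration server 45.140.13.244 and the domain cousidporke[.]icu, are what a defender would sweep proxy logs for. The following is an added example, not code from the article or from Malwarebytes: it parses a simple proxy log, matches requests against those indicators by exact host (so a look-alike such as 45.140.13.244.example.net is not flagged), and additionally applies a generic heuristic that goes beyond the article, flagging POST requests to a bare IP address, which stealers commonly use for uploads. The log format and every log line are constructed for the demonstration; the 203.0.113.5 address comes from a documentation range.

```python
"""Sweep HTTP proxy log lines for the indicators published in the report."""
import ipaddress
import re

# Indicators from the article. The domain is defanged there as cousidporke[.]icu.
IOC_IPS = {"45.140.13.244"}
IOC_DOMAINS = {"cousidporke[.]icu".replace("[.]", ".")}

# Assumed (constructed) log shape: "<ts> <client_ip> <method> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:?#]+)")


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    h = HOST_RE.match(rec["url"])
    rec["host"] = h.group(1).lower() if h else ""  # host without port/path
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(rec):
    """Reason string if the request matches an indicator or heuristic, else None."""
    host = rec["host"]
    if host in IOC_IPS:
        return "known exfiltration IP from report"
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        return "known malicious domain from report"
    # Generic heuristic (not from the article): uploads straight to a raw IP.
    if rec["method"] == "POST" and is_ip_literal(host):
        return "POST to bare IP address (heuristic)"
    return None


def sweep(lines):
    """Return (client, method, host, bytes, reason) for every flagged line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits.append((rec["client"], rec["method"], rec["host"], rec["bytes"], reason))
    return hits


# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2025-03-20T10:01:02Z 10.0.0.7 GET https://www.tradingview.com/chart/ 200 5120
2025-03-20T10:02:15Z 10.0.0.7 POST http://45.140.13.244/ 200 248000
2025-03-20T10:03:40Z 10.0.0.9 GET http://cousidporke.icu/ 200 1203
2025-03-20T10:04:11Z 10.0.0.9 GET https://45.140.13.244.example.net/ 200 10
2025-03-20T10:05:50Z 10.0.0.11 POST http://203.0.113.5:8080/api 200 900
malformed line that should be skipped
""".splitlines()

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(hit)
```

Matching on the extracted host rather than on the raw URL string is what keeps the look-alike hostname on the fourth line out of the results; the heuristic on the last matched line is noisier than the indicator matches and is best treated as a lead to review, not an alert on its own.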