Warning: AMOS and Lumma Stealers Targeting Reddit Crypto Enthusiasts

TL;DR

AMOS and Lumma stealers are actively spreading on Reddit, targeting cryptocurrency traders with malicious software disguised as cracked versions of TradingView. These malware variants steal personal data and compromise crypto wallets. Stay vigilant and avoid downloading software from untrusted sources.

AMOS and Lumma Stealers Actively Spreading on Reddit

Cybersecurity experts have issued a warning about the distribution of AMOS and Lumma stealers through Reddit, specifically targeting users engaged in cryptocurrency trading. These malicious programs are disguised as cracked versions of popular trading platforms like TradingView, luring unsuspecting victims into downloading and installing them.

Reddit Posts Targeting Crypto Enthusiasts

Scammers are infiltrating subreddits frequented by cryptocurrency traders, offering free access to TradingView, a web-based platform providing charting tools for analyzing financial markets. The posts claim that the software is completely free and includes premium features, enticing users to download the malicious installers.

Despite warnings about the risks of installing these files, comments from the original poster (OP) downplay the threat, with remarks like “a real virus on a Mac would be wild.”

Downloads Hosted on Unrelated Websites

Upon investigating the links provided in the Reddit posts, it was discovered that the files are hosted on a website belonging to a Dubai cleaning company. This unusual choice of hosting suggests that the scammers may prefer having direct control over the server to update their malicious code easily.

The website leaks its PHP version (7.3.33), which reached its end of life in December 2021 and no longer receives security updates, making it vulnerable to exploitation.

Double-Zipped Malware

Both Mac and Windows installers are double-zipped, with the final zip file being password-protected. This distribution method is uncommon for legitimate software, raising red flags about the files’ authenticity.

Mac Installer: AMOS Stealer

On Mac, the installer is a new variant of AMOS, a popular macOS stealer. This version checks for virtual machines and exits with an error code if detected, making it difficult to analyze in a controlled environment.

osascript -e "set memData to do shell script \"system_profiler SPMemoryDataType\"
if memData contains \"QEMU\" or memData contains \"VMware\" then
    do shell script \"exit 42\"
else
    do shell script \"exit 0\"
end if"

Analysis of the script reveals that it exfiltrates user data via a POST request to a server hosted in the Seychelles.

Windows Installer: Lumma Stealer

On Windows, the payload is delivered through an obfuscated batch file (Costs.tiff.bat) that runs a malicious Autoit script (Sad .com).

"C:\Windows\system32\cmd.exe" /c expand Costs.tiff Costs.tiff.bat & Costs.tiff.bat
cmd /c copy /b 701617\Sad.com + Io + Thin + Experiment + Detect + Subsection + Meter + Well + Walls + Substantially + Mcdonald 701617\Sad.com

The command and control server for this malware is cousidporke[.]icu, registered recently by an individual in Russia.

Consequences and Protection

Victims of these stealers have reported having their crypto wallets emptied and their contacts receiving phishing links from impersonated accounts. To stay safe, be cautious of the following:

• Disable Security Software: Be wary of instructions to disable security software to run a program.
• Password-Protected Files: Avoid downloading files that are password-protected, as this is a common tactic to evade security scanners.
• Dubious Hosting Platforms: Be cautious of files hosted on dubious or unrelated platforms.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

For more details, visit the full article: Malwarebytes Blog

Additional Resources

For further insights, check:

• Malwarebytes Premium
• TradingView Official Website