Malware program “Atomic MacOS” or “AMOS” now has a new capability that allows it to clone wallet apps and steal cryptocurrency from users.

According to an Aug. 5 report from cybersecurity firm Moonlock Lab, the program is experiencing a resurgence, as the firm spotted it being advertised through Google Adsense. In the advertisements, it masqueraded as popular MacOS programs, including screen sharing app Loom, user interface design tool Figma, VPN TunnelBlick, and instant messaging app Callzy. None of the developers of these apps authorized the fake AMOS malware versions.

Moonlock researchers discovered the malware when they ran across a version that pretended to be Loom. When they clicked the advertisement, it redirected them to smokecoffeeshop.com, which then redirected them again to a fake version of the Loom website. 

The fake version looked exactly like the real one. However, when a user clicked the “Get Loom for free” button, instead of downloading the Legitimate Loom program, it downloaded “a complex version of the AMOS stealer.”

Comparison between real (left) and fake (right) version of Loom website. Source: Moonlock Lab.

AMOS is not a new program. Cybersecurity firm Cyble reported its existence as early as April 2023. According to Cyble, the program was being sold to cyber criminals on Telegram as a subscription service for $1,000 per month. 

At the time, it was capable of targeting over 50 different crypto wallets, including Electrum, MetaMask, Coinbase, Binance, Exodus, Atomic, Coinomi and others. When the program found any of these wallets on a user’s computer, it stole the wallet’s data, Cyble claimed, implying that the user’s encrypted keyvault file was likely snatched by AMOS.

AMOS targeting crypto wallets. Source: Cyble Research and Intelligence Labs

If a keyvault file is stolen, the attacker can drain the user’s wallet, especially if the victim used a weak password when they first created their wallet account.

Moonlock claimed that the software has now apparently been upgraded, as they found a version that “has a novel capability.” AMOS can now “replace a specific crypto wallet app with a clone and easily wipe out victims’ e-wallets.”

Specifically, it can clone the Ledger Live software used by Ledger hardware wallet owners. Moonlock emphasized that this capability “has never been reported in a version of AMOS before and represents a significant leap forward” for the malicious program.

Ledger devices store their private keys on hardware devices, out of the reach of malware installed on a PC, and users have to confirm each transaction on the device. This makes it difficult for malware to steal crypto from Ledger users. However, the attacker's intention in cloning Ledger Live may be to display deceptive information on the user’s screen, causing them to mistakenly send their crypto to the attacker.

Related: Ledger CTO warns crypto users about the dangers of 'blind signing'

Even more troubling than the ability to clone Ledger Live, the report notes that future versions of the software may be able to clone other apps. This could potentially include software wallets like MetaMask and Trust Wallet. “If this new version of AMOS can replace Ledger Live with a fake malicious clone,” Moonlock suggested, “it could do the same with other apps.”

Software wallets display all their information directly on the PC monitor, making deceptive displays even more dangerous.

Moonlock claimed to have traced the software to a developer called “Crazy Evil,” which advertises itself on Telegram. The group allegedly posted a recruitment ad boasting of the AMOS software’s ability to clone Ledger Live.

Users who run crypto wallet software on a Mac should be aware that AMOS is specifically targeting people like them. This malware is generally distributed through Google Adsense ads, so they may want to be extremely careful when considering whether to download software from a website they found through a banner or display ad. It may appear to be Loom, Callzy, or another popular program, but in fact is a copy of AMOS.

Magazine: Weird ‘null address’ iVest hack, millions of PCs still vulnerable to ‘Sinkclose’ malware: Crypto-Sec

If in doubt about the authenticity of a website, typing the name of the program into a search engine and scrolling down to the organic results is sometimes an effective way of finding the official website for an app, as scammers usually don’t have the domain authority to rank at the top of organic results for an app’s name.

Google uses filters in an attempt to prevent malware programs from being advertised through their program, but these filters are not 100% effective.

Malware continues to be a serious threat to crypto users. On Aug. 16, cybersecurity firm Check Point Research discovered a similar “stealer” program that drained crypto through a method called “clipping.” On May 13, Kaspersky Labs discovered malware called “Durian” that was used to attack crypto exchanges .