The Lumma and AMOS information stealers have recently been distributed through Reddit posts aimed at Windows and Mac users in the cryptocurrency space.
Posts like these use a variety of tactics to trick users into downloading trojanised software, but one lure has become particularly common: a cracked version of TradingView.
The scammers have been active in crypto-related subreddits. According to their posts, the so-called cracked TradingView is completely free and was cracked directly from the official release, unlocking premium features such as stocks, forex, crypto and advanced charting tools for commodities.
Malwarebytes noted that both the Windows and Mac files were zipped twice, with the final (inner) zip password protected. This is unusual: legitimate installers are not packaged that way, and a password-protected archive also keeps its contents from being scanned before the user extracts them.
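As an added illustration of that packaging check (example code written for this page, not Malwarebytes' tooling or the original author's), the following Python triages a downloaded zip for the archive-inside-an-archive, password-protected pattern without extracting anything. The sample archives, member names and the list of flagged extensions are constructed for the example and are not the real files from the campaign.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

ZIP_ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose bit flag: entry is password-protected

# Hypothetical list of member suffixes treated as executable content; not from the report.
EXECUTABLE_SUFFIXES = (".exe", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr",
                       ".msi", ".dmg", ".pkg", ".command")


@dataclass
class Finding:
    path: str        # e.g. outer.zip/inner.zip/TradingView.exe
    depth: int       # 0 = member of the top-level archive
    encrypted: bool  # encryption bit set on the entry header
    executable: bool


@dataclass
class Triage:
    findings: List[Finding] = field(default_factory=list)

    @property
    def has_executable(self) -> bool:
        return any(f.executable for f in self.findings)

    @property
    def suspicious(self) -> bool:
        # The pattern from the report: an archive inside an archive with the inner one
        # password-protected. Flag an encrypted entry below the top level, or an
        # encrypted .zip member that could not be descended into.
        return any(f.encrypted and (f.depth >= 1 or f.path.lower().endswith(".zip"))
                   for f in self.findings)


def _is_executable(name: str) -> bool:
    lower = name.lower()
    if ".app/" in lower:  # macOS application bundle is a directory tree inside the zip
        return True
    return lower.endswith(EXECUTABLE_SUFFIXES)


def inspect_archive(data: bytes, label: str = "download.zip", depth: int = 0,
                    triage: Optional[Triage] = None, max_depth: int = 3) -> Triage:
    """Walk a zip and any readable nested zips, recording per entry whether it is
    password-protected and whether it looks executable. Only header metadata is
    read; encrypted members are never opened and nothing is written to disk."""
    triage = triage if triage is not None else Triage()
    if depth > max_depth:
        return triage
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & ZIP_ENCRYPTED_FLAG)
            path = f"{label}/{info.filename}"
            triage.findings.append(Finding(path, depth, encrypted, _is_executable(info.filename)))
            if info.filename.lower().endswith(".zip") and not encrypted:
                inspect_archive(zf.read(info), path, depth + 1, triage, max_depth)
    return triage


def _mark_entries_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' bit in every local (offset 6) and central-directory
    (offset 8) header of a plaintext zip so metadata readers see it as
    password-protected. Constructed test data only: Python's zipfile cannot write
    ZipCrypto, and the member contents are not actually encrypted."""
    buf = bytearray(zip_bytes)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature)
        while pos != -1:
            buf[pos + flag_offset] |= ZIP_ENCRYPTED_FLAG
            pos = buf.find(signature, pos + len(signature))
    return bytes(buf)


def build_lure_sample() -> bytes:
    """Constructed stand-in for the lure's packaging: outer zip -> 'password-protected'
    inner zip -> executable plus batch file. Not the real campaign sample."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("TradingView/TradingView.exe", b"MZ placeholder, not a real binary")
        zf.writestr("TradingView/launch.bat", b"@echo off\r\nrem placeholder\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("TradingView_cracked.zip", _mark_entries_encrypted(inner.getvalue()))
        zf.writestr("Password.txt", b"see the Reddit post\n")
    return outer.getvalue()


def build_benign_sample() -> bytes:
    """A single-level, unencrypted archive for comparison (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes/README.txt", b"plain documentation\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, sample in (("lure", build_lure_sample()), ("benign", build_benign_sample())):
        t = inspect_archive(sample, f"{name}.zip")
        print(f"{name}: suspicious={t.suspicious} executable={t.has_executable}")
        for f in t.findings:
            print(f"  depth={f.depth} encrypted={f.encrypted} exec={f.executable} {f.path}")
```

Because the inner zip is password-protected, the check never tries to open its members; it relies only on the general-purpose bit flag in each entry's header, which is exactly what an automated scanner can still read when the contents cannot be inspected. A download that shows this shape is a red flag regardless of what the Reddit post claims.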
According to Malwarebytes, on Mac, user data is exfiltrated via POST requests to a server hosted in Seychelles (45.140.13.244).
The Mac installer drops a new variant of AMOS (Atomic macOS Stealer), a widely used macOS stealer. It checks whether it is running inside a virtual machine and, if so, exits with error code 42.
The Windows version loads its payload via an obfuscated BAT file that runs malicious scripts. Malwarebytes linked the Windows version to the domain “Cousidporke (.) ICU”, which was registered in Russia a week earlier.