Threat Actors Exploit Reddit to Distribute AMOS and Lumma Stealers

Threat actors have been leveraging Reddit to spread malicious software, specifically targeting cryptocurrency enthusiasts with AMOS and Lumma stealers.

These malware families are distributed through posts on the official Reddit platform, often disguised as cracked versions of the popular trading platform TradingView.

The scammers claim that these versions offer premium features for free, enticing users to download the compromised software.

Malware Distribution Tactics

The malicious files are hosted on a website belonging to a Dubai-based cleaning company, which is unusual compared to typical malware distribution methods that often use services like Mega.

According to the Malwarebytes report, this choice may allow the attackers to maintain control over the server and update their malware directly.

Both the Windows and Mac versions of the malware are double zipped, with the final zip being password protected, a common tactic to evade security scanners.

Legitimate software is rarely distributed in such a manner, raising red flags for potential users.
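As an added example (not code from the Malwarebytes report or from this article), a small Python inspector that flags the archive-in-archive-with-password pattern described above, which is something a mail or download gateway can check without knowing the password. The sample archives are constructed inline; because Python's zipfile cannot write encrypted archives, password protection is simulated by setting the ZIP encryption flag bit in the constructed inner archive.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in ZIP local and central headers


def inspect_archive(data: bytes, depth: int = 1, max_depth: int = 4) -> dict:
    """Return the nesting depth and whether any member is marked encrypted.

    The central directory of a ZipCrypto/AES archive is not encrypted, so
    member names and flag bits are readable without the password; encrypted
    nested archives are listed but never opened.
    """
    report = {"depth": depth, "encrypted": False, "members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            enc = bool(info.flag_bits & ENCRYPTED_FLAG)
            report["members"].append((info.filename, enc))
            report["encrypted"] |= enc
            if info.filename.lower().endswith(".zip") and not enc and depth < max_depth:
                inner = inspect_archive(zf.read(info), depth + 1, max_depth)
                report["depth"] = max(report["depth"], inner["depth"])
                report["encrypted"] |= inner["encrypted"]
    return report


def is_suspicious(report: dict) -> bool:
    """Flag the lure described in the article: a zip inside a zip, with a password."""
    return report["depth"] >= 2 and report["encrypted"]


def _make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_encrypted(data: bytes) -> bytes:
    """Set bit 0 of the flag field in every local (offset 6) and central (offset 8)
    header, mimicking the header state of a password-protected zip (constructed)."""
    out = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + off] |= ENCRYPTED_FLAG
            pos = out.find(sig, pos + 4)
    return bytes(out)


# Constructed samples: the lure layout (outer zip -> "encrypted" inner zip -> payload) and a benign zip.
inner = _mark_encrypted(_make_zip({"TradingView_Premium/setup.bat": b"rem placeholder"}))
outer = _make_zip({"TradingView_Premium.zip": inner})
benign = _make_zip({"readme.txt": b"hello"})
```

The file names inside the samples are placeholders, not the actual names used in the campaign.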

On Mac systems, the malware is a variant of the AMOS stealer, which checks for virtual machines and exits if detected.

It exfiltrates user data via a POST request to a server hosted in the Seychelles. For Windows, the payload involves an obfuscated batch file that runs a malicious AutoIt script.

The command and control server for the Windows malware is registered in Russia.

Impact and Safety Measures

Victims of these scams have reported significant financial losses, including emptied cryptocurrency wallets.

The attackers also impersonate victims by sending phishing links to their contacts.

To stay safe, users should be cautious of files hosted on dubious platforms, avoid disabling security software, and be wary of password-protected files.

Despite these warnings, falling for such scams remains a risk, especially if recommendations come from trusted sources.

Utilizing robust cybersecurity tools like Malwarebytes can help protect against these threats by detecting and removing both Mac and Windows payloads.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.