Cybersecurity analyst José A. Gómez Ledesma of the Quetzal Team identified a new phishing campaign targeting developers and influencers in the crypto industry. The attackers are impersonating the hosts and producers of the popular Web3 podcast Empire. The criminals reach out to potential victims through social media DMs, offering fake interviews to discuss their recent projects and market forecasts.
Once a victim engages, the attackers send them a link to a fraudulent website that mimics a legitimate platform like Streamyard or Huddle, supposedly for the interview. When a user visits the site, an error message appears, claiming there’s a problem and that the user needs to download a desktop client to proceed.
The link downloads a malicious DMG file, which is a macOS application installation disk, disguised as either Huddle or Streamyard. Unwittingly, victims install this file, infecting their Mac computers with AMOS (Atomic macOS) Stealer, a type of information-stealing malware. The malware has been seen before, often disguised as popular apps to trick users into downloading it.
The infection process is complex and begins with the DMG installer. The installer runs a highly obfuscated Bash script, which is then deobfuscated and re-obfuscated several times using different techniques before it generates and executes an AppleScript. The AppleScript then locates and runs a hidden binary file on the user’s computer, which is the AMOS Stealer malware.
When a computer is infected with an information stealer like AMOS, the user’s digital life is exposed to cybercriminals. The malware can steal a wide range of sensitive data, including login credentials and cookies from banking and gaming accounts. This stolen information is then sold on the dark web, often for a surprisingly low price. This new campaign is a good reminder to be cautious when dealing with strangers online and to avoid downloading files from untrusted sources.
Reference:
