Distributors of the macOS stealer AMOS have adopted a new ClickFix scheme: they plant malicious instructions in chats on the ChatGPT and Grok websites, share those chats, and push them to the top of Google search results with paid advertising.
This new malicious campaign was discovered simultaneously by experts at Kaspersky Lab and Huntress. The ClickFix attack begins with a sponsored link shown to a macOS user searching for helpful tips, troubleshooting, or installation recommendations for the OpenAI Atlas browser. Clicking the malicious link opens a page on the official ChatGPT (or Grok) website containing instructions: a message from the AI bot, produced by the attackers' carefully crafted queries and published via the "Share Chat" option. The user is prompted to launch a terminal on their computer and then copy and paste the code to execute the command. Notably, the chatbot itself will confirm the danger of such a step if asked whether the instructions should be followed. If the user runs the command anyway, a batch file is downloaded to the computer from a third-party source. This batch file displays a dialog box asking for a password to log in. Once it has obtained the password, it downloads and launches AMOS.

This well-known Trojan is designed to steal data from browsers, cryptocurrency wallets, the macOS Keychain, and files saved to disk. Recently, the malware has also gained the ability to provide remote access to the infected system by installing a backdoor and ensuring it runs automatically on every OS boot.

@ Anti-Malware