JAKARTA - Kaspersky Threat Research has identified a new malware campaign that uses paid Google search ads and shared conversations on the official ChatGPT website.
During the campaign, the attacker bought sponsored search ads for queries such as "chatgpt atlas" and directed users to a page that looked like an installation guide for "ChatGPT Atlas for macOS" hosted on chatgpt.com.
In reality, the page is a ChatGPT conversation generated through prompt engineering and then sanitized so that only the step-by-step "installation" instructions are left.
The guide instructs users to copy a single line of code, open Terminal on macOS, paste the command, and grant all the permissions requested.
Analysis by Kaspersky researchers shows that the command downloads and executes a script which prompts the user for their system password and validates it by attempting to run system commands.
Once the correct password has been entered, the script downloads the AMOS infostealer, uses the stolen password to install it, and launches the malware.
The malware targets passwords, cookies, and other information from popular browsers, data from crypto asset wallets such as Electrum, Coinomi, and Exodus, as well as information from applications including Telegram Desktop and OpenVPN Connect.
The malware also searches the "Desktop", "Documents", and "Downloads" folders for files with TXT, PDF, and DOCX extensions, as well as data stored by the "Notes" application, and then exfiltrates this data to infrastructure controlled by the attacker.
In parallel, the attack installs a backdoor configured to run automatically on reboot, which provides remote access to the compromised system and duplicates most of AMOS's data-collection logic.