Security researchers report that operators of the atomic MacOS stealer (amos) are abusing paid Google search ads and pre-seeded conversations in popular AI chatbots to deliver MacOS malware.
Users searching for help freeing disk space on Mac computers are shown sponsored links leading to chatbot conversations that provide fake troubleshooting steps.
The instructions tell users to open the MacOS terminal and paste in a command that silently downloads and is run by an amos infostealer, which then seeks extensive permissions but can exfiltrate passwords, browser data, cryptocurrency information, and other sensitive resources while avoiding some built-in security warnings.
The scheme mimics earlier "clickfix" social engineering attacks but now adds trusted AI tools and search platforms to create realistic appearances for the malicious advice.
Source: https://www.kaspersky.com/blog/fake-ai-agents-infostealers/55412/
Commentary
In the above source, attackers make the trusted search platforms and mainstream AI assistants look convincing enough that Mac users will self-install credential stealing malware.
For organizations that utilize Macs, or your employees who use Macs for business purposes, this extends the scope of malicious downloads to any workflow when your employees interact with an external site or work online via ai tools or on a computer from which they receive technical support.
Here are some loss prevention and best practice tips for organizations to follow:
• Implement macos endpoint protection with behavioral detection tuned for infostealers, unauthorized keychain access, abnormal browser data exports and unexpected network exfiltration to command-and-control servers.
• Concentrate on browsers and search settings; limiting or tracking access to sponsored results and potentially harmful categories such as "system cleaners," "free disk utilities," and unauthorized AI apps.
• Introduce security awareness micro training that includes fake troubleshooting pages, clickfix style prompts, and AI generated responses that instruct users to disable protections or run obscure shell commands.
• Limit the extent of AI tool use that employees can get with corporate devices, and define only authorized internal documentation or service channels for system level fixes.
The final takeaway is that you want to make sure that you use both proper technical controls, and training on AI-related social engineering to not have your employees be unintentional installers of infostealer malware on organization/personal devices.
