HN Today

More Mac malware from Google search

Mac users are once again targeted by the AMOS stealer, distributed through deceptive Google search results, including sponsored Medium articles and even Google's own services. This persistent threat leverages social engineering to trick users into running malicious Terminal commands, effectively bypassing macOS security measures. The story sparks debate on Google's declining search quality, the double-edged sword of AI assistance, and the enduring challenge of user-induced security vulnerabilities.

Score: 59
Comments: 27
Highest Rank: #2
Time on Front Page: 5h
First Seen: Feb 8, 10:00 PM
Last Seen: Feb 9, 2:00 AM
Rank Over Time: chart not reproduced

The Lowdown

A new wave of the AMOS (SOMA) stealer is targeting macOS users, employing sophisticated social engineering tactics to exploit Google search results and trusted platforms. This malware campaign, similar to a previous attack facilitated by ChatGPT, delivers its payload by luring users into executing obfuscated commands in their Terminal.

  • Attack Vector: Malicious links appear in Google's sponsored results and even on docs.google.com and business.google.com, often pointing to compromised Medium articles or forged 'official' Apple support pages.
  • Deception: Users are prompted to paste seemingly innocuous but ultimately malicious curl commands into their Terminal, which then download and execute the AMOS stealer.
  • Malware Capabilities: The stealer collects user data, including the contents of the Documents folder, Notes, and, alarmingly, plaintext passwords, writing hidden files such as .agent (an AppleScript) and .mainHelper (a Mach-O binary) to the user's Home folder.
  • Bypassing Security: macOS protections are circumvented because users are tricked into willingly performing the actions that grant the malware access.
  • User Advice: The author strongly recommends distrusting search results, especially sponsored ones, critically assessing URL provenance, and never blindly executing obfuscated Terminal commands without fully understanding their actions.
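
The hidden files named above are the footprint a defender can check for after the fact. The shell function below is an example added here, not code from the original article or the AMOS write-up: it looks in a Home folder for .agent and .mainHelper (names from the article) and classifies each by content; the Mach-O and AppleScript byte checks, the function names and the return codes are this example's own assumptions.

```shell
#!/bin/sh
# Look for the hidden AMOS artifacts the write-up names in the user's Home folder.
# Added example, not the original article's code. File names are from the article;
# the byte-level classification and the return codes are this script's assumptions.

# First four bytes of a file as lowercase hex, with no dependency on file(1).
magic4() {
  od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n'
}

# Mach-O header check: thin 32/64-bit and fat binaries, in either byte order.
is_macho() {
  case "$(magic4 "$1")" in
    feedface|feedfacf|cefaedfe|cffaedfe|cafebabe|bebafeca) return 0 ;;
    *) return 1 ;;
  esac
}

# AppleScript check: compiled scripts start with "FasdUAS"; plain-text scripts are
# recognised by a few common keywords (a heuristic, not a full parser).
is_applescript() {
  head -c 512 "$1" 2>/dev/null | grep -qiE 'FasdUAS|osascript|tell application|do shell script'
}

# scan_home DIR: report each artifact found directly under DIR (default: $HOME).
# Returns 1 when something was found, 0 when the directory looks clean.
scan_home() {
  scan_dir=${1:-$HOME}
  scan_found=0
  for scan_name in .agent .mainHelper; do
    scan_path="$scan_dir/$scan_name"
    [ -e "$scan_path" ] || continue
    scan_found=1
    if is_macho "$scan_path"; then
      scan_kind="Mach-O binary"
    elif is_applescript "$scan_path"; then
      scan_kind="AppleScript"
    else
      scan_kind="unrecognised content"
    fi
    printf 'suspicious: %s (%s, %s bytes)\n' \
      "$scan_path" "$scan_kind" "$(wc -c < "$scan_path" | tr -d ' ')"
  done
  return $scan_found
}

# Stand-alone use: scan $HOME (or the directory given as $1) and print the verdict.
if scan_home "$@"; then echo "no AMOS artifacts found"; else echo "review the files above"; fi
```

A hit only means a file with that name exists; confirm what it contains before removing it, since a benign dotfile could share the name.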

Ultimately, this campaign highlights how social engineering remains a potent threat, demonstrating that even robust operating system security can be nullified when users are manipulated into enabling malicious activities.

The Gossip

Mac Malware Musings

The discussion extensively covers macOS security, with some users asserting its inherent protections ('at least macos has file access permissions') while others question the ongoing 'myth' that Mac doesn't need antivirus. Many point out that user actions, such as granting 'Full Disk Access' to Terminal or pasting unknown commands, are the primary vectors that bypass macOS's safeguards. A few commenters even float the radical suggestion of removing Terminal from general-purpose Macs, while others highlight that Terminal's permissions are a practical necessity for normal developer workflows.

Search Engine Snafus & AI Alibis

Commenters widely lament the perceived decline in Google's search quality, contrasting it with a 'well functioning google' of 15 years ago. A contentious sub-theme emerges around the role of AI: some optimistically suggest AI answers could 'solve' the problem by providing vetted commands, while others quickly rebut, pointing out that LLMs derive information from the same untrustworthy internet sources and can even recommend downloading malicious software themselves.

Platform Predicaments

Specific platforms are called out for their role in facilitating these attacks. Medium is singled out as a problematic source, with one commenter declaring it a platform to 'avoid like cold grits.' The discussion also broadens to include GitHub, with a link provided to an article detailing how AI is being used to generate fake repositories for malicious purposes, underscoring a wider trust issue with user-generated content platforms.