AI Poisoning & AMOS Stealer How Trust Became the Biggest Mac Threat Huntress

MITRE Techniques

• [T1598.004 ] Search Engine Optimization (SEO) – Attackers poisoned search results so malicious AI conversations appeared as top answers (‘Google surfaced two highly ranked results … one directing the end user to a ChatGPT conversation and the other to a Grok conversation’).
• [T1204 ] User Execution – Victims were socially engineered to copy-paste and execute a Terminal command from a trusted AI conversation (‘the victim … executed the provided command’).
• [T1059.004 ] Unix Shell – The initial one-liner used base64 decoding, curl, and bash to fetch and run the first-stage loader (‘the base64-encoded string in the Terminal command decoded to a URL hosting a malicious bash script’).
• [T1059.005 ] AppleScript – An AppleScript-based loader/watchdog (.agent, update) was used to relaunch the payload in the user GUI session and persist execution (‘an AppleScript called ‘update’ … the .agent file … an AppleScript-based watchdog loop’).
• [T1543 ] Create or Modify System Process – The malware installed a LaunchDaemon to achieve persistence across reboots (‘/Library/LaunchDaemons/com.finder.helper.plist’ that runs the .agent script every reboot’).
• [T1497 ] Virtualization/Sandbox Evasion – The loader included anti-VM logic to avoid executing inside virtualized environments (‘it will verify that it is not running in a virtual machine and instead will run anti-VM logic’).
• [T1033 ] System Owner/User Discovery – The watchdog loop queries /dev/console to determine which GUI user is logged in and relaunch the payload under that user (‘Every second, the script checks which user is currently logged into the GUI session by querying /dev/console’).
• [T1056 ] Input Capture – The loader solicited the user’s “System Password” via a fake prompt and captured it to /tmp/.pass for later use (‘the loader … requests the user’s credentials by simply asking for the “System Password” … the script writes it in plaintext to a hidden file in the /tmp directory, called /tmp/.pass’).
• [T1041 ] Exfiltration Over C2 Channel – Harvested data was packaged (e.g., /tmp/out.zip) and transmitted to attacker-controlled servers/C2 (‘After collecting all the data, the attacker will stage the data in /tmp/out.zip before exfiltrating it to their C2 server’).