Hackers abuse Google advertisements, Claude.ai chats to push Mac malware

Attackers are abusing Google Commercials and legit Claude.ai shared chats in an lively malvertising marketing campaign.

Customers looking for “Claude mac obtain” might come throughout subsidized seek effects that listing claude.ai as the objective web page, however result in directions that set up malware on their Mac.

Shared Claude Chats weaponized to focus on macOS customers

The marketing campaign used to be noticed via Berk Albayrak, a safety engineer at Trendyol Crew, who shared his findings on LinkedIn.

Albayrak recognized a Claude.ai shared chat that gifts itself as an reputable “Claude Code on Mac” set up information, attributed to “Apple Enhance.”

The chat walks customers thru opening Terminal and pasting a command, which silently downloads and runs malware on their Mac.

Whilst making an attempt to make sure Albayrak’s findings, BleepingComputer landed on a moment shared Claude chat sporting out the similar assault thru completely separate infrastructure.

The 2 chats apply an an identical construction and social engineering method however use other domain names and payloads. Each chats had been publicly obtainable on the time of writing:

What does the macOS malware do?

The base64 directions proven within the shared Claude chat obtain an encoded shell script from domain names reminiscent of:

• In variant observed via Albayrak [VirusTotal]: hxxp://customroofingcontractors[.]com/curl/b42a0ed9d1ecb72e42d6034502c304845d98805481d99cea4e259359f9ab206e
• In variant observed via BleepingComputer [VirusTotal]: hxxps://bernasibutuwqu2[.]com/debug/loader.sh?construct=a39427f9d5bfda11277f1a58c89b7c2d

The ‘loader.sh’ (served via the second one hyperlink above) is every other set of Gunzip-compressed shell directions:

This compressed shell script runs completely in reminiscence, leaving little glaring hint on disk.

BleepingComputer noticed the server serving a uniquely obfuscated model of the payload on every request (one way referred to as polymorphic supply), making it more difficult for safety equipment to flag the obtain in keeping with a recognized hash or signature.

The variant BleepingComputer recognized begins via checking whether or not the gadget has Russian or CIS-region keyboard enter assets configured. If it does, the script exits with out doing the rest, sending a quiet cis_blocked standing ping to the attacker’s server on its means out. Most effective machines that go this take a look at get the following level:

Ahead of continuing additional, the script additionally collects the sufferer’s exterior IP deal with, hostname, OS model, and keyboard locale, sending it all again to the attacker. This type of sufferer profiling earlier than payload supply suggests the operators are being selective about who they aim.

The script then pulls down a second-stage payload and runs it thru osascript, macOS’s integrated scripting engine. This provides the attacker far flung code execution with out ever losing a conventional utility or binary.

The variant recognized via Albayrak, on the other hand, seems to skip the profiling steps. It is going instantly to execution.

It harvests browser credentials, cookies, and macOS Keychain contents, programs them up, and exfiltrates them to the attacker’s server. Albayrak recognized this as a variant of the MacSync macOS infostealer:

The briskinternet[.]com area proven above within the variant recognized via Albayrak gave the look to be down on the time of writing.

When the valid URL is the risk

Malvertising has turn out to be a ordinary supply mechanism for malware.

BleepingComputer has up to now reported on identical campaigns focused on customers looking for device like GIMP, the place a powerful Google advert would listing a legitimate-looking area however take guests to a lookalike phishing website online as an alternative.

This marketing campaign flips that, as there is not any faux area to identify.

Each Google advertisements observed right here level to Anthropic’s actual area, claude.ai, since the attackers are web hosting their malicious directions inside of Claude’s personal shared chat characteristic. The vacation spot URL within the advert is authentic.

It’s not, on the other hand, the primary time that attackers have abused AI platform shared chats this manner. In December, BleepingComputer reported a identical marketing campaign focused on ChatGPT and Grok customers.

Customers will have to navigate without delay to claude.ai for downloading the local Claude app, reasonably than clicking subsidized seek effects. The valid Claude Code CLI is to be had thru Anthropic’s reputable documentation and does no longer require pasting instructions from a talk interface.

It’s excellent follow to normally deal with any directions asking you to stick terminal instructions with warning, irrespective of the place the ones directions seem to come back from.

BleepingComputer reached out to Anthropic and Google for remark previous to publishing.