ClickFix Campaign Targets macOS Users with Infostealer Tactics
The Netskope Threat Labs recently detailed the ClickFix campaign, which now targets both Windows and macOS systems. This particular analysis focuses on the dissemination of an AppleScript-based infostealer designed to capture sensitive information from macOS users.
The AppleScript infostealer specifically targets crucial data, including login credentials, Keychain databases, and live session cookies from various browsers and cryptocurrency wallets. A notable feature of the malware is its use of a deceptive dialog box that mimics legitimate macOS prompts, forcing users to input their passwords into a non-closable window. The script employs real-time validation via macOS Directory Services, amplifying the risk that users may unknowingly compromise their credentials under the guise of a system prompt.
The ClickFix campaign utilizes a sophisticated multi-platform strategy by incorporating client-side JavaScript to differentiate between operating systems. Users on mobile devices are filtered out, while desktop users are directed to either a Windows or macOS payload based on their user-agent string. The macOS variant employs a fake CAPTCHA to lure users into executing a malicious command that runs a remote script to initiate data collection, demonstrated in the associated flow diagrams.
Defensive Context
Organizations employing macOS systems should be particularly vigilant regarding these types of social engineering tactics, especially in environments that handle sensitive financial or credential-related information. The risk is notably pronounced for environments that may lack user awareness or effective training on identifying phishing attempts and deceptive prompts.
Why This Matters
This campaign’s effectiveness lies in its dual-targeting strategy and its capacity to bypass multi-factor authentication, making it relevant for any organization reliant on macOS devices, especially those with substantial online operations or management of sensitive data. Affected sectors likely include technology, finance, and any enterprises that use Apple products extensively.
Defender Considerations
Defenders should remain vigilant against ClickFix tactics by monitoring for unusual user interactions, particularly those resembling system prompts or requests for sensitive information. The described behavior of the dialog box and its real-time validations can serve as detection points, with malicious commands being executed from terminal interfaces. Ensuring software is updated to the latest macOS versions may also mitigate risks associated with these attacks, as the latest updates include improved security warnings for potentially malicious command pasting.
Indicators of Compromise (IOCs)
The components of this campaign include the following identifiable technical references:
- Server IP:
http://172.94.9.250 - Campaign Identifier:
e12285f507c847b986233991b86b22e3 - Malware Detection IDs:
- Trojan.Generic.39744155
- Script.Trojan.Heuristic
- Gen.Detect.By.NSCloudSandbox.tr
More comprehensive details can be found in Netskope’s GitHub repository addressing this threat.
