Virginia News Press


ClickFix campaign delivers Mac malware via fake Apple page

Apr 13, 2026  Twila Rosenbaum

Security researchers have uncovered a new attack method reminiscent of the ClickFix campaign, specifically targeting Mac users through a deceptive webpage designed to look like an official Apple site. This malicious page provides instructions on how to “reclaim disk space on your Mac,” tricking users into executing harmful commands.

ClickFix is a social engineering technique that exploits users by convincing them to execute dangerous commands on their devices, often under the pretense of solving a problem or performing necessary system maintenance. Initially used against Windows users, this tactic has evolved to include macOS and Linux systems as the attackers adapt to target a wider audience.

According to security experts, the primary method for executing ClickFix attacks on macOS has been to persuade users to copy and paste harmful commands into the Terminal application. However, Apple has made strides to combat this approach with the introduction of security features in macOS 26.4, which scan commands pasted into Terminal before they are executed. As a result, attackers have shifted their tactics to utilize a browser-triggered workflow that prompts users to open Script Editor, an application for editing AppleScript and JavaScript for Automation scripts, both of which come pre-installed on macOS.

The Attack Process

The attack unfolds in several steps from the perspective of the victim:

  • The victim visits the deceptive webpage and follows the provided instructions.
  • They click on the “Execute” button displayed on the page.
  • A prompt appears, asking for permission to open Script Editor.
  • Upon granting permission, Script Editor opens with the attackers’ malicious script pre-loaded.
  • Depending on the version of macOS, the user may or may not see an additional warning against executing the script.
  • If the user ignores this warning and proceeds to save and execute the script, it will silently download and run a variant of Atomic Stealer (AMOS), a potent information-stealing malware.
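
One way to hunt for the sequence described above in endpoint process telemetry, as an added example that is not from the original article or the researchers. The event schema, the `initiator` field, the list of child processes and the 300-second window are assumptions, and the sample events are constructed:

```python
import json

# Constructed process-launch events in a hypothetical telemetry schema
# (ts = seconds, initiator = app that requested the launch). Not real logs.
SAMPLE_EVENTS = """
{"ts": 100, "pid": 410, "ppid": 1, "image": "/Applications/Safari.app/Contents/MacOS/Safari", "initiator": null}
{"ts": 130, "pid": 522, "ppid": 1, "image": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor", "initiator": "Safari"}
{"ts": 141, "pid": 530, "ppid": 522, "image": "/bin/sh", "initiator": null}
{"ts": 142, "pid": 531, "ppid": 530, "image": "/usr/bin/curl", "initiator": null}
{"ts": 900, "pid": 700, "ppid": 1, "image": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor", "initiator": "Finder"}
{"ts": 905, "pid": 701, "ppid": 700, "image": "/usr/bin/curl", "initiator": null}
"""

BROWSERS = {"Safari", "Google Chrome", "Firefox", "Microsoft Edge", "Brave Browser"}
SCRIPT_EDITOR = "Script Editor"
RISKY_CHILDREN = {"sh", "bash", "zsh", "curl", "osascript"}  # assumed watch list
WINDOW_SECONDS = 300  # assumed correlation window

def detect(lines):
    """Return alerts for browser-opened Script Editor sessions that spawn
    shells or downloaders, directly or through descendants."""
    events = sorted((json.loads(l) for l in lines.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    root_of = {}   # pid -> pid of the suspicious Script Editor ancestor
    started = {}   # Script Editor pid -> (launch ts, browser name)
    alerts = {}
    for ev in events:
        name = ev["image"].rsplit("/", 1)[-1]
        if name == SCRIPT_EDITOR and ev.get("initiator") in BROWSERS:
            started[ev["pid"]] = (ev["ts"], ev["initiator"])
            root_of[ev["pid"]] = ev["pid"]
            continue
        root = root_of.get(ev["ppid"])
        if root is None:
            root_of.pop(ev["pid"], None)   # pid reused by an unrelated process
            continue
        root_of[ev["pid"]] = root          # track the whole descendant tree
        t0, browser = started[root]
        if name in RISKY_CHILDREN and ev["ts"] - t0 <= WINDOW_SECONDS:
            alert = alerts.setdefault(root, {"script_editor_pid": root,
                                             "browser": browser, "children": []})
            alert["children"].append(name)
    return list(alerts.values())

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The Finder-launched Script Editor session in the sample is ignored even though it also runs `curl`, because the rule keys on the browser-initiated launch rather than on Script Editor use in general.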

Atomic Stealer is a subscription-based product sold to cybercriminals, who then deploy it for various malicious purposes. This malware is capable of collecting extensive system information, retrieving data stored in Keychain (Apple’s integrated password management system), and stealing autofill data, passwords, cookies, and even credit card details from web browsers and cryptocurrency wallets.

Researchers have also shared indicators of compromise related to this malware delivery method, providing vital information for users and security professionals to identify and mitigate risks associated with this campaign.

As cyber threats continue to evolve, it remains crucial for users to stay informed about potential risks and adopt best practices for cybersecurity. This includes being skeptical of unsolicited prompts and verifying the authenticity of webpages before providing any personal information or executing commands.



Source: Help Net Security News

