Evil evolution: ClickFix and macOS infostealers
Threat actors are evolving 'ClickFix' social engineering campaigns to target macOS users with the MacSync infostealer. Recent iterations bypass traditional security controls by tricking users into executing obfuscated terminal commands that deploy fileless, API-gated AppleScript payloads designed to harvest credentials, browser data, and cryptocurrency wallet seed phrases.
Authors: Jagadeesh Chandraiah
Source:
Sophos
- domainget-mactech[[.]]comMalicious landing page domain used in the December campaign.
- domainhoustongaragedoorinstallers[[.]]comC2 domain used by the shell-based loader to fetch dynamic AppleScript payloads.
- urlhxxps://main[.]mon2gate[.]net/modules/walletsExfiltration endpoint for stolen Ledger wallet seed phrases.
- urlhxxps://tenkmo[.]com/drive/updateStage 2 payload URL downloaded by the initial bash script.
Key Takeaways
- ClickFix campaigns are increasingly targeting macOS users to deliver the MacSync infostealer.
- Recent variants shifted from native MachO binaries to a multistage loader-as-a-service model using dynamic AppleScript and in-memory execution.
- Attackers use fake ChatGPT and GitHub-themed pages, often promoted via Google sponsored links, to trick users into running malicious terminal commands.
- The malware actively targets cryptocurrency wallets, specifically patching the legitimate Ledger Live application to exfiltrate seed phrases.
- Threat actors utilize real-time tracking via Telegram bots and API key-gated C2 infrastructure to monitor campaigns and evade analysis.
Affected Systems
- macOS
- Ledger Live
- Chromium browsers
- Firefox browsers
- Telegram Desktop
- Safari
Attack Chain
The attack begins with a user clicking a malicious sponsored search result, leading to a fake application download page (e.g., ChatGPT Atlas or GitHub-themed). The page instructs the user to copy and paste an obfuscated terminal command (ClickFix), which downloads and executes a shell script. This script validates the user's password, fetches a dynamic AppleScript payload from an API-gated C2 server, and executes it in memory via osascript. The AppleScript harvests browser data, credentials, and cryptocurrency wallets, zips the data to /tmp/osalogging.zip, and exfiltrates it in chunks before patching the Ledger Live application to steal seed phrases.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Sophos
Sophos provides endpoint protections against these infostealer variants under the names OSX/InfoStl-FQ, OSX/InfoStl-FR, and OSX/InfoStl-FH. No raw detection rules are provided in the article.
Detection Engineering Assessment
EDR Visibility: High — EDRs with macOS support can monitor process executions (e.g., curl piping to osascript), file modifications in /tmp, and ad-hoc code signing events on legitimate applications like Ledger Live. Network Visibility: Medium — C2 traffic is HTTPS and uses Cloudflare, but chunked uploads and specific URI patterns (/dynamic?txd=, /gate?buildtxd=) might be visible with SSL inspection or advanced network monitoring. Detection Difficulty: Moderate — The use of in-memory execution (osascript) and API-gated C2 makes static analysis difficult, but the behavioral chain (curl to osascript, modifying app.asar) is highly anomalous.
Required Log Sources
- Process Execution Logs
- File Creation Logs
- Network Connection Logs
- macOS Unified Logging (Endpoint Security Framework)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for curl commands piping output directly to osascript, which is indicative of fileless AppleScript execution. | Process Execution | Execution | Low |
| Monitor for the dscl utility being used with the -authonly flag, especially when executed by shell scripts, as this is used to validate phished passwords. | Process Execution | Credential Access | Low |
| Detect modifications to app.asar files within the /Applications/Ledger Live.app directory, followed by ad-hoc code signing. | File Integrity Monitoring / Process Execution | Defense Evasion | Low |
| Search for the creation of suspicious archive files in the /tmp directory (e.g., /tmp/osalogging.zip) followed by repeated outbound network connections. | File Creation / Network Connections | Collection | Medium |
Control Gaps
- Phishing-resistant MFA (FIDO2) does not prevent ClickFix
- Gatekeeper/XProtect bypass via user-executed terminal commands
Key Behavioral Indicators
- curl piping to osascript
- dscl . -authonly usage
- app.asar modifications in Ledger Live
- Chunked PUT requests from curl
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block known C2 domains and exfiltration URLs at the network perimeter.
- Search endpoint telemetry for the presence of /tmp/osalogging.zip or /tmp/update.
- Identify and isolate macOS devices that have executed curl commands piping to osascript recently.
Infrastructure Hardening
- Implement SSL inspection to detect anomalous URI patterns associated with MacSync C2.
- Restrict the execution of osascript and terminal utilities for standard users where possible.
User Protection
- Deploy EDR solutions capable of monitoring macOS Endpoint Security Framework (ESF) events.
- Ensure Gatekeeper is strictly enforced and monitor for ad-hoc signing events.
Security Awareness
- Educate users on the dangers of copying and pasting terminal commands from websites (ClickFix).
- Warn users about fake software downloads promoted via search engine sponsored links.
MITRE ATT&CK Mapping
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1059.002 - Command and Scripting Interpreter: AppleScript
- T1204.002 - User Execution: Malicious File
- T1552.001 - Unsecured Credentials: Credentials In Files
- T1539 - Steal Web Session Cookie
- T1056.002 - Input Capture: GUI Input Capture
- T1553.002 - Subvert Trust Controls: Code Signing
- T1566.002 - Phishing: Spearphishing Link
- T1041 - Exfiltration Over C2 Channel
Additional IOCs
- Domains:
getmaclab[[.]]com- Malicious landing page domaingetmacnow[[.]]com- Malicious landing page domainimaclife[[.]]com- Malicious landing page domaininsta-macer[[.]]com- Malicious landing page domaininstmac[[.]]com- Malicious landing page domainmac-faster[[.]]com- Malicious landing page domainmac-fast[[.]]com- Malicious landing page domainmac-space[[.]]com- Malicious landing page domainmacfixnow[[.]]com- Malicious landing page domainmymachub[[.]]com- Malicious landing page domainmymacsoft[[.]]com- Malicious landing page domainjmpbowl[.]top- URL pattern domain used in campaignjmpbowl[.]xyz- URL pattern domain used in campaign
- Urls:
hxxp://jmpbowl[.]top/curl/- Base URL pattern observed in campaignhxxp://jmpbowl[.]xyz/curl/- Base URL pattern observed in campaignhxxps://get-mactech[.]com/app/stats.php- Tracking endpoint used to send victim statistics to Telegram
- File Paths:
/tmp/.pass- Temporary file storing the user's validated password/tmp/update- Location where the stage 2 payload is downloaded and executed/tmp/osalogging.zip- Archive containing harvested user data before exfiltration/Applications/Ledger Wallet.app- Targeted cryptocurrency wallet application/Applications/Ledger Live.app- Targeted cryptocurrency wallet applicationLedger Live.app/Contents/Resources/app.asar- Legitimate Ledger Live component patched by the malware to steal seed phrases
- Command Lines:
- Purpose: Decode base64 payload URL | Tools:
echo,base64| Stage: Initial Access |base64 -d - Purpose: Validate user password locally | Tools:
dscl| Stage: Credential Access |dscl . -authonly - Purpose: Download stage 2 payload | Tools:
curl| Stage: Execution |curl -o /tmp/update - Purpose: Fetch and execute AppleScript payload in memory | Tools:
curl,osascript| Stage: Execution |curl -k -s --max-time 30 | osascript
- Purpose: Decode base64 payload URL | Tools: