Friday, April 10, 2026
0563News
Breaking News, In-Depth Analysis & Real-Time Updates

ClickFix Campaign Delivers Mac Malware via Fake Apple Page

Security researchers at Jamf discovered a new ClickFix-style attack targeting Mac users through a fake Apple webpage, using Script Editor to deliver Atomic Stealer malware.

Security researchers at Jamf have uncovered a sophisticated new ClickFix-style attack specifically targeting Mac users. The attack operates through a fake Apple-themed webpage that deceives victims into believing they need to reclaim disk space on their devices. This social engineering campaign represents an evolution in Mac-targeting malware delivery techniques that have become increasingly prevalent in recent years.

ClickFix is a well-established social engineering technique that manipulates victims into executing malicious commands on their own machines. Typically, attackers convince users that these commands are necessary for fixing problems or performing routine system maintenance tasks. Originally developed to target Windows users, this attack method has since expanded to include macOS and Linux platforms, making it a widespread security concern across multiple operating systems.

Apple has taken significant steps to counter these attacks. Most notably, macOS Sonoma 14.6 introduced a security feature that scans commands before they are pasted into Terminal, preventing the execution of potentially malicious code. In response to this defensive measure, attackers have adapted their tactics. Rather than relying on Terminal, they now use a browser-triggered workflow to launch Script Editor, a legitimate code editor for AppleScript and JavaScript for Automation languages. Since both Terminal and Script Editor come pre-installed on macOS systems, they serve as ideal attack vectors for malicious actors.

The attack sequence begins when victims visit the malicious webpage and follow the provided instructions. They are prompted to click an "Execute" button, which then requests permission to open Script Editor through the web browser. Once Script Editor launches, it arrives pre-populated with the attacker's malicious script. Depending on the macOS version, users may encounter additional security warnings against running the script, though many victims ignore these protections.

If victims proceed by allowing the script to be saved and executed, the payload downloads and executes a variant of Atomic Stealer, also known as AMOS. This malware operates covertly to collect sensitive information including system details, Keychain data containing passwords and autofill information, browser cookies, credit card information, and cryptocurrency wallet credentials. Atomic Stealer functions as a subscription-based product sold to cybercriminals who deploy it according to their specific objectives, making it a serious threat to Mac user security and financial data.

Jamf researchers have provided indicators of compromise related to this malware delivery campaign, helping security professionals identify and defend against these attacks. As this threat continues to evolve, users are encouraged to remain vigilant about suspicious web pages, be cautious when granting permissions to open applications, and carefully review any scripts before executing them on their systems.
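As an added example (not from Jamf's report or from this article), the following detection pass over process telemetry flags shells or curl that run as descendants of Script Editor, the launch path described above. The event field names, the sample records, and the assumption that the spawned shell is recorded as a descendant of Script Editor are constructed for illustration.

```python
import json

# Constructed sample telemetry, one JSON record per process start.
# Field names are hypothetical, not a real EDR schema.
SAMPLE_EVENTS = """\
{"pid": 410, "ppid": 1, "path": "/Applications/Safari.app/Contents/MacOS/Safari"}
{"pid": 500, "ppid": 1, "path": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"}
{"pid": 501, "ppid": 500, "path": "/bin/sh"}
{"pid": 502, "ppid": 501, "path": "/usr/bin/curl"}
{"pid": 600, "ppid": 1, "path": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"pid": 601, "ppid": 600, "path": "/usr/bin/curl"}
"""

SCRIPT_EDITOR_SUFFIX = "/Script Editor.app/Contents/MacOS/Script Editor"
WATCHED = {"sh", "bash", "zsh", "curl"}  # shells and a download tool


def parse_events(text):
    """Parse newline-delimited JSON process events."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def script_editor_ancestor(pid, by_pid):
    """Walk up the parent chain; return the Script Editor pid if one is found."""
    seen = set()
    cur = by_pid.get(pid)
    while cur and cur["pid"] not in seen:  # 'seen' guards against pid loops
        seen.add(cur["pid"])
        parent = by_pid.get(cur["ppid"])
        if parent and parent["path"].endswith(SCRIPT_EDITOR_SUFFIX):
            return parent["pid"]
        cur = parent
    return None


def find_alerts(events):
    """Flag watched binaries whose ancestry includes Script Editor."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = e["path"].rsplit("/", 1)[-1]
        if name not in WATCHED:
            continue
        root = script_editor_ancestor(e["pid"], by_pid)
        if root is not None:
            alerts.append({"pid": e["pid"], "process": name, "script_editor_pid": root})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The curl process started from Terminal (pid 601) is not flagged, because the rule keys on Script Editor ancestry rather than on the tool itself.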

Editorial Team