A newly identified social engineering campaign is taking aim at macOS users, deploying a sophisticated stealer malware through an advanced form of the ClickFix attack. This strain, dubbed ‘Matryoshka’ after the Russian nesting dolls, employs layered obfuscation techniques to evade detection by security systems.
Innovative Attack Techniques
Matryoshka deceives users into running Terminal commands that mimic legitimate software repairs, effectively bypassing conventional security measures. By exploiting typosquatting domains, the attack ensnares users who mistype URLs, particularly those seeking software reviews. Victims redirected to these fraudulent sites are prompted to input a ‘fix’ command in their macOS Terminal.
Security analysts at Intego have tracked this malicious activity, noting the use of domains like comparisions[.]org, which closely resembles the legitimate comparisons.org through minor typographical changes.
Advanced Evasion Strategies
Unlike past ClickFix variants, Matryoshka utilizes sophisticated evasion techniques designed to thwart detection efforts. The malware’s payload remains encoded and compressed until execution, operating solely in memory. This strategy complicates file-based scans and static analysis, reducing the ability of researchers to identify the threat.
Upon execution, the loader accesses an AppleScript payload crafted to extract browser credentials and target cryptocurrency wallets such as Trezor Suite and Ledger Live. If direct credential theft is unsuccessful, the malware resorts to fake system prompts that persistently solicit passwords.
Infection Process and Mitigations
The infection chain of Matryoshka progresses through several phases, each engineered to avoid detection while ensuring the malware’s operational success. Victims executing the malicious Terminal command initiate a sequence that decodes and decompresses a hidden shell script, avoiding the creation of detectable file artifacts.
The malware employs various evasion tactics, such as detaching its main process to rapidly conclude, deceiving users into believing the operation is complete. It suppresses terminal output and redirects streams to minimize visible clues. Additionally, its command-and-control infrastructure demands specific request headers, misleading unauthorized scanners with generic errors.
Users are advised against pasting commands from unverified sources into Terminal, as legitimate updates should not require such actions. Organizations should focus on blocking typosquatting domains, monitoring Terminal execution patterns, and scrutinizing any suspicious behavior related to cryptocurrency applications.
Stay informed by following us on Google News, LinkedIn, and X for more updates. Consider setting CSN as a preferred source in Google for real-time notifications.
