A recently identified threat, ClickLock Stealer, has emerged as a significant challenge to macOS security. This malware leverages social engineering tactics alongside process termination to circumvent the operating system’s defenses, in turn gathering sensitive user information.
Discovery and Impact
The cybersecurity firm Group-IB first detected ClickLock Stealer in early June, revealing that the malware had likely been active since late May. It has since targeted at least 100 individuals across 33 countries, predominantly affecting users in Europe.
ClickLock Stealer is engineered to extract a wide array of data from compromised machines. This includes information from web browsers, cryptocurrency wallets and their extensions, and password manager extensions. Additionally, it can capture blockchain addresses from six different chains, access the macOS Keychain, and retrieve FTP credentials and shell history. The collected data is then compressed into an archive and transmitted to a Telegram bot for further exploitation.
Distribution and Methodology
While the precise distribution method of ClickLock Stealer remains unclear, researchers suggest that attackers may have utilized SEO poisoning, social media channels, or compromised websites to drive victims to a deceptive ClickFix page masked as a Cloudflare verification step. This page instructs users to execute a bash command in macOS Terminal, leading to the download and execution of an orchestrator script.
This orchestrator script is responsible for fetching additional malware scripts, including a credential stealer, a cryptocurrency stealer, a Keychain stealer, and a backdoor installer. Though the backdoor persists on the infected system, the other scripts self-delete after completing their data collection tasks.
Exploitation Techniques
The design of macOS, with its inherent security features, typically poses challenges for malware deployment. However, ClickLock Stealer’s reliance on social engineering allows it to be installed with user privileges without requiring exploits or privilege escalation.
To extract the desired data, the malware employs continuous process-killing loops. The orchestrator component tricks users by displaying a counterfeit macOS dialog to capture their passwords, terminating all visible processes until the user complies. This aggressive approach includes repeatedly terminating the macOS NotificationCenter for about six hours to suppress security alerts that might notify victims of the ongoing attack.
Further, when attempting to access the macOS Keychain for the Chrome Safe Storage encryption key, the malware prompts users for authorization while simultaneously terminating other processes to ensure compliance.
ClickLock Stealer exemplifies the evolving threat landscape targeting macOS systems. Users are urged to remain vigilant, update their systems regularly, and exercise caution when executing commands or downloading files from unverified sources.
