Jamf Threat Labs, the company’s security research arm, recently shared details of a ClickFix-style attack it spotted running as a sponsored ad on the social media site X. Originating from a well-known verified account, it promoted a malicious domain under the guise of a popular Mac app.
The ad in question was posing as DynamicLake, a legitimate Mac utility that turns your MacBook’s notch into an unofficial but fully working Dynamic Island.
Screenshot of the malicious sponsored tweet posing as the real DynamicLake, via Jamf Threat Labs.
But per Jamf’s investigation, the original link seen above redirects to dynamicmacisland[.]com, a malicious lookalike domain with no ties to the actual app.
Once there, visitors were instructed to open Terminal and paste installation code that would quietly install malware on the victim’s Mac. This is a classic technique that defines ClickFix social engineering attacks.
Legitimate apps, which are signed and notarized by Apple, will never ask you to do this.
Malicious landing page with ClickFix attack. Screenshot via Jamf Threat Labs.
Jamf identified the payload as a recent Atomic Stealer variant, which it tracks as MacSync. DigitStealer has also been identified in some cases of this attack.
The account is well-known