Skip to content
Tech News
← Back to articles

New ClickLock macOS malware traps users into revealing login password

read original more articles
Why This Matters

The ClickLock malware represents a significant threat to macOS users by leveraging social engineering to trick victims into revealing their login credentials, enabling ongoing access and data theft. Its ability to operate undetected and establish persistent backdoors underscores the importance of robust security awareness and defenses for consumers and the tech industry alike.

Key Takeaways

A new macOS information-stealing malware dubbed ClickLock terminates all visible processes to force users into entering their system login password.

The malware is designed to steal cryptocurrency assets, login credentials, password-manager data, browser information, and macOS authentication data, and it can also install a persistent backdoor for ongoing remote access to infected systems.

Researchers at Group-IB analyzed the ClickLock shell script after discovering the malware on VirusTotal, where it was first submitted on June 9. At the time of the report, it remained undetected by all security vendors available on the platform.

Further investigation revealed that the malicious script has infected at least 100 systems across 33 countries since May.

The compromise likely begins via a ClickFix lure, as the researchers observed pastes of a malicious command in the Terminal that trigger a fake Cloudflare “human verification” sequence with an animated progress bar.

At the same time, keyboard interrupts are disabled, the terminal cursor is hidden, and the stealer modules are downloaded in the background.

The macOS NotificationCenter is also suppressed for about six hours, effectively disabling notifications that could expose the attack.

Fake Cloudflare progress bar on the Terminal

Source: Group-IB

Forcing password entry

... continue reading