Malware, Data Security

Atomic Stealer malware abuses macOS Script Editor in new ClickFix attack

A new campaign is delivering the Atomic Stealer malware to macOS users by exploiting the built-in Script Editor application. This method is a variation of the ClickFix attack, which previously tricked users into executing commands in Terminal. The malicious actors are using fake Apple-themed websites that pose as guides to help users reclaim disk space on their Mac computers, according to a recent report by Bleeping Computer.

The attackers leverage the applescript:// URL scheme to launch Script Editor with pre-filled malicious code. This code executes an obfuscated command that downloads and runs a script directly in system memory. The script then decodes a payload, downloads a binary, removes security attributes, makes it executable, and runs it. The final payload is Atomic Stealer (AMOS), a malware-as-a-service that targets sensitive data including Keychain information, browser cryptocurrency wallets, passwords, cookies, credit card details, and system information. AMOS has also been updated with a backdoor for persistent access.

Apple's addition of Terminal warnings for ClickFix attacks is a step towards mitigation, but users should exercise extreme caution with prompts from Script Editor and rely on official sources for system troubleshooting to avoid such threats.

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds