Malware

New macOS stealer uses social engineering and coercion

A new macOS stealer, dubbed ClickLock Stealer, has been observed employing social engineering tactics combined with a coercion routine that renders a victim's machine unusable until their password is provided, according to Group-IB. The malware has impacted at least 100 victims across 33 countries in approximately two months, with a significant portion concentrated in Europe, with further coverage provided by Infosecurity Magazine.

The attack chain begins when a victim pastes a command into their Terminal, often lured by a ClickFix page. The malware then downloads four components from compromised WordPress sites. Two modules focus on credential theft, one targeting macOS Keychain for Chrome passwords and another presenting a fake password dialog. A third module searches for cryptocurrency assets across over 30 wallet extensions. The final component installs GSocket, an open-source reverse-shell tool disguised as an iCloud process. If the victim provides their password, it's exfiltrated along with a system fingerprint. If they cancel, the malware installs LaunchAgents to ensure the credential modules relaunch on login. A kill loop then terminates essential applications like Finder, Dock, and browsers for up to 83 hours, while also suppressing Gatekeeper warnings.

Exfiltration occurs via Telegram, with the malware leaving behind only the GSocket backdoor. This incident highlights a growing trend in macOS malware, with other stealer families also incorporating backdoors and bypassing security warnings.

Source: Infosecurity Magazine

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds