ClickFix on macOS: Blockchain-Powered Infostealer Hidden Inside Compromised Websites

ClickFix on macOS: Blockchain-Powered Infostealer Hidden Inside Compromised Websites
A ClickFix campaign is abusing compromised WordPress sites and a fake Cloudflare verification prompt to trick macOS users into pasting a malicious Terminal command that deploys a three-stage infostealer. The operation uses Polygon-based EtherHiding for resilient C2 delivery and exfiltrates stolen Keychain, browser, and SSH data to genomicsforge[.]com from macOS victims. #ClickFix #EtherHiding #WordPress #Polygon #genomicsforge

Keypoints

  • Hundreds of compromised WordPress sites were found serving the same malicious injection across multiple regions and industries.
  • The attack uses a fake Cloudflare “Verify you are human” prompt to convince victims to paste a Terminal command on macOS.
  • The malicious page resolves its C2 URL from a Polygon smart contract, making takedowns harder through the use of EtherHiding.
  • A full-screen iframe overlay is used to fingerprint the victim’s OS and deliver platform-specific content, with macOS receiving a full infostealer payload.
  • The pasted command downloads a script from genomicsforge[.]com and pipes it directly to zsh, avoiding disk-based detection.
  • The final payload steals macOS Keychain data, browser data, SSH keys, screenshots, and saved passwords via osascript.
  • Stolen data is staged in /tmp/osalogging.zip and exfiltrated in chunks to genomicsforge[.]com/gate before the archive is deleted.

MITRE Techniques

  • [T1189 ] Drive-by Compromise – Victims are lured through compromised websites that inject the malicious overlay and script (‘compromising any accessible WordPress site at scale, using each one as a delivery platform against its own visitors’).
  • [T1059.004 ] Command and Scripting Interpreter: Unix Shell – The pasted command runs a curl download piped into zsh on macOS (‘downloads and immediately pipes a shell script to zsh’).
  • [T1105 ] Ingress Tool Transfer – The script retrieves additional payloads from attacker infrastructure (‘a curl request to genomicsforge[.]com that downloads’).
  • [T1027 ] Obfuscated Files or Information – The dropper is encoded and compressed to hinder detection (‘gzip-compressed and Base64-encoded payload’).
  • [T1027.001 ] Obfuscated Files or Information: Binary Padding – The payload is compressed and encoded before execution (‘gzip-compressed and Base64-encoded payload’).
  • [T1055 ] Process Injection – The article describes in-memory execution and self-evaluation that avoids writing files (‘decompresses and evals itself entirely in memory’).
  • [T1113 ] Screen Capture – The infostealer can capture screenshots from the macOS system (‘capture screenshots’).
  • [T1056.001 ] Input Capture: Keylogging – The malware silences I/O and steals entered sensitive data during user interaction (‘silences all input/output (I/O)’).
  • [T1555.001 ] Credentials from Password Stores: Keychain – The payload accesses the macOS Keychain (‘access the macOS Keychain’).
  • [T1053.005 ] Scheduled Task/Job: Launch Agent – Defenders are told to inspect LaunchAgents for persistence (‘check ~/Library/LaunchAgents/ for unknown persistence’).
  • [T1091 ] Replication Through Removable Media – Not mentioned.
  • [T1021.004 ] Remote Services: SSH – The campaign targets SSH keys stored on the Mac (‘plundering your Mac’s Keychain, browser data, and SSH keys’).
  • [T1132.001 ] Data Encoding: Standard Encoding – The payload uses Base64 encoding as part of its staging (‘Base64-encoded payload’).
  • [T1090 ] Proxy – The attacker infrastructure is routed through multiple RPC endpoints for C2 resolution (‘across six redundant public remote procedure call (RPC) endpoints’).
  • [T1106 ] Native API – The script uses browser and OS features through platform-native components such as osascript (‘executed via osascript’).
  • [T1566.002 ] Phishing: Spearphishing Link – The fake verification page socially engineers the victim into performing the malicious action (‘Verify you are human’ … ‘open Terminal, paste a code’).
  • [T1041 ] Exfiltration Over C2 Channel – Data is uploaded to attacker infrastructure in chunks (‘exfiltrated to genomicsforge[.]com/gate in 10 MB chunks’).
  • [T1005 ] Data from Local System – The malware collects files, passwords, and browser artifacts from the local machine (‘read files, access the macOS Keychain’).

Indicators of Compromise

  • [Domains] ClickFix overlay and payload infrastructure – superstarlog[.]click, superboomer[.]world, and 3 more overlay domains
  • [Domain] Payload delivery and exfiltration C2 – genomicsforge[.]com
  • [RPC endpoints] Blockchain C2 resolution via Polygon – polygon.drpc.org, polygon-bor-rpc.publicnode.com, and 4 more Polygon RPC endpoints
  • [Smart contract address] C2 URL stored on Polygon – 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308
  • [File path] Data staging file on macOS – /tmp/osalogging.zip
  • [URL path] Exfiltration endpoint – /gate


Read more: https://www.levelblue.com/blogs/spiderlabs-blog/clickfix-on-macos-blockchain-powered-infostealer-hidden-inside-compromised-websites