Netskope Threat Labs reported a fileless ClickFix campaign targeting macOS users with a new “Meow (DEBUG)” AppleScript payload that steals credentials, browser data, crypto wallets, and other sensitive information before establishing persistence and remote control. The campaign uses 25 short-lived lure domains, geofences Russian-language systems, and is linked to a Russian-speaking attacker and the C2 infrastructure at qwqerrqwr2145qw[.]com and scope-quest[.]com. #MeowDEBUG #ClickFix #NetskopeThreatLabs #qwqerrqwr2145qwcom #scopequestcom
Keypoints
- The campaign delivers a fileless AppleScript-based payload to macOS victims through ClickFix social engineering.
- The second-stage malware self-identifies as “Meow (DEBUG)” and is more than an infostealer, adding remote access and post-compromise abuse.
- The loader checks for a Russian keyboard layout and exits on such hosts (a common CIS-avoidance check), while still sending telemetry about skipped hosts to C2.
- The malware steals passwords, browser credentials, cookies, keychain data, Telegram, Discord, Steam data, Apple Notes, and targeted files from Desktop and Documents.
- It targets cryptocurrency wallet applications and browser wallet extensions, then overwrites wallet app.asar files and ad-hoc re-signs them.
- Persistence is achieved through a LaunchDaemon or LaunchAgent disguised as com.apple.accountsd, with 60-second C2 heartbeat polling.
- The infrastructure used 25 short-lived lure domains and shared C2 and registrar details tied to the same operator.
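The persistence described above (a LaunchDaemon or LaunchAgent named com.apple.accountsd) can be hunted for with a short plist audit. The following is an added example, not code from the Netskope report or from the campaign. It rests on one assumption, stated in the code: Apple registers its own com.apple.* launchd jobs under /System/Library/LaunchAgents and /System/Library/LaunchDaemons on the sealed system volume, so a com.apple.* label inside the admin- or user-writable /Library/LaunchDaemons, /Library/LaunchAgents or ~/Library/LaunchAgents has no legitimate reason to exist. The sample plists are constructed; the report gives the persistence paths but not the exact ProgramArguments layout, and the StartInterval check is a general beacon heuristic rather than a detail the report confirms.

```python
"""Hunt for launchd jobs that masquerade as Apple services (e.g. com.apple.accountsd).

Added example, not code from the Netskope report. Heuristic (assumption): Apple keeps its
own com.apple.* launchd jobs under /System/Library/Launch{Agents,Daemons}; a com.apple.*
label registered from a third-party or user-writable launchd directory is suspicious.
"""
import plistlib
from pathlib import Path

# Writable launchd directories where Apple never places its own com.apple.* jobs.
THIRD_PARTY_DIRS = {
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    str(Path("~/Library/LaunchAgents").expanduser()),
}
# Prefixes a genuine Apple helper would be executed from.
APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")


def job_paths(job: dict) -> list[str]:
    """Every absolute path a job could execute: Program plus all ProgramArguments."""
    paths = []
    if job.get("Program"):
        paths.append(str(job["Program"]))
    paths.extend(str(a) for a in job.get("ProgramArguments", []))
    return [p for p in paths if p.startswith("/")]


def assess_plist(data: bytes, location: str) -> list[str]:
    """Return the reasons a launchd plist looks like masquerading persistence ([] = nothing found)."""
    try:
        job = plistlib.loads(data)
    except Exception:  # both binary and XML plist parse failures land here
        return ["unparseable plist"]
    loc = str(Path(location).expanduser())
    label = str(job.get("Label", ""))
    paths = job_paths(job)
    reasons = []
    if label.startswith("com.apple.") and loc in THIRD_PARTY_DIRS:
        reasons.append(f"Apple-style label {label!r} registered from third-party dir {loc}")
    if label.startswith("com.apple.") and not all(p.startswith(APPLE_PROGRAM_PREFIXES) for p in paths):
        reasons.append("com.apple.* job executes something outside Apple system paths")
    for p in paths:
        # Hidden directory components (.com.apple.accountsd, .service) or /tmp staging.
        if p.startswith("/tmp/") or any(part.startswith(".") for part in Path(p).parts[1:]):
            reasons.append(f"hidden or temporary path {p!r}")
    interval = job.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        reasons.append(f"short StartInterval={interval}s, a polling cadence typical of a beacon")
    return reasons


def scan_directory(directory: str) -> dict[str, list[str]]:
    """Assess every .plist in a real launchd directory; {} if the directory does not exist."""
    d = Path(directory).expanduser()
    findings = {}
    if d.is_dir():
        for f in d.glob("*.plist"):
            reasons = assess_plist(f.read_bytes(), directory)
            if reasons:
                findings[str(f)] = reasons
    return findings


# Constructed samples (not captured artifacts); the argument layout of the real job is assumed.
MALICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.accountsd",
    "ProgramArguments": ["/bin/zsh", "/Library/Application Support/.com.apple.accountsd/.service"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
GENUINE_APPLE_PLIST = plistlib.dumps({
    "Label": "com.apple.accountsd",
    "Program": "/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd",
})
BENIGN_THIRD_PARTY_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "StartInterval": 3600,
})

if __name__ == "__main__":
    print("malicious:", assess_plist(MALICIOUS_PLIST, "/Library/LaunchDaemons"))
    print("genuine:  ", assess_plist(GENUINE_APPLE_PLIST, "/System/Library/LaunchAgents"))
    print("benign:   ", assess_plist(BENIGN_THIRD_PARTY_PLIST, "/Library/LaunchDaemons"))
    for directory in THIRD_PARTY_DIRS:
        print(directory, scan_directory(directory))
```

On a live macOS host, run it as a user to cover ~/Library/LaunchAgents and again with sudo for the /Library directories; a genuine accountsd job will only ever show up under /System/Library, which the scan deliberately leaves out of THIRD_PARTY_DIRS.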
MITRE Techniques
- [T1204.001 ] User Execution: Malicious Link – Victims are tricked into visiting attacker-controlled or compromised sites and copying/executing a terminal command through a fake ClickFix page. [‘Victims are tricked into visiting a compromised or attacker-controlled website that instructs them to copy and execute a terminal command manually.’]
- [T1059.004 ] Command and Scripting Interpreter: Unix Shell – The initial loader is a zsh script executed from a pasted command. [‘The execution string… executes a terminal command manually.’]
- [T1059.002 ] Command and Scripting Interpreter: AppleScript – The second stage is an AppleScript payload delivered and run in memory via osascript. [‘the stage 2 AppleScript payload pipes straight into osascript memory’]
- [T1027 ] Obfuscated Files or Information – The loader uses gzip-compressed, base64-encoded heredoc content to hide the stage 1 payload. [‘evaluating a gzip-compressed, base64-encoded heredoc’]
- [T1140 ] Deobfuscate/Decode Files or Information – The script decodes the heredoc and base64 content before execution. [‘evaluating a gzip-compressed, base64-encoded heredoc’]
- [T1027.009 ] Obfuscated Files or Information: Embedded Payloads – The loader fetches a gzip-compressed stager and pipes the embedded AppleScript directly into memory. [‘fetches a gzip-compressed stager… pipes the second-stage AppleScript directly into osascript memory’]
- [T1554 ] Compromise Host Software Binary – The malware replaces the app.asar of installed wallet applications with trojanized components and ad-hoc re-signs the bundles so the legitimate apps run attacker code. [‘swaps their core files with trojanized components’]
- [T1543.001 ] Create or Modify System Process: Launch Agent – A user-level LaunchAgent is installed for persistence when root access is unavailable. [‘A LaunchAgent is written to ~/Library/LaunchAgents/com.apple.accountsd.plist’]
- [T1543.004 ] Create or Modify System Process: Launch Daemon – A LaunchDaemon is written to persist as com.apple.accountsd with elevated privileges. [‘A LaunchDaemon is written to /Library/LaunchDaemons/com.apple.accountsd.plist’]
- [T1036 ] Masquerading – Persistence artifacts impersonate Apple’s account synchronization daemon and the password-capture dialog imitates System Preferences. [‘matching the name of Apple’s legitimate account synchronization daemon’; ‘title “System Preferences”’]
- [T1552.001 ] Unsecured Credentials: Credentials In Files – The malware collects browser logins, cookies, keychain data, and other stored secrets. [‘harvest credentials, browser data, session cookies, and keychain contents’]
- [T1555.003 ] Credentials from Password Stores: Credentials from Web Browsers – It copies browser login databases, cookies, and Safe Storage keys from Chrome, Brave, and Edge. [‘copies: Login Data, Cookies…’]
- [T1555.001 ] Credentials from Password Stores: Keychain – It copies the full keychain directory and unlocks the login keychain to retrieve stored secrets. [‘The full keychain directory (~/Library/Keychains/) is also copied recursively.’]
- [T1056.002 ] Input Capture: GUI Input Capture – A fake system dialog collects the victim’s password. [‘display dialog… prompt the user to enter their password’]
- [T1204.004 ] User Execution: Malicious Copy and Paste – The lure page silently writes the execution string to the user’s clipboard and instructs the victim to paste it into Terminal. [‘uses the Web Clipboard API to silently drop the execution string onto the user’s clipboard’]
- [T1071.001 ] Application Layer Protocol: Web Protocols – The implant beacons to the C2 gate over HTTPS and executes server-supplied commands returned by the gate. [‘It maintains a persistent command-and-control (C2) beaconing loop’]
- [T1105 ] Ingress Tool Transfer – The payload downloads stagers, AppleScript content, and wallet replacement archives from C2. [‘curl… fetches a gzip-compressed stager’; ‘Download a zip archive from the C2 gate’]
- [T1560.001 ] Archive Collected Data: Archive via Utility – Staged data under /tmp/shub_/ is compressed into /tmp/shub_log.zip before exfiltration. [‘The archive is then posted to the gate endpoint’]
- [T1041 ] Exfiltration Over C2 Channel – Collected data is posted to the gate endpoint. [‘The archive is then posted to the gate endpoint’]
- [T1614.001 ] System Location Discovery: System Language Discovery – The loader checks the keyboard layout and exits if Russian input is enabled, avoiding CIS victims. [‘searches for a Russian keyboard layout and exits silently if Russian input is enabled’]
- [T1614 ] System Location Discovery – Locale details and the victim’s external IP are collected and reported in loader telemetry, including for hosts the loader skips. [‘This traffic contains the victim’s external IP, locale details, hostname, OS version’]
- [T1016 ] System Network Configuration Discovery – The beacon includes external IP and host details. [‘This traffic contains the victim’s external IP, locale details, hostname, OS version’]
- [T1082 ] System Information Discovery – The loader and heartbeat collect hostname, OS version, and platform UUID. [‘hostname’, ‘os_version’; ‘BOT_ID=$(ioreg…IOPlatformUUID)’]
- [T1059 ] Command and Scripting Interpreter – The heartbeat loop runs operator-supplied payloads on demand, which is what gives the implant its RAT capability beyond data theft. [‘allowing the operator to remotely execute payloads and retask the infected host at will’]
Indicators of Compromise
- [Domains ] lure and C2 infrastructure – qwqerrqwr2145qw[.]com, scope-quest[.]com, and 25 short-lived lure domains including filesapphirecanvas[.]sbs and fileprairiestudio[.]com
- [URLs ] delivery and telemetry endpoints – hxxps://qwqerrqwr2145qw[.]com/api/debug/event, hxxps://qwqerrqwr2145qw[.]com/debug/payload.applescript?build=3447ad192726ee391881be6e86c7eeab
- [File/Path ] malicious staging and persistence files – /tmp/shub_/, /tmp/shub_log.zip, /tmp/.c.sh, /Library/LaunchDaemons/com.apple.accountsd.plist, ~/Library/LaunchAgents/com.apple.accountsd.plist
- [File/Path ] persistence working directory – /Library/Application Support/.com.apple.accountsd/.service
- [File/Path ] legitimate files read or stolen by the malware (not malicious themselves) – ~/Library/Preferences/com.apple.HIToolbox.plist (keyboard-layout check), ~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite (Apple Notes theft)
- [Hashes/Build IDs ] campaign identifiers – build ID 3447ad192726ee391881be6e86c7eeab (from the payload URL), SHA-256 948be3ba885ea945acc4f42867be0298b5285ce245b6c787d56a3b798c40a236
- [API Keys ] gate access credential – 15c1f07222c4441a0251e05d241ee3ef6697db7fa5ea8eaa64ef51e174e945b6
- [Email/Registrar Contact ] shared infrastructure contact – dbc9a6801423efc7s@ghastlier[.]com
- [Application/File Names ] payload and lure components – page-loader.js, links/data.txt, app.asar, LockedIcon.icns
- [Browser/Wallet Artifacts ] credential stores and wallet data – Login Data and Cookies (Chromium-based browsers), key4.db and cookies.sqlite (Firefox), MetaMask extension ID nkbihfbeogaeaoehlefnkodbefgpgknn
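The 60-second heartbeat to the telemetry endpoint above is the kind of behaviour that stands out in proxy logs even once the lure domains have rotated. The following is an added example, not code from the Netskope report: it groups requests by source host and endpoint, measures the gap between consecutive hits, and flags any series with a short, low-jitter period. The log line format (ISO-8601 timestamp, source IP, method, URL, status) and every log line are constructed for the example; adapt the regex to your proxy's format. The thresholds are assumptions, not values from the report.

```python
"""Flag hosts that poll an endpoint on a fixed short cadence, e.g. a 60-second C2 heartbeat.

Added example, not code from the Netskope report. Log format and sample lines are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed format: "<ISO8601> <src_ip> <GET|POST> <url> <status>"; adjust for a real proxy.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = urlsplit(m["url"])
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "method": m["method"],
        "endpoint": f"{u.netloc}{u.path}",  # drop query strings so build=... variants group together
        "status": int(m["status"]),
    }


def find_beacons(lines, min_hits=5, max_period_s=120.0, max_jitter_s=3.0):
    """Return (src, endpoint) series whose median inter-request gap is short and regular.

    Thresholds are assumptions: at least min_hits requests, median period <= max_period_s,
    sample standard deviation of the gaps <= max_jitter_s.
    """
    series = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            series[(rec["src"], rec["endpoint"])].append(rec["ts"])
    beacons = []
    for (src, endpoint), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(deltas)
        jitter = statistics.stdev(deltas)  # len(deltas) >= min_hits - 1 >= 2 here
        if period <= max_period_s and jitter <= max_jitter_s:
            beacons.append({"src": src, "endpoint": endpoint, "hits": len(stamps),
                            "period_s": period, "jitter_s": round(jitter, 2)})
    return beacons


# Constructed sample log: one host beaconing every ~60 s to the reported gate endpoint,
# one host browsing irregularly, one host doing a legitimate hourly update check.
BASE = datetime(2025, 6, 1, 10, 0, 0)


def _line(offset_s, src, method, url, status=200):
    return f"{(BASE + timedelta(seconds=offset_s)).isoformat()} {src} {method} {url} {status}"


SAMPLE_LOG = (
    [_line(o, "10.0.0.5", "POST", "https://qwqerrqwr2145qw.com/api/debug/event")
     for o in (0, 59, 120, 180, 240, 299, 360, 420, 480, 540)]
    + [_line(o, "10.0.0.7", "GET", "https://www.example.com/index.html") for o in (3, 18, 418, 425)]
    + [_line(o, "10.0.0.9", "GET", "https://updates.example.net/check") for o in range(0, 5 * 3600, 3600)]
    + ["this line does not match the format and is skipped"]
)

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(b)
```

The hourly poller is deliberately left out by the period threshold and the browsing host by the hit count; tightening max_jitter_s catches sleep-loop implants with no randomisation, while implants that add jitter need a looser bound and a longer observation window.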
Read more: https://www.netskope.com/blog/macos-clickfix-lures-deploy-applescript-stealer-persistent-rat