ClickLock is a new macOS info-stealer that uses fake Cloudflare verification and forced password prompts to steal credentials, cryptocurrency data, browser information, and macOS authentication data. Group-IB found it has already affected at least 100 systems in 33 countries and can also install a persistent GSocket backdoor for remote access. #ClickLock #GroupIB #GSocket
Keypoints
- ClickLock targets macOS users with a fake verification flow and malicious Terminal commands.
- The malware forces repeated password prompts by terminating visible system processes.
- It steals browser data, wallet information, credentials, and macOS authentication data.
- ClickLock can establish persistence through LaunchAgents and related startup mechanisms.
- The final payload uses GSocket to provide attackers with a persistent remote backdoor.