‘ClickLock Stealer’ Bypasses macOS Security With Social Engineering, Process Killing

A new macOS malware named ClickLock Stealer leverages social engineering and process killing to bypass the operating system’s protections and obtain valuable information from victims. 

Cybersecurity firm Group-IB came across ClickLock Stealer in early June, and the malware appears to have been around since at least late May. Researchers say it has targeted at least 100 users across 33 countries, more than half in Europe.

The stealer is designed to collect various types of data from compromised systems, including web browsers, cryptocurrency wallets and wallet extensions, and password manager extensions. It can also harvest blockchain addresses from six chains and target the macOS Keychain, FTP credentials, and shell history. The stolen data is added to an archive file and exfiltrated to a Telegram bot.

While Group-IB researchers could not definitively determine how ClickLock Stealer is distributed, they believe threat actors may have used SEO poisoning, social media posts, or compromised websites to lure victims to a ClickFix attack page disguised as a Cloudflare verification. 

Users who land on this page are instructed to copy a bash command, paste it into macOS’s Terminal, and execute it. Once the command is run, an orchestrator script file is downloaded and executed, which in turn fetches four other scripts representing a credential stealer, a cryptocurrency stealer, a Keychain stealer, and a backdoor installer. 

The backdoor remains on the compromised machine, but the other scripts are removed once they have harvested the targeted data and sent it back to the attacker.

Advertisement. Scroll to continue reading.

macOS’s design and built-in protections make it harder to deploy malware. However, ClickLock Stealer succeeds primarily through social engineering because the malware is downloaded and executed directly by the victim with their own privileges. Unlike other malware, it does not need exploits or privilege escalation. 

To access the targeted data, the malware employs aggressive process-killing loops. The orchestrator component displays a fake macOS dialog to capture the user’s password, killing every visible process so that only the password window is shown on the screen until the victim complies.

“A background loop also starts killing macOS NotificationCenter continuously for approximately ~6 hours, suppressing any Gatekeeper or security warnings that might alert the victim,” Group-IB explained in a blog post describing ClickLock Stealer

Other components also aggressively terminate applications that the victim may use to analyze or disrupt the attack. The credential stealer component also displays a fake macOS password dialog and keeps it open in a long loop while other applications are terminated, forcing the victim to enter the password. 

When the malware queries the macOS Keychain for the Chrome Safe Storage encryption key, which protects passwords and other browser data, the user is prompted to authorize the action. Again, all processes are killed until the user complies and Keychain access is granted.

Related: macOS Weaknesses Chained to Silently Disable Endpoint Security Agents

Related: MacSync macOS Malware Distributed via Signed Swift Application

Related: Apple Patches Dozens of Vulnerabilities Across iOS, macOS, and Safari

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *