
Threat intel outfit Group-IB has detailed a previously undocumented macOS information stealer that doesn't bother hunting for software bugs. Instead, it persuades users to pwn themselves by pasting a command into Terminal, after which it helps itself to passwords, crypto wallets, browser data, and anything else worth stealing. The boffins have dubbed the malware ClickLock Stealer," a nod to its use of the increasingly popular ClickFix social engineering technique and a coercive "locker" feature that pressures victims into handing over their Mac login password. According to the researchers, the operation has been active since around May and has already targeted at least 100 victims across 33 countries, with more than half located in Europe. Group-IB said it discovered the malware after analyzing a malicious shell script uploaded to VirusTotal on June 9 that had zero antivirus detections at the time. The attackers appear to distribute the malware via fake verification pages using ClickFix, host payloads on compromised WordPress sites, and rely on Telegram infrastructure for command-and-control. "The current malware doesn't even need any elevated privileges or rely on exploits for the successful execution," the researchers wrote. Instead, victims are tricked into launching the infection themselves. After they paste the supplied command into Terminal, the malware displays what appears to be a Cloudflare verification sequence, complete with a fake progress animation, while quietly downloading additional components in the background. Group-IB says ClickLock targets data from eight browsers, 31 cryptocurrency wallet browser extensions, seven password manager extensions, eight desktop wallet applications, macOS Keychain, shell history, FTP credentials, and blockchain addresses spanning six different chains. The malware also deploys a modified version of the open source GSocket tool to provide the attackers with remote access. The researchers believe the malware is still under active development based on its code structure and other artifacts, suggesting operators are continuing to expand its capabilities. The nastiest touch comes when victims refuse to play along. During the fake verification process, ClickLock prompts for the user's macOS password. If the password isn't entered, the malware repeatedly kills visible applications, effectively preventing normal use of the machine until the victim complies. If the password is supplied, the theft completes quietly. If the machine is rebooted instead, persistence mechanisms are designed to resume the attack. "The entire attack chain from initial access to full credential theft and data exfiltration relies on a single moment of trust: the user pasting a command into Terminal," Group-IB wrote. The researchers say defenders will need to watch for suspicious behavior rather than known malware signatures. Among the warning signs are unexpected password prompts, applications being repeatedly forced to close, unusual access to browser data and stored credentials, and connections sending stolen information to Telegram. For everyone else, the advice is considerably simpler. If a website claiming to be Cloudflare, Google, or anyone else asks you to open Terminal and paste in a command, close the tab. (R)