Threat intel outfit Group-IB has detailed a previously undocumented macOS information stealer that doesn't bother hunting for software bugs. Instead, it persuades users to pwn themselves by pasting a command into Terminal, after which it helps itself to passwords, crypto wallets, browser data, and anything else worth stealing. The boffins have dubbed the malware “ClickLock Stealer,” a nod to its use of the increasingly popular ClickFix social engineering technique and a coercive "locker" feature that pressures victims into handing over their Mac login password. According to the researchers, the operation has been active since around May and has already targeted at least 100 victims across 33 countries, with more than half located in Europe. Group-IB said it discovered the malware after analyzing a malicious shell script uploaded to VirusTotal on June 9 that had zero antivirus detections at the time. The attackers appear to distribute the malware via fake verification pages using ClickFix, host payloads on compromised WordPress sites, and rely on Telegram infrastructure for command-and-control. "The current malware doesn't even need any elevated privileges or rely on exploits for the successful execution," the researchers wrote. Instead, victims are tricked into launching the infection themselves. After they paste the supplied command into Terminal, the malware displays what appears to be a Cloudflare verification sequence, complete with a fake progress animation, while quietly downloading additional components in the background. Group-IB says ClickLock targets data from eight browsers, 31 cryptocurrency wallet browser extensions, seven password manager extensions, eight desktop wallet applications, macOS Keychain, shell history, FTP credentials, and blockchain addresses spanning six different chains. The malware also deploys a modified version of the open source GSocket tool to provide the attackers with remote access. The researchers believe the malware is still un
تقنية