4 min read

ClickLock malware locks Macs until victims enter passwords

A new macOS stealer called ClickLock has hit at least 100 systems in 33 countries, using fake password prompts and kill loops to force login credentials.

Image: BleepingComputer

A newly discovered macOS malware strain called ClickLock is designed to corner victims into handing over their system login password. According to Group-IB, the malware steals cryptocurrency assets, login credentials, password-manager data, browser information, and macOS authentication data, and can also install a persistent backdoor for remote access.

The researchers found the shell script on VirusTotal, where it was first submitted on June 9. At the time of Group-IB’s report, it was still undetected by all security vendors listed on the platform. Group-IB says the malware has infected at least 100 systems across 33 countries since May.

The infection chain likely starts with a ClickFix lure. Victims are tricked into pasting a malicious command into Terminal, which launches a fake Cloudflare “human verification” flow with an animated progress bar. While that runs, the malware disables keyboard interrupts, hides the terminal cursor, downloads stealer modules in the background, and suppresses macOS NotificationCenter for about six hours.

Recommended reading

US charges pair over $43M scam laundering ring

ClickLock doesn’t rely on exploits or elevated privileges. Instead, it uses social engineering and repeated forced interactions. It first shows a fake macOS password dialog that uses the victim’s real username and a downloaded Apple icon. If the victim enters the password, the malware validates it and sends it to the attacker through Telegram.

If the dialog is canceled, ClickLock installs persistence using two LaunchAgents: com.authirity.plist and com.chromer.plist. On the next login, one component starts a kill loop every 210 milliseconds, repeatedly terminating apps including Finder, Dock, Terminal, Activity Monitor, Console, System Settings, Spotlight, and web browsers. The only thing left on screen is the password prompt. Group-IB says this loop is set to continue for 300,000 seconds — about 83 hours — or until the correct password is entered.

The kill loop function
The kill loop function

A second LaunchAgent uses a similar tactic, killing system apps while presenting a legitimate Keychain authorization prompt to gain access to Chrome’s Safe Storage key. That key can be used to decrypt offline Chromium data such as saved passwords, cookies, and autofill records. This loop runs every 200 milliseconds and is configured to last 3 million seconds, or nearly 35 days.

The stealer module targets a wide range of data, including:

  • Data from eight browsers: Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Chromium
  • Saved logins, cookies, autofill data, bookmarks, local storage, and session storage
  • Cryptocurrency wallet extensions and desktop wallet files
  • Encrypted wallet vaults for possible offline cracking
  • Password-manager extension data
  • Cached crypto addresses across EVM, Bitcoin, Solana, TRON, TON, and Stacks
  • Shell histories
  • FileZilla FTP configuration and recent-server data
  • Basic system information and the public IP address

The harvested data is packed into a ZIP archive with a summary log and uploaded through the Telegram Bot API. Files larger than 40 MB are split into smaller parts, with retry logic to resume uploads after temporary network issues.

The final stage is a modified version of the open-source tool GSocket, which acts as the malware’s persistent backdoor. It maintains access through a LaunchAgent, crontab entries, and changes to shell configuration files, then connects through a GSocket relay to provide a reverse shell. Group-IB notes that, unlike the other ClickLock components that self-delete after running, GSocket remains on infected systems.

The complete ClickLock attack chain
The complete ClickLock attack chain

Group-IB warns that the malware leaves defenders with a narrow detection window because its payloads are hosted on compromised legitimate domains, the script is not flagged on VirusTotal, and most modules erase themselves after execution. Still, the researchers say defenders can spot it through activity such as osascript launching password dialogs, repeated process termination, mass access to browser profile folders, and outbound traffic to Telegram’s API.

“Any page that instructs you to open Terminal, regardless of how professional it looks, is attempting to compromise your system.”

Group-IB researchers

For users, the advice is blunt: do not paste Terminal commands you do not fully understand, especially when a website asks for it. If a Mac suddenly becomes unresponsive and only a login-password prompt remains, Group-IB recommends forcing a shutdown by holding the power button, then booting into Safe Mode.

article image
article image
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

// Keep reading