2 min read

macOS ClickFix hides a backdoor in copied Terminal commands

A Netskope report details a macOS ClickFix campaign that steals data, swaps crypto wallet apps, and installs a persistent remote access trojan.

Image: 9to5Mac

A newly detailed macOS ClickFix campaign is using social engineering, not exploits, to compromise Macs. According to a report from Netskope Threat Labs cited by 9to5Mac, the attack convinces users to paste a command into Terminal, deploying an AppleScript-based information stealer and a persistent remote access trojan.

The infection starts on compromised or attacker-controlled sites posing as legitimate services. Netskope said it found fake macOS optimization utility pages, fake GitHub repositories, and localized IT support pages. When a victim clicks a copy button, malicious JavaScript places the command on the clipboard. Once run in Terminal, it fetches a script that executes entirely in memory, leaving little on disk for standard malware scans to catch.

The second-stage payload then shows a fake Mac System Preferences prompt asking for the user’s macOS login password. If entered, the malware uses it to unlock the macOS keychain and extract saved passwords, session cookies, and data from messaging apps.

Recommended reading

Rostec unveils Spider anti-drone shield for fuel sites

It also goes after cryptocurrency software. According to 9to5Mac, the malware targets 25 different desktop wallets, kills the legitimate app, replaces the core application bundle with a trojanized version, and applies an ad hoc code signature so the altered app can still launch without triggering Gatekeeper warnings.

For persistence, the payload installs a background configuration file disguised as an Apple system account process named com.apple.accountsd. Netskope said that process checks in with a command-and-control server every minute, giving attackers an ongoing beacon and the ability to execute arbitrary code remotely.

9to5Mac argues the campaign shows how effective native macOS tools can be in the hands of attackers, even without a zero-day or kernel exploit. For enterprise IT teams, the practical takeaway is simple: train users never to paste unknown commands into Terminal, and consider restricting Terminal access on managed Macs where it is not required.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via 9to5Mac

// Keep reading