An aggressive social engineering technique has been used by ClickLock, an information-stealing macOS malware, to obtain victims’ information about their system login passwords. Security researchers at Group-IB report that the malware disables normal system functionality, leaving users with little interaction other than a password prompt designed to harvest their credentials.
After a malicious shell script was uploaded to VirusTotal in June, ClickLock was discovered to have already compromised 100 computer systems in 33 countries since May after first being identified in June. According to researchers, ClickLock is still undergoing active development and remained undetected by security engines on the platform when it was discovered, showing its ability to evade traditional antivirus solutions.
Despite analyzing the full payload chain of the malware, the initial lure pages used to deliver the attack have not yet been identified, suggesting that the campaign’s distribution infrastructure is still evolving. Despite the complete analysis of the malware chain, investigators have not yet identified the original lure pages that were used to deliver the attack. Group-IB researchers also believe ClickLock is still under active development.
The compromised websites hosting the malicious payloads have been identified, but the exact methods used to drive victims to those pages remain under investigation. Over half of the known victims are located in Europe, according to Group-IB. Despite the fact that it is unclear how precisely the malware is distributed, researchers believe that it has been active since late May.
According to experts, the attackers use SEO poisoning, compromised websites, or social media posts to lure users to fake verification pages that send them to malicious websites.
How the Attack Works
According to experts, the infection is believed to have originated through a social engineering campaign similar to ClickFix, in which victims are fooled into copying and pasting a malicious command into the macOS Terminal, pretending to complete a Cloudflare “human verification” process.
It has not been determined which initial infection source was employed, but it is believed that attackers may have utilized SEO poisoning, compromised websites, or malicious social media posts to redirect victims to a fake verification page that triggers the attack. As soon as the malware has been executed, it suppresses system notifications, hides the Terminal cursor, and silently downloads additional malicious components.
A script initially executed acts as an orchestrator, downloading four separate components responsible for the theft of credentials, the theft of cryptocurrency, the collection of Keychain data, and the installation of a persistent backdoor, among others. After completing their tasks, data-stealing modules automatically delete themselves in order to reduce forensic evidence; however, the backdoor remains active to allow attackers long-term access to compromised computers.
In addition, it displays a false macOS password prompt based on the victim’s actual username and an Apple-style interface in order to make it appear legitimate. After clicking the login button, ClickLock validates the credentials and immediately sends them to the attackers through Telegram. If the prompt is dismissed, the malware establishes persistence via LaunchAgents and repe
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article:
