Search This Blog

Popular Posts

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label ClickLock Malware. Show all posts

Group-IB Uncovers ClickLock macOS Malware Targeting Passwords and Crypto Wallets


An aggressive social engineering technique has been used by ClickLock, an information-stealing macOS malware, to obtain victims' information about their system login passwords. Security researchers at Group-IB report that the malware disables normal system functionality, leaving users with little interaction other than a password prompt designed to harvest their credentials. 


After a malicious shell script was uploaded to VirusTotal in June, ClickLock was discovered to have already compromised 100 computer systems in 33 countries since May after first being identified in June. According to researchers, ClickLock is still undergoing active development and remained undetected by security engines on the platform when it was discovered, showing its ability to evade traditional antivirus solutions. 

Despite analyzing the full payload chain of the malware, the initial lure pages used to deliver the attack have not yet been identified, suggesting that the campaign's distribution infrastructure is still evolving. Despite the complete analysis of the malware chain, investigators have not yet identified the original lure pages that were used to deliver the attack. Group-IB researchers also believe ClickLock is still under active development. 

The compromised websites hosting the malicious payloads have been identified, but the exact methods used to drive victims to those pages remain under investigation. Over half of the known victims are located in Europe, according to Group-IB. Despite the fact that it is unclear how precisely the malware is distributed, researchers believe that it has been active since late May. 

According to experts, the attackers use SEO poisoning, compromised websites, or social media posts to lure users to fake verification pages that send them to malicious websites.

How the Attack Works

According to experts, the infection is believed to have originated through a social engineering campaign similar to ClickFix, in which victims are fooled into copying and pasting a malicious command into the macOS Terminal, pretending to complete a Cloudflare "human verification" process. 

It has not been determined which initial infection source was employed, but it is believed that attackers may have utilized SEO poisoning, compromised websites, or malicious social media posts to redirect victims to a fake verification page that triggers the attack. As soon as the malware has been executed, it suppresses system notifications, hides the Terminal cursor, and silently downloads additional malicious components. 

A script initially executed acts as an orchestrator, downloading four separate components responsible for the theft of credentials, the theft of cryptocurrency, the collection of Keychain data, and the installation of a persistent backdoor, among others. After completing their tasks, data-stealing modules automatically delete themselves in order to reduce forensic evidence; however, the backdoor remains active to allow attackers long-term access to compromised computers.

In addition, it displays a false macOS password prompt based on the victim's actual username and an Apple-style interface in order to make it appear legitimate. After clicking the login button, ClickLock validates the credentials and immediately sends them to the attackers through Telegram. If the prompt is dismissed, the malware establishes persistence via LaunchAgents and repeatedly launches until the correct password is entered. 

System Lockdown and Data Theft

One of ClickLock's most disruptive features is its repeated termination of essential macOS processes, including Finder, Dock, Terminal, Activity Monitor, System Settings, Spotlight, and major web browsers. This malware continuously destroys these applications, causing users to be locked out of their computer for extended periods of time. 

According to researchers, ClickLock is able to exploit vulnerabilities in software without exploiting elevated privileges or exploiting software vulnerabilities. It relies on social engineering to persuade users to execute the malicious command themselves and repeatedly force them to interact with fake authentication prompts until they divulge their login credentials. 

Additionally to stealing login credentials, ClickLock attacks a wide range of sensitive information, including the following: 

  • Browser passwords, cookies, bookmarks, and autofill data. 
  • Cryptocurrency wallet files and browser wallet extensions. 
  • Password manager data. 
  • Shell histories and FileZilla FTP configurations. 
  • Basic system information and the victim's public IP address. 

It is the primary objective of the attackers to obtain the Chrome Safe Storage encryption key. By using this key, cybercriminals can decrypt stolen browser databases offline, allowing them to retrieve saved passwords, cookies, and other encrypted Chromium-based browser data without requiring continued access to the victim's computer. 

A modified version of the open-source GSocket tool is also installed by the malware, allowing attackers to gain persistent remote access to compromised devices by compressing collected data into ZIP archives and exfiltrating it through the Telegram Bot API. A legitimate system authorization prompt provides attackers with persistent remote access to compromised devices in addition to targeting macOS Keychain through a request for Chrome's Safe Storage encryption key. 

Using this malware, attackers can decrypt passwords, cookies, and other sensitive Chromium-based browser data offline if the user grants permission. Researchers noted that instead of exploiting software vulnerabilities, the malware's operators appear to rely exclusively on legitimate Mac OS features. 

ClickLock bypasses many of the operating system's built-in security protections through deception instead of technical exploit by convincing users to execute malicious commands. 

Staying Protected

ClickLock provides a limited detection window due to the fact that most of its components are deleted after execution and are hosted on compromised legitimate websites, according to Group-IB. It is strongly recommended that users should never copy and paste Terminal commands from websites or untrusted sources, regardless of their convincing appearance. Before investigating an infection on macOS, it is recommended that you force a shutdown by pressing the power button and restarting the device in Safe Mode.