- Sophos warns of multiple ClickFix campaigns on macOS
- Fake AI Tools, ChatGPT Conversations, and Apple Site Used to Spread MacSync Information Stealer
- Latest variant employs loaders, AppleScript, and in-memory execution for stealth
Security researchers have warned of an increase in ongoing malware campaigns targeting macOS users, leveraging malicious ads, legitimate hosting services, brand spoofing, fake ChatGPT conversations, and a bit of old-fashioned social engineering to infect victims.
A new report from Sophos claims that at least three different ClickFix campaigns were run over the past three months. ClickFix is a known method where criminals present users with a fake problem and at the same time offer a solution, which can be anything from a fake CAPTCHA to a “locked” document.
Whatever it is, “solving” the problem requires running a Terminal command that downloads and installs MacSync infostealer.
MacOS a frequent target
In the first campaign, the “problem” was installing a browser with AI. Users searching for a specific keyword would see an ad at the top of Google search results that would take them to a fake browser download page, hosted on sites.google.com.
The site looks authentic and spoofs OpenAI’s ChatGPT Atlas, but to download it, users are asked to open Terminal and paste a specific command.
The second campaign is somewhat different because instead of relying on a website, the criminals would create a ChatGPT conversation.
Each conversation with the tool has a unique identifier and can be shared with others using the “share” function. The criminals would create a conversation instructing users how to download “Mac system cleanup apps” and similar tools which, again, would trick victims into downloading the information stealer. They would then advertise that conversation on Google to improve its perceived legitimacy.
The third campaign described in the Sophos report poses as Apple’s legitimate site and offers a significantly evolved variant of the MacSync information stealer. Unlike previous campaigns, this one uses a multi-stage loader-as-a-service model, dynamic AppleScript payloads, and in-memory execution to maximize stealth and persistence.
“The prevailing view used to be that macOS had a lower risk of malware infection compared to Windows, due to a native set of security features that forced threat actors to adopt different, sometimes technically challenging techniques,” the researchers explained.
“That is no longer the case (and hasn’t been for some time, as we noted in September 2024). Mainstream malware now regularly affects macOS users, particularly when it comes to information stealers, which regularly make up a significant portion of all macOS detections we see in telemetry. We expect this region of the threat landscape to continue to evolve, and rapidly, but, as always, Sophos will evolve with it. We will continue to monitor new variants, update protection and information as appropriate, and publish research on this aspect of the threat landscape as data becomes available.”