Full Report
You're browsing a legitimate small business website. Before the page loads, a familiar Cloudflare box appears: "Verify you are human." It asks you to open Terminal, paste a code, and press Enter. You've seen this before. You follow the steps. The page loads normally.
Analysis Summary
# Tool/Technique: ClickFix (macOS Variant)
## Overview
ClickFix is a sophisticated social engineering technique that uses fake CAPTCHA or "browser verification" prompts to trick users into executing malicious commands. This specific macOS-focused campaign leverages compromised WordPress sites and uses the Polygon blockchain for resilient Command and Control (C2) infrastructure. The ultimate goal is to deploy an infostealer that exfiltrates sensitive browser and system data.
## Technical Details
- **Type:** Technique (Social Engineering) / Malware (Infostealer)
- **Platform:** macOS (also targets Windows and Linux)
- **Capabilities:** Blockchain-based C2 resolution, Clipboard hijacking, Browser data theft (passwords, cookies), Keychain exfiltration, SSH key theft.
- **First Seen:** July 2024 (indicated in context of similar reported campaigns)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- **[T1189 - Drive-by Compromise]**: Compromising legitimate WordPress sites to host malicious scripts.
- **[TA0002 - Execution]**
- **[T1059.006 - Command and Scripting Interpreter: Python]**: Execution of the three-stage infostealer payload.
- **[T1204.002 - User Execution: Malicious File]**: Tricking the user into pasting commands into the Terminal.
- **[TA0005 - Defense Evasion]**
- **[T1564.010 - Hide Artifacts: Infrastructure Obfuscation]**: Using Polygon blockchain smart contracts to hide C2 URLs.
- **[T1132 - Data Encoding]**: Obfuscating payloads within the script.
- **[TA0009 - Collection]**
- **[T1539 - Steal Web Session Cookie]**
- **[T1555.001 - Credentials from Password Stores: Keychain]**
- **[TA0010 - Exfiltration]**
- **[T1041 - Exfiltration Over C2 Channel]**
## Functionality
### Core Capabilities
- **Browser Verification Overlay:** Injects a full-screen iframe (z-index: 2147483647) with a fake Cloudflare-style "Verify you are human" box.
- **Clipboard Manipulation:** Uses the `allow="clipboard-write"` iframe attribute to automatically copy a malicious Terminal command to the victim's clipboard without a prompt.
- **Social Engineering:** Instructs macOS users to open Terminal (⌘ + Space) and paste the command to "verify" themselves.
- **Three-Stage Infection:**
1. Command downloads a base64-encoded Python script.
2. The script decodes and executes a second-stage downloader.
3. The final stage deploys a modular infostealer targeting browser profiles and sensitive files.
### Advanced Features
- **Blockchain C2 Resolution (EtherHiding):** The script queries a Polygon smart contract (0x08207B087F61d7e95E441E15fd6d40BEfd6eD308) via Public RPC endpoints to resolve the actual C2 domain, making the infrastructure resistant to takedowns.
- **Anti-Replay Mechanism:** Sets cookies (`_cf_verified`, `_wp_perf_ok`) with a 90-day expiry once the CAPTCHA is "completed" to avoid re-triggering the overlay and alerting the user.
## Indicators of Compromise
- **File Names:** `/tmp/osalogging.zip` (Staging area for exfiltration data)
- **Network Indicators:**
- `superstarlog[.]click`
- `superboomer[.]world`
- Polygon Smart Contract: `0x08207B087F61d7e95E441E15fd6d40BEfd6eD308`
- **Behavioral Indicators:**
- Spawning of Terminal/Shell processes leading to unexpected Python network connections.
- Unexpected reads of `~/Library/Keychains/` and `~/Library/Application Support/Google/Chrome/`.
- Massive iframe injections on non-malicious business websites.
## Associated Threat Actors
- Unknown (Campaigns are typically operated via Malware-as-a-Service (MaaS) models).
## Detection Methods
- **Behavioral Detection:** Monitoring for `Terminal.app` or `PowerShell.exe` activity that involves piping strings from the clipboard directly into a shell interpreter.
- **Network Detection:** Inspecting traffic for requests to public blockchain RPC nodes (e.g., Cloudflare-eth.com, Polygon-rpc.com) originating from standard web browsers.
- **Web Content Inspection:** Scanning for iframes with extremely high z-index values and the `allow="clipboard-write"` permission.
## Mitigation Strategies
- **User Awareness:** Train employees never to paste or execute commands into Terminal/Command Prompt from a website, regardless of how legitimate the request appears.
- **Content Security Policy (CSP):** Website owners should implement strict CSP headers to prevent unauthorized iframes and external script execution.
- **Endpoint Protection:** Use EDR/AV solutions that can detect and block scripts accessing sensitive directories like `Keychains` or browser profile folders.
## Related Tools/Techniques
- **EtherHiding:** The broader technique of using blockchain contracts to host malicious URLs.
- **ClearFake:** A similar social engineering framework that uses fake browser update prompts.
- **LUMMA Stealer:** Often delivered via similar "fake fix" social engineering templates.