New ClickLock macOS malware traps users into revealing login password
Key Points:
- A new macOS malware named ClickLock uses social engineering to coerce users into entering their system login password by terminating visible processes and displaying fake password dialogs, aiming to steal cryptocurrency assets, login credentials, browser data, and macOS authentication information.
- ClickLock infects systems through a fake Cloudflare human verification prompt triggered by a malicious Terminal command, disables keyboard interrupts and notifications, and has infected at least 100 systems across 33 countries since May.
- The malware establishes persistence via two LaunchAgents that repeatedly terminate key macOS apps and force password entry or Keychain authorization, enabling theft of encrypted passwords, cookies, autofill data, cryptocurrency wallets, and other sensitive information.
- Collected data is packaged and exfiltrated to attackers via the Telegram Bot API, while a modified GSocket backdoor provides ongoing remote access through multiple persistence mechanisms, including LaunchAgents and crontab entries.
- Group-IB warns users to avoid executing unknown Terminal commands, especially from websites, and recommends forcing system shutdown and booting into Safe Mode if prompted for a password when the system is unresponsive, as ClickLock evades detection by self-deleting and using compromised legitimate domains.