A new social engineering campaign targeting macOS users employs fake browser update prompts to distribute information-stealing malware through Terminal commands. The attack, known as ClickFix, tricks victims into executing malicious commands that silently download and install malware from disk image files.
The ClickFix technique has previously targeted Windows users but has now been adapted for macOS systems. Attackers display convincing fake error messages or update notifications on compromised or malicious websites, instructing users to resolve the supposed issue by copying and pasting commands into Terminal. These commands appear legitimate but actually initiate a chain of malicious actions.
When executed, the Terminal commands automatically download malicious DMG files, mount them on the system, and launch the contained infostealer malware without triggering standard macOS security warnings. The attack bypasses typical user awareness by disguising the malicious activity as a routine troubleshooting step. The commands are crafted to execute silently, giving victims no indication that malware is being installed on their systems.
This campaign poses significant risks to macOS users who may believe their systems are inherently more secure than Windows machines. Information-stealing malware can capture sensitive data including passwords, browser cookies, cryptocurrency wallet credentials, and other personal information stored on the infected system. The social engineering approach proves particularly effective because it relies on user action rather than exploiting technical vulnerabilities.
Security professionals should educate users never to paste commands from websites into Terminal, regardless of how legitimate the prompt appears. Software updates should only be performed through official system preferences or directly from verified vendor websites. Organizations should implement security awareness training that specifically addresses social engineering tactics and consider deploying endpoint detection solutions that monitor for suspicious Terminal activity and unauthorized DMG file executions.
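The endpoint monitoring recommended above can be written as a correlation rule: flag a process tree rooted in Terminal that downloads a DMG, mounts it, and then runs something from the mounted volume within a short window. The Python below is an added example, not code from the article or from any vendor; the event schema, the 120-second window, the tools watched (curl, wget, hdiutil) and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from os.path import basename

WINDOW = timedelta(seconds=120)   # assumed correlation window
DOWNLOADERS = {"curl", "wget"}    # assumed download tools to watch
ORDER = ["download", "mount", "run"]

# Constructed events: (time, pid, ppid, parent name, executable, args).
# The schema is an assumption, not the output format of any real product.
EVENTS = [
    ("2025-01-10T09:00:00", 500, 400, "Terminal", "/bin/zsh", []),
    ("2025-01-10T09:00:02", 501, 500, "zsh", "/usr/bin/curl",
     ["-o", "/tmp/update.dmg", "https://cdn.example.invalid/update.dmg"]),
    ("2025-01-10T09:00:05", 502, 500, "zsh", "/usr/bin/hdiutil", ["attach", "/tmp/update.dmg"]),
    ("2025-01-10T09:00:07", 503, 500, "zsh", "/Volumes/Update/Update.app/Contents/MacOS/Update", []),
    # Benign: a download from Terminal that is never mounted or run.
    ("2025-01-10T10:00:00", 600, 400, "Terminal", "/bin/zsh", []),
    ("2025-01-10T10:00:03", 601, 600, "zsh", "/usr/bin/curl", ["-O", "https://vendor.example.invalid/tool.dmg"]),
    # Benign: a mount that does not descend from Terminal.
    ("2025-01-10T11:00:00", 700, 1, "Finder", "/usr/bin/hdiutil", ["attach", "/Users/a/Downloads/app.dmg"]),
]

def stage(exe, args):
    """Map one process execution to a step of the chain, or None."""
    name = basename(exe)
    if name == "hdiutil" and "attach" in args:
        return "mount"
    if name in DOWNLOADERS and any(a.lower().endswith(".dmg") for a in args):
        return "download"
    if exe.startswith("/Volumes/") or any(a.startswith("/Volumes/") for a in args):
        return "run"
    return None

def detect(events):
    """Return one alert per Terminal-rooted tree that downloads, mounts, then runs."""
    root_of, progress, alerts = {}, {}, []   # pid -> root shell pid; root -> step times
    for ts, pid, ppid, parent, exe, args in sorted(events, key=lambda e: e[0]):
        if parent == "Terminal":
            root_of[pid] = pid
        elif ppid in root_of:
            root_of[pid] = root_of[ppid]
        else:
            continue                          # outside any Terminal session
        seen = progress.setdefault(root_of[pid], [])
        step = stage(exe, args)
        if step == "download":
            seen[:] = [datetime.fromisoformat(ts)]    # (re)start the chain
        elif seen and len(seen) < 3 and step == ORDER[len(seen)]:
            seen.append(datetime.fromisoformat(ts))
        if len(seen) == 3:
            if seen[2] - seen[0] <= WINDOW:
                alerts.append({"root_pid": root_of[pid], "seconds": (seen[2] - seen[0]).total_seconds()})
            seen.clear()
    return alerts
```

Requiring all three steps in order inside one Terminal session is what keeps an ordinary download or a Finder-initiated mount from alerting; production telemetry would also need to account for PID reuse.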
Source: https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/


