ClickLock Stealer kills processes to steal data on macOS

Group-IB found ClickLock Stealer tricks macOS users into running a Terminal command, then kills processes and forces password and Keychain prompts to steal browsers, wallets and credentials.

Group-IB researchers discovered a new macOS malware strain called ClickLock Stealer in early June; their analysis indicates the threat was active since at least late May. The firm identified at least 100 targets across 33 countries, with more than half of victims located in Europe.

Victims were directed to a fake verification page modeled on a Cloudflare check. The page instructed users to copy and paste a bash command into macOS Terminal. Executing that command downloads an orchestrator script that in turn fetches four additional scripts.

The orchestrator retrieves a credential stealer, a cryptocurrency stealer, a Keychain stealer and a backdoor installer. The credential, crypto and Keychain modules harvest data and then remove themselves; the backdoor remains on the compromised machine. Group-IB’s analysis shows the stolen files and records are packaged into an archive and sent to a Telegram bot controlled by the operators.

ClickLock relies on social engineering rather than exploiting software flaws. Because victims run the initial command with their own privileges, the campaign does not require privilege escalation. To force user interaction and work around macOS protections, the malware uses repeated process-killing loops and displays fake password dialogs while terminating other applications.

“A background loop also starts killing macOS NotificationCenter continuously for approximately ~6 hours, suppressing any Gatekeeper or security warnings that might alert the victim,” Group-IB wrote. Other components repeatedly terminate applications that could be used to analyze or interrupt the attack, and the credential module keeps a password prompt open in a long loop while killing other apps to pressure the user to enter credentials.

When the malware queries the macOS Keychain for the Chrome Safe Storage encryption key, the system prompts the user to authorize access. ClickLock then kills processes until the user grants Keychain access, allowing the malware to decrypt and harvest saved browser passwords. The campaign also targets password manager extensions, cryptocurrency wallets and wallet extensions, blockchain addresses from six chains, FTP credentials and shell history.

Group-IB could not definitively determine the initial distribution method but noted search engine poisoning, social media posts or compromised websites as likely vectors. The report states the actors use Telegram as their data-receiving channel.

Articles by this author

No related articles found.