Accueil / Apps & Logiciels / Apple @ Work: New macOS ClickFix malware brings a new potential backdoor to your enterprise fleet

Apple @ Work: New macOS ClickFix malware brings a new potential backdoor to your enterprise fleet

Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional grade platform all the solutions necessary to seamlessly and automatically deploy, manage, and protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

While macOS is inherently secure by design, hackers/scammers are increasingly relying on social engineering to bypass native protections. A new report published by Netskope Threat Labs details a new and highly sophisticated macOS ClickFix campaign. This attack tricks people into deploying an AppleScript-based information stealer and a persistent remote access trojan.

About Apple @ Work: Bradley Chambers has been an Apple IT admin since 2009. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise grade WiFi, 1000s of Macs, and 1000s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, share stories from the trenches of IT management, and ways Apple could improve its products for IT departments.

The new macOS ClickFix campaign relies on a classic social engineering framework. Users are directed to compromised or attacker-controlled websites that mimic legitimate services (this is why services like BrandShield are becoming a must have). Netskope found fake macOS optimization utility pages, fake GitHub repos, and even localized IT support pages. These sites instruct end users to manually copy and paste a specific command into the macOS Terminal.

On top of that, the even worse behavior is how it handles desktop crypto wallets. The malware targets 25 different desktop wallets. It actively kills the legitimate running app, overwrites the core application bundle with a trojanized version, and forces an ad hoc code signature. This restores a structurally valid signature, allowing the newly modified app to launch without triggering macOS Gatekeeper warnings. If you have any substantial holdings of any crypto, please do not use a single-sig wallets for reasons like this.

To establish long term access, the payload installs a background configuration file disguised as an Apple system account process called com.apple.accountsd. This process polls the command-and-control server every minute. This allows the attacker to maintain a constant beaconing loop and remotely execute arbitrary code on the infected Mac at any time.

This campaign is a perfect illustration of how far a purely scripted macOS payload can reach. The attackers are not using zero-day vulnerabilities or complex kernel exploits. They are simply using the native macOS toolchain against the user.

For IT departments, this highlights the critical need for continuous security training. Users must be taught never to paste unknown commands into Terminal, no matter how legitimate the website appears to be. You could argue that blocking access to Terminal on enterprise Macs may become the default for many roles.

Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional grade platform all the solutions necessary to seamlessly and automatically deploy, manage, and protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

Apple @ Work is a 9to5Mac series where Bradley C…

Bradley has worked at K-12 independent schools for much of the last 20 years, serving as the head of the information technology department and leading classroom technology integration. He’s well-versed in enterprise Wi-Fi, macOS and iOS system management, school technology, and SaaS tools.

Upgrade your home security with wireless cameras that includes HomeKit compatibility.

Abode is the best home security system and includes compatibility with HomeKit.

Origine de l’article : lire l’article original
Traduction