New Mac Attack Triggers 83-Hour Password Entry Loop
Hot on the heels of reports that password-stealing malware known as CrashStealer was actively targeting macOS users comes yet more bad security news for fans of the Apple ecosystem. Not only does the newly reported ClickLock attack terminate running applications and security tools alike, but it also displays a malicious macOS password prompt that requires the correct system password, which will be extracted by the attackers, or it enters a password-only dialogue loop that lasts for 300,000 seconds. That’s 83 hours of only seeing a password entry screen on your Mac, even if you reboot. Or three and a half days if you prefer. The password-stealing pain only stops if the correct credentials are entered, with the attackers seemingly using this method in an attempt to wear down the victim.
That the user is the weakest link is something of a tired, overused security cliché, in my never-humble opinion, but in the case of ClickLock, it’s fairly accurate. At first glance, this looks like just another social engineering attack, employing the now-familiar ClickFix variant that tricks a user into cut-and-pasting commands into the macOS Terminal courtesy of a fake Cloudflare CAPTCHA verification prompt. Unlike previous such threats, ClickLock adopts something akin to a ransomware or extortion threat model to achieve its ultimate credential-stealing goal. Rather than demand a cryptocurrency payment, however, this attack uses a dialogue-fatigue model that makes the system unusable, grounding the victim’s gears until, the attacker hopes, they submit and enter a valid password in the login prompts that is all that is displayed for days on end, even surviving system reboots.
According to a newly published Group-IB threat intelligence report, the ClickLock stealer script was first observed on June 9, targeting “data from 8 browsers, 31 crypto wallet browser extensions, 7 password manager extensions, 8 desktop wallet applications,” and extracting “blockchain addresses across 6 chains, macOS Keychain, shell history and FTP credentials.” Despite the malware still being under active development, based upon an analysis of code structure and assorted artifacts, the researchers have noted attacks across 33 countries so far, and confirmed at least 100 victims.
As much as I hate to admit it, the attackers’ technique is actually very clever indeed. By very effectively making the target system unstable, with functionality impaired to the point that the computer is unusable, the victim is far more likely to enter their password when apparently legitimate login prompts are presented. Especially as the longer the attack continues, the more stressed that victim will become and so more at risk of complying with the malicious requests.
The mitigation is simple, and the Group-IB researchers have essentially said exactly the same as I have repeated time and time again: “Never paste commands into Terminal from websites, regardless of how the page looks or what it claims to verify.” Remember, no legitimate service requires this, whether that’s on a Windows or Mac!
