208. Hunting for ClickFix on macOS
Hello everyone!
Do you think the ClickFix technique is used only to attack Windows-based systems? It's not true. Adversaries also use it to attack macOS!
Hunt.io shared a report on a recent phishing campaign targeting macOS users. The adversary leveraged a fake CAPTCHA to trick victims into running Terminal commands.
According to the report, the pasted command typically starts with:
echo 'BASE64_ENCODED_PAYLOAD' | base64 -d | bash
So, we can use it to build a query for our hunting mission:
event_type: "processcreatemac"
AND
cmdline: ("echo" AND "base64" AND "bash")
The command runs a hidden script that can steal crypto wallets, cookies, and sensitive files.
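To show the hunt logic from the query above running over telemetry, here is an added Python example (it is not code from the post or from Hunt.io). It assumes process-creation events are dicts with the same `event_type` and `cmdline` fields the query uses, and the sample events are constructed, not real data. It goes slightly beyond the query: besides matching the three tokens, it pulls the base64 blob out of an `echo '...' | base64 -d | bash` chain (also accepting the `-D`/`--decode` spellings) and decodes it so an analyst can read what would have run.

```python
import base64
import re

# Constructed sample events (not real telemetry). The first mirrors the
# command shape quoted in the post; its blob decodes to a harmless string.
SAMPLE_EVENTS = [
    {"event_type": "processcreatemac", "host": "mac-01",
     "cmdline": "echo 'ZWNobyBoZWxsbw==' | base64 -d | bash"},
    {"event_type": "processcreatemac", "host": "mac-02",
     "cmdline": "/usr/bin/base64 --decode /tmp/blob.txt"},
    {"event_type": "processcreatemac", "host": "mac-03",
     "cmdline": "bash -c 'echo done'"},
    {"event_type": "processcreatewin", "host": "win-01",
     "cmdline": "cmd.exe /c echo hi | base64 | bash"},
]

# Same three tokens as the hunting query in the post.
REQUIRED_TOKENS = ("echo", "base64", "bash")

# Shape of the echo | base64 -d | shell chain; the capture group is the blob.
PIPE_PATTERN = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\|\s*base64\s+"
    r"(?:-d|-D|--decode)\s*\|\s*(?:bash|sh|zsh)"
)


def matches_hunt(event):
    """Equivalent of the post's query: a macOS process-creation event whose
    command line contains all three tokens (case-insensitive)."""
    if event.get("event_type") != "processcreatemac":
        return False
    cmd = event.get("cmdline", "").lower()
    return all(tok in cmd for tok in REQUIRED_TOKENS)


def extract_payload(cmdline):
    """Triage helper: return the decoded base64 blob from an
    echo | base64 -d | shell chain, or None if the command does not have
    that shape or the blob is not valid base64."""
    m = PIPE_PATTERN.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", errors="replace")


def hunt(events):
    """Run the hunt over a list of events and return one record per hit,
    with the decoded payload attached when it could be extracted."""
    hits = []
    for ev in events:
        if matches_hunt(ev):
            hits.append({
                "host": ev.get("host"),
                "cmdline": ev["cmdline"],
                "decoded": extract_payload(ev["cmdline"]),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['cmdline']}")
        print(f"  decoded: {hit['decoded']!r}")
```

Only the first sample event fires: the second lacks `echo` and `bash`, the third lacks `base64`, and the fourth is a Windows event. The decoded payload is what you would pivot on next (file paths, URLs, wallet or cookie locations), which is why the example keeps it next to the raw command line.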
See you tomorrow!