Atomic Stealer malware abuses macOS Script Editor in new ClickFix attack

A new campaign is delivering the Atomic Stealer malware to macOS users by exploiting the built-in Script Editor application. This method is a variation of the ClickFix attack, which previously tricked users into executing commands in Terminal. The malicious actors are using fake Apple-themed websites that pose as guides to help users reclaim disk space on their Mac computers, according to a recent report by Bleeping Computer.

The attackers leverage the applescript:// URL scheme to launch Script Editor with pre-filled malicious code. This code executes an obfuscated command that downloads and runs a script directly in system memory. The script then decodes a payload, downloads a binary, removes security attributes, makes it executable, and runs it. The final payload is Atomic Stealer (AMOS), a malware-as-a-service that targets sensitive data including Keychain information, browser cryptocurrency wallets, passwords, cookies, credit card details, and system information. AMOS has also been updated with a backdoor for persistent access.

Apple’s addition of Terminal warnings for ClickFix attacks is a step towards mitigation, but users should exercise extreme caution with prompts from Script Editor and rely on official sources for system troubleshooting to avoid such threats.

Source: Bleeping Computer
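For defenders who inspect web content at a proxy or mail gateway, the following added example (not from the Bleeping Computer report or from Apple) flags pages that carry applescript: links and decodes the script they would pre-fill into Script Editor. The `script` query parameter, the indicator list and the sample page are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Matches applescript: URLs in hrefs and inline JavaScript alike.
URL_RE = re.compile(r"applescript:[^\s\"'<>]+", re.IGNORECASE)

# Heuristic tokens (assumed list) hinting that the pre-filled script
# shells out to download, decode, strip attributes from, or run a file.
INDICATORS = ("do shell script", "curl", "base64", "xattr", "chmod")


def scan_page(page_source):
    """Return one finding per applescript: URL found in the page source."""
    findings = []
    for raw in URL_RE.findall(page_source):
        url = html.unescape(raw)  # turn &amp; back into & before parsing
        query = parse_qs(urlsplit(url).query)  # percent-decodes the values
        script = "\n".join(query.get("script", []))  # assumed parameter name
        hits = [t for t in INDICATORS if t in script.lower()]
        findings.append({"url": url, "script": script, "indicators": hits})
    return findings


# Constructed sample page: harmless scripts, no real campaign content.
SAMPLE_PAGE = """
<a href="https://support.apple.com/">Official support</a>
<a href="applescript://com.apple.scripteditor?action=new&amp;script=do%20shell%20script%20%22echo%20constructed-sample%22">Free up disk space</a>
<button onclick="location.href='applescript://com.apple.scripteditor?action=new&amp;script=display%20dialog%20%22hi%22'">Fix</button>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        verdict = "BLOCK" if finding["indicators"] else "REVIEW"
        print(verdict, finding["indicators"], repr(finding["script"]))
```

Any applescript: link on an ordinary web page is unusual enough to review; the indicator hits only raise the priority.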
