A newly discovered macOS infostealer employs a uniquely aggressive tactic to steal credentials: it crashes every open application on a victim's system in a rapid, relentless loop until they provide their login password.
According to an analysis from The Hacker News, the malware, dubbed "ClickLock Stealer," eschews complex exploits for a direct psychological attack. Its success depends entirely on the user being socially engineered into the first step.
The attack begins with a familiar lure. A victim is tricked into copying and pasting a command into the Terminal. Once executed, the malware displays a fake system dialog requesting the user's password for a purported routine task. If the user clicks "Cancel," the coercion begins.
In response to the refusal, ClickLock initiates a destructive loop, terminating user applications every 210 milliseconds. This rapid-fire assault creates an immediate usability crisis, hijacking the desktop experience and making normal work impossible. The tactic is designed to exhaust and frustrate the user into complying with the password prompt to stop the disruption.
If the victim cancels the initial prompt, the malware quickly installs two persistent LaunchAgents and exits quietly. Its full payload activates on the next login, where it disables critical system utilities including Finder, the Dock, Spotlight, Terminal, and Activity Monitor. This cripples the system's core management and diagnostic capabilities, complicating remediation.
This approach marks a notable evolution in macOS threats. While traditional infostealers focus on silent data exfiltration and ransomware on encryption, ClickLock introduces a usability-denial model. It blurs the line between a disruptive denial-of-service attack and a social engineering ploy, placing human psychology at the center of its operation.
The incident underscores the growing sophistication of threats targeting macOS as its market share expands. It is a stark reminder that built-in security features like Gatekeeper cannot protect a system when a user is socially engineered into willingly executing malicious code. The malware's success hinges entirely on this initial trick.
For defenders, ClickLock poses new challenges. Standard on-device investigation tools are disabled by the malware, making remediation difficult. While the distinctive, rapid process termination signature could potentially be detected by endpoint tools, the primary defense remains proactive user education.
The attack reinforces that security is a human problem as much as a technical one. Organizations must train users to reject unsolicited requests to execute Terminal commands, emphasizing that legitimate system processes never ask for a password via a pasted command. For Mac users, the lesson is clear: an attacker's most powerful tool may be their own frustration.
新發現的macOS竊密軟件採用一種獨特且激進的策略來竊取登入憑證:它在受害者的系統上以快速、無休止的循環方式崩潰每一個已開啟的應用程式,直至用戶提供其登入密碼。
根據 The Hacker News 的分析,這款被命名為「ClickLock Stealer」的惡意軟件摒棄了複雜的漏洞利用,轉而進行直接的心理攻擊。其成功與否完全取決於用戶是否被社會工程攻擊所引導,執行了第一步操作。
攻擊始於一個常見的誘餌。受害者被誘騙在終端機(Terminal)中複製並貼上一段指令。一旦執行,該惡意軟件會顯示一個偽造的系統對話框,聲稱為了某項常規任務需要用戶輸入密碼。如果用戶點擊「取消」,逼迫過程隨即開始。
作為對拒絕的回應,ClickLock 啟動了一個破壞性的循環,每隔210毫秒終止一次用戶應用程式。這種快速連發的攻擊立即引發了可用性危機,劫持了桌面體驗,使正常工作無法進行。該策略旨在耗盡用戶的耐心並使其感到沮喪,從而屈服於密碼提示以停止干擾。
如果受害者取消了初始提示,該惡意軟件會迅速安裝兩個常駐的 LaunchAgents,然後安靜地退出。其完整的惡意載荷將在下次登入時啟用,屆時它會禁用包括 Finder、Dock、Spotlight、終端機和活動監視器(Activity Monitor)在內的關鍵系統實用程式。這癱瘓了系統的核心管理和診斷能力,使修復工作變得複雜。
這種方法標誌著macOS威脅的一個顯著演變。傳統的竊密軟件專注於靜默的數據外洩,而勒索軟件則著重於加密,ClickLock 則引入了一種「可用性拒絕」模型。它模糊了擾斷性拒絕服務攻擊與社會工程詭計之間的界線,將人類心理置於其運作的核心。
這起事件凸顯了隨著macOS市場份額擴大,針對該系統的威脅日益複雜。它是一個明確的提醒:當用戶被社會工程攻擊所引導,自願執行惡意代碼時,像 Gatekeeper 這樣的內建安全功能無法保護系統。該惡意軟件的成功完全取決於這一初始騙局。
對於防禦者而言,ClickLock 帶來了新的挑戰。標準的本地調查工具會被該惡意軟件禁用,使得修復工作異常困難。儘管其獨特的、快速的程序終止特徵可能被端點工具偵測到,但主要的防禦措施仍然是主動的用戶教育。
這起攻擊再次強調,安全問題既是技術問題,也是人為問題。組織必須訓練用戶拒絕執行未經請求的終端機指令,並強調合法的系統程序從不會要求用戶透過貼上的指令來輸入密碼。對於Mac用戶來說,教訓很明確:攻擊者最強大的工具可能就是用戶自己的挫敗感。
