ClickLock: The New Era of Forced Password Harvesting
A new macOS malware, ClickLock, isn’t interested in exploiting zero-days; it targets the human element. This threat forces users to willingly reveal their system login passwords through sophisticated social engineering loops.
Researchers at Group-IB uncovered how this malware operates, demonstrating that even seemingly secure operating systems remain vulnerable when user interaction is weaponized against them.
The Coercion Mechanism
ClickLock bypasses traditional exploit detection by relying entirely on forcing the victim to act. It doesn’t need complex vulnerabilities; it just needs a convincing prompt.
The attack begins with a lure, often mimicking legitimate services like Cloudflare verification. This triggers a fake progress bar in the Terminal, masking the malicious activity.
Forcing Interaction
The malware achieves its goal by manipulating system processes directly. It disables keyboard interrupts and hides the terminal cursor to prevent any user intervention.
The core mechanism involves a relentless termination loop. ClickLock repeatedly terminates key applications—Finder, Dock, Terminal, and System Settings—every 210 milliseconds. This forces the user into a cycle where the only way forward is to comply with a fake password dialog.
This coercive loop can last for hours, or even days, depending on persistence settings. It functions by presenting a system prompt that looks real, tricking the victim into inputting their macOS credentials directly to the malware before the system recovers.
Massive Data Exfiltration
Once the initial credentials are obtained, ClickLock shifts immediately to mass data harvesting. The threat is not just credential theft; it’s a deep dive into the user’s digital life.
What Gets Stolen
- Authentication Data: Login credentials and macOS authentication tokens.
- Credential Vaults: Saved passwords, cookies, autofill data, and password-manager extensions from browsers like Chrome, Firefox, and Edge.
- Crypto Assets: Cryptocurrency wallet extensions, desktop wallets, and cached addresses across major chains (Bitcoin, Solana, Stacks).
- System Intel: Shell histories, FileZilla FTP configurations, and the public IP address.
The harvested data is packaged into ZIP archives and exfiltrated via Telegram Bot API. This volume of stolen information—including encrypted vault material—makes recovery exponentially harder for the victim.
Persistence and Evasion
The malware ensures long-term access through a multi-layered persistence strategy. While many modules self-delete after execution, one component is designed to haunt the system.
The Backdoor
The GSocket module acts as the persistent backdoor. Unlike other components that vanish, this module establishes communication via a relay, allowing attackers to open reverse shells and gain remote control over the infected machine.
Persistence is maintained through multiple methods:
- LaunchAgents: Two malicious LaunchAgents are deployed to ensure re-execution upon every system login.
- Shell Modification: Changes to shell configuration files lock in access at a deeper level.
The Takeaway
ClickLock exposes a dangerous reality: the weakest link in system security isn’t often a complex zero-day exploit, but the user’s willingness to engage with a convincing prompt.
Security teams must shift focus from merely detecting known exploits to monitoring behavioral anomalies—such as rapid process termination and unusual API calls—that signal this type of social engineering attack is underway. If you see a request to open the Terminal or enter credentials under pressure, treat it as an immediate compromise.