Guavy AI Editorial Team

Mac Users Warned of Malicious Troubleshooting Guides Spreading Malware

Researchers have discovered a series of fake macOS troubleshooting guides posted on Medium, Craft, and Squarespace that install malware targeting sensitive data.

The campaign uses a technique called ClickFix, which involves users running Terminal commands to download and execute malicious code. This method bypasses macOS Gatekeeper's security checks, allowing the malware to infect devices without being detected.

Microsoft's Defender Security Research Team has identified three malware families involved in the attacks: AMOS, Macsync, and SHub Stealer. These families harvest sensitive data, including iCloud and Telegram account information, private documents and photos, and crypto wallet keys from Exodus, Ledger, and Trezor.

The malware also seeks to extract saved usernames and passwords from Chrome and Firefox browsers. In some cases, attackers have been found to delete legitimate crypto wallet apps and replace them with trojanized versions designed to monitor transactions and steal funds.