
ClickFix-Style macOS Attack Abuses Applescript:// URL Scheme to Deliver Infostealer Payload

Jamf Threat Labs, a team of Mac and mobile security experts, have identified a new ClickFix-style attack that ditches the typical Terminal-based execution entry point for such attacks.

While the usual ClickFix approach is to convince users to copy and paste malicious commands into Terminal under the guise of troubleshooting or routine system maintenance, this malware uses the macOS Script Editor as the execution point for its final payload. The campaign is invoked via a URL scheme.

The discovered variant uses a browser-triggered workflow to launch Script Editor. Users are shown an Apple-themed webpage that claims to help “reclaim disk space on your Mac” by following step-by-step instructions that appear consistent with legitimate system maintenance guidance. When the user clicks the provided “Execute” button, the page triggers the next stage of the workflow.

The key difference lies in how execution is initiated:

  • The page leverages an applescript:// URL scheme
  • Clicking the “Execute” button invokes this URL scheme from the browser
  • The browser prompts the user to allow Script Editor to open
  • Once opened, a pre-filled script is presented for execution

The approach reduces direct user interaction, as it doesn’t require the user to enter commands in Terminal.

Inspection of the underlying webpage reveals that this behavior is triggered via an embedded applescript:// URL scheme, which is used to launch Script Editor directly from the browser.
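As an added illustration (not Jamf's code and not the campaign page), the following scanner shows how a defender can inspect fetched HTML for this trigger: it collects applescript:// URLs from tag attributes and inline script, then decodes the script text each one would hand to Script Editor. The lure page and its embedded scripts are constructed placeholders, and the `applescript://com.apple.scripteditor?action=new&script=...` shape is assumed here as the Script Editor URL format.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed lure page (not the campaign's real page): a "reclaim disk space"
# help page whose Execute button is an applescript:// link, plus a JS fallback.
# The applescript://...?action=new&script=... layout is the assumed Script
# Editor URL format; both embedded scripts are harmless placeholders.
SAMPLE_HTML = """<html><body>
<h1>Reclaim disk space on your Mac</h1>
<p>Step 1: click Execute and allow Script Editor to open.</p>
<a href="https://support.example.test/storage">Learn more</a>
<a href="applescript://com.apple.scripteditor?action=new&amp;script=display%20dialog%20%22constructed%20sample%22">Execute</a>
<script>
  function fallback() { window.location = "applescript://com.apple.scripteditor?action=new&script=beep"; }
</script>
</body></html>"""

URL_ATTRS = {"href", "src", "action", "formaction", "data-url"}
# Require at least one character after "//" so a prose mention of the scheme is not flagged.
INLINE_RE = re.compile(r"applescript://[^'\"\s<>]+", re.IGNORECASE)


class AppleScriptLinkFinder(HTMLParser):
    """Collects applescript:// URLs from tag attributes and from inline text/script bodies."""

    def __init__(self):
        super().__init__()
        self.urls = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser already unescapes &amp; inside attribute values
            if name in URL_ATTRS and value and urlsplit(value.strip()).scheme.lower() == "applescript":
                self.urls.add(value.strip())

    def handle_data(self, data):  # <script> bodies and visible text both arrive here
        self.urls.update(m.group(0) for m in INLINE_RE.finditer(data))


def embedded_script(url):
    """Decode the AppleScript carried in the URL's `script` query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("script", [""])[0]


def scan_page(html):
    """Return [(url, decoded_script)] for every applescript:// URL found; an empty list means clean."""
    finder = AppleScriptLinkFinder()
    finder.feed(html)
    return [(u, embedded_script(u)) for u in sorted(finder.urls)]


if __name__ == "__main__":
    for url, script in scan_page(SAMPLE_HTML):
        print(f"FLAG {url}\n     script: {script!r}")
```

The same `scan_page` call can be pointed at HTML captured by a proxy or a URL-scanning sandbox; any non-empty result is worth a look, since a legitimate maintenance page has no reason to open Script Editor.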

For more information about the attack, read the Jamf Threat Labs blog entry here.