Akshat200008/macOS-ClickFix-Malware-Analysis
GitHub: Akshat200008/macOS-ClickFix-Malware-Analysis
Stars: 0 | Forks: 0
# 🕵️♂️ End-to-End Digital Forensics Report: macOS Infostealer Analysis
## 📖 Executive Summary
**NOTE**: All of the research and study was done with the help of an AI chatbot (Gemini), but most of the effort is my own; I used the chatbot to double-check my work and to explain terms I was not aware of.
## 🛠️ Project Environment & Methodology
* **Analysis Tool:** Wireshark v4.x
* **Analysis Environment:** macOS
* **Investigation Scope:** Complete lifecycle analysis from initial web request to data exfiltration and Command and Control (C2) beaconing.
## 📅 Project Phase Breakdown
### Phase 1: Data Acquisition
To ensure safety and access to realistic threat behavior, a public malware packet capture was acquired for analysis. This was done because the chances of a real threat actor attacking my Mac are very low, and waiting for one would be very time-consuming, which is why I chose to work with resources available online.
1. **Source Website:** `Malware-Traffic-Analysis.net`
   *Screenshot source: malware-traffic-analysis.net*
2. **Exercise Selected:** *GOOGLE AD FOR CLAUDE LEADS TO MACOS MALWARE INFECTION*
3. **Download Process:**
   * Downloaded the password-protected archive file: `2026-05-11-macOS-malware-infection-traffic.pcap.zip`
   * Extracted the archive using the site's standard password for malware samples: `infected`
4. **Environment Initialization:** Opened the extracted `.pcap` file in Wireshark to begin packet decoding.
While performing these steps I was very scared, as this is my first project and I had never worked with malware before; these files might contain traces of malware that could put my data at risk, and on top of that I was doing all of this on my primary device rather than in a VM, which made me even more cautious about it.

⚠️ **NOTE**: While working with these types of files, be mindful and cautious, as they might contain bits of malicious code.
### Phase 2: High-Level Triage
Before conducting a packet-by-packet analysis, a macro-level triage was performed to evaluate the traffic composition and locate anomalies. The display filter used was:

```
http.request or tls.handshake.type == 1
```

This filter tells Wireshark: "Only show me the packets where the computer is asking to look at a website, whether it is an insecure HTTP site (a plain-text HTTP request) or a secure HTTPS site (a TLS Client Hello)."
* **Protocol Hierarchy Tool (`Statistics > Protocol Hierarchy`):** Analyzed the baseline distribution of protocols. A significant amount of unencrypted plain-text Hypertext Transfer Protocol (HTTP) traffic was flagged for closer inspection, which is highly unusual for normal modern web browsing.
* **Network Conversations Tool (`Statistics > Conversations`):** Sorted network traffic by volume and frequency. Identified two primary external IP addresses interacting heavily with the internal victim machine (`10.5.11.101`):
  * `165.245.215.18`
  * `94.232.249.129`
### Phase 3: Deep-Dive Analysis & Technical Findings
Using custom Wireshark display filters, the traffic streams were isolated to reconstruct the timeline of the compromise.
#### 1. The Infection Vector (ClickFix execution)
Filtering for plain-text requests with the filter below exposed the mechanics of the payload deployment:

```
http.request
```

By inspecting the raw packet bytes of the initial connections, the User-Agent string was examined. Instead of a standard web browser (such as Safari or Chrome), the request was initiated by:

```
User-Agent: curl /8.7.1
```

This was found in the `Info` column of packet 19335.

`curl` is a command-line tool run from the macOS Terminal. This shows that the traffic was generated by a command or script running in the Terminal rather than by a browser, perfectly matching the **"ClickFix"** trick, where the victim is fooled into pasting a malicious command!
#### 2. Live Data Exfiltration
The infostealer actively harvested and transmitted local host data directly to the attacker. The malicious script transmitted raw data to `165.245.215.18` utilizing unencrypted HTTP `POST` requests.
The cleartext parameters captured in the `Info` column explicitly map out the modular data theft stages:
* `stage=boot` (host profiling)
* `stage=init_session` (session establishment)
* `stage=messengers` (targeting locally saved chat data)
* `stage=credentials` (targeting system passwords and Keychain files)
* `stage=browsers` (targeting saved autofills, cookies, and history)
* `stage=wallets` (targeting local cryptocurrency wallet extensions)
#### 3. Command and Control (C2) Beaconing
Following the data exfiltration, the infected machine established a continuous beaconing connection to a secondary C2 server at `94.232.249.129`, utilizing repeated HTTP `GET` requests to `/api/tasks/...` to request further malicious instructions.
## 🚨 Indicators of Compromise (IoCs)
The following forensic artifacts were extracted from the packet capture and can be used to build detection rules (SIEM/Firewall) to identify this threat across an enterprise network:
| Artifact Type | Value / Indicator | Context |
| :--- | :--- | :--- |
| **Victim IP** | `10.5.11.101` | Compromised macOS Client |
| **Malicious Destination IP** | `165.245.215.18` | Data Exfiltration End-Point |
| **Malicious Destination IP** | `94.232.249.129` | Command & Control (C2) Server |
| **Observed User-Agent** | `curl /8.7.1` | Non-browser terminal activity |
| **Malicious URI Patterns** | `/api/metrics/run?event=*&stage=*` | Infostealer staging traffic |
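The following script is an added example, not part of this repository or the capture: it turns the indicators in the table above (and the Phase 3 findings) into detection logic and runs it over a few constructed HTTP request log lines. The log format (`<epoch> <src> <dst> <method> <uri> "<user-agent>"`), the `/api/tasks/next` path, the benign `203.0.113.10` destination and the 30-second beacon interval are all assumptions made for the example; the IoC values themselves come from the report.

```python
"""Added example: match the report's IoCs against HTTP request log lines and
flag periodic C2 polling. The log format below is constructed for this example."""
import re
import statistics
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# IoCs taken from the report's table.
MALICIOUS_IPS = {
    "165.245.215.18": "exfiltration endpoint",
    "94.232.249.129": "C2 server",
}
# The report records the User-Agent as "curl /8.7.1" (with a space); matching the
# leading "curl" token covers that as well as the usual "curl/x.y.z" form.
NON_BROWSER_UA = re.compile(r"^curl\b", re.IGNORECASE)
STAGING_PATH = "/api/metrics/run"        # /api/metrics/run?event=*&stage=*
TASKS_PREFIX = "/api/tasks/"             # C2 tasking GETs
KNOWN_STAGES = {"boot", "init_session", "messengers", "credentials", "browsers", "wallets"}

# Assumed log line shape: <epoch_seconds> <src_ip> <dst_ip> <method> <uri> "<user-agent>"
LINE_RE = re.compile(r'^(\d+(?:\.\d+)?) (\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, method, uri, ua = m.groups()
    return {"ts": float(ts), "src": src, "dst": dst, "method": method, "uri": uri, "ua": ua}


def match_iocs(rec):
    """Return the list of reasons this request matches the report's indicators."""
    hits = []
    if rec["dst"] in MALICIOUS_IPS:
        hits.append(f"dst {rec['dst']} is known {MALICIOUS_IPS[rec['dst']]}")
    if NON_BROWSER_UA.search(rec["ua"]):
        hits.append(f"non-browser User-Agent {rec['ua']!r}")
    parsed = urlparse(rec["uri"])
    qs = parse_qs(parsed.query)
    if parsed.path == STAGING_PATH and "event" in qs and "stage" in qs:
        stage = qs["stage"][0]
        tag = "known" if stage in KNOWN_STAGES else "unknown"
        hits.append(f"infostealer staging URI, stage={stage} ({tag})")
    if parsed.path.startswith(TASKS_PREFIX):
        hits.append("C2 tasking URI")
    return hits


def detect_beaconing(records, path_prefix=TASKS_PREFIX, min_requests=4, max_jitter=0.2):
    """Group GETs to path_prefix by (src, dst); flag pairs whose request gaps are
    regular (standard deviation within max_jitter of the mean gap). Returns
    {(src, dst): mean_gap_seconds}."""
    by_pair = defaultdict(list)
    for r in records:
        if r["method"] == "GET" and r["uri"].startswith(path_prefix):
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[pair] = round(mean, 1)
    return flagged


# Constructed sample log: one benign Safari request, two staging POSTs, four tasking GETs.
SAMPLE_LOG = """\
1000 10.5.11.101 203.0.113.10 GET /index.html "Mozilla/5.0 (Macintosh) Safari/605.1.15"
1001 10.5.11.101 165.245.215.18 POST /api/metrics/run?event=start&stage=boot "curl /8.7.1"
1002 10.5.11.101 165.245.215.18 POST /api/metrics/run?event=start&stage=credentials "curl /8.7.1"
1010 10.5.11.101 94.232.249.129 GET /api/tasks/next "curl /8.7.1"
1040 10.5.11.101 94.232.249.129 GET /api/tasks/next "curl /8.7.1"
1070 10.5.11.101 94.232.249.129 GET /api/tasks/next "curl /8.7.1"
1100 10.5.11.101 94.232.249.129 GET /api/tasks/next "curl /8.7.1"
"""


def analyse(log_text):
    """Run IoC matching and beacon detection over a log; returns alerts and beacons."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    alerts = []
    for r in records:
        hits = match_iocs(r)
        if hits:
            alerts.append((r["ts"], r["dst"], hits))
    return {"alerts": alerts, "beacons": detect_beaconing(records)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ts, dst, hits in result["alerts"]:
        print(f"{ts:.0f} -> {dst}: " + "; ".join(hits))
    for (src, dst), period in result["beacons"].items():
        print(f"beacon {src} -> {dst} every ~{period}s")
```

The IP and URI matches are the cheap, brittle part (an attacker can move infrastructure); the User-Agent and periodicity checks are what would still fire on a fresh sample, which is why the beacon detector keys on request timing rather than on the specific host.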
## 🛡️ Remediation & Strategic Prevention
Based on the forensic evidence collected during this incident investigation, the following defense-in-depth actions are recommended:
### Immediate Incident Response (Containment & Eradication)
1. **Network Isolation:** Disconnect the compromised macOS device (`10.5.11.101`) immediately from local networks and Wi-Fi to stop ongoing C2 communication or potential lateral movement.
2. **Hard Perimeter Blocks:** Implement immediate firewall rules blocking all inbound and outbound traffic to `165.245.215.18` and `94.232.249.129`.
3. **Full System Eradication:** Because this malware requests deep access during execution to scrape keychains and wallets, standard deletion is insufficient. The endpoint must be securely wiped, and a clean installation of macOS must be performed.
4. **Credential Revocation:** Force an immediate global password reset for all user corporate, personal, and browser-stored accounts. Invalidate session cookies across all active platforms, and rotate any cryptocurrency keys stored on the system.
### Long-Term Security Hardening (Prevention)