A newly identified malware known as Infiniti Stealer is posing a significant threat to macOS users by tricking them through counterfeit Cloudflare CAPTCHA pages. This sophisticated attack bypasses traditional software vulnerabilities, directly convincing users to execute malicious commands on their systems.
Understanding the Infiniti Stealer Threat
Infiniti Stealer employs a social engineering tactic called ClickFix, which is designed to deceive users into executing harmful commands without exploiting any software flaws. The malware, initially detected under the codename NukeChain, confronts the common belief that macOS is impervious to such threats. The malware came to wider attention when its control panel was inadvertently exposed online, revealing its true identity and confirming a targeted campaign against macOS users.
How the Attack is Carried Out
The attack initiates from a malicious domain, update-check[.]com, which replicates a Cloudflare verification page. Users visiting this site are instructed to open Terminal and input a specific command, unknowingly setting off the infection sequence. This method is particularly dangerous as it does not involve downloading files or opening phishing attachments, relying entirely on user trust in the fake CAPTCHA.
Once the command is executed, the malware operates stealthily, leaving no immediate signs of compromise. Its capabilities include harvesting credentials, collecting sensitive information, and sending data to a remote server, all while notifying the operator via Telegram.
Stages of the Malware Execution
Infiniti Stealer unfolds in three stages. Initially, a Bash dropper script decodes and executes the primary payload, concealing its actions from the user. The second stage involves an Apple Silicon Mach-O binary created with Nuitka, which complicates static analysis by security tools. Lastly, the Python-based final payload, UpdateHelper[.]bin, conducts the data theft while evading detection in analysis environments.
Victims are advised to cease sensitive activities on compromised devices, change passwords, and revoke active sessions. Conducting a full security scan is essential to ensure any remnants of the malware are removed.
Protecting Against Fake CAPTCHA Attacks
Users should be cautious of any site requesting Terminal commands as part of a CAPTCHA process. Such requests are illegitimate and should be closed immediately to prevent potential malware infection. Staying informed and vigilant is crucial in safeguarding against these evolving cyber threats.
For more updates on cybersecurity threats, follow us on Google News, LinkedIn, and X. Set CSN as a preferred source in Google for instant updates.
