A sophisticated fresh malware strain, dubbed Infinity Stealer, is targeting macOS users, employing a novel combination of techniques to steal sensitive data. The malware, which utilizes a Python-based payload compiled with the Nuitka compiler, is delivered through a deceptive tactic known as “ClickFix,” tricking users into executing malicious code disguised as a standard CAPTCHA challenge. This represents a significant escalation in the threat landscape for Apple’s operating system, according to security researchers.
The emergence of Infinity Stealer highlights a growing trend of increasingly complex and evasive malware targeting macOS. While historically considered more secure than other operating systems, macOS has seen a rise in targeted attacks in recent years. This particular campaign is notable for its use of ClickFix, a relatively new delivery method, coupled with the obfuscation benefits of Nuitka, making detection and analysis considerably more difficult. Understanding how this malware operates is crucial for users to protect their data and systems.
How Infinity Stealer Works: A Multi-Stage Attack
The attack begins with a lure hosted on the domain update-check[.]com, designed to mimic a Cloudflare human verification step. Users are presented with what appears to be a CAPTCHA challenge, but instead of a typical image selection task, they are prompted to paste a base64-obfuscated curl command into the macOS Terminal. This seemingly innocuous action bypasses standard operating system security measures and initiates the malware’s installation process.
Source: Malwarebytes
Once executed, the curl command decodes a Bash script that downloads and executes the next stage of the attack – a Nuitka loader – to the /tmp directory. This loader, an 8.6 MB Mach-O binary, contains a compressed archive holding the core Infinity Stealer malware, named UpdateHelper.bin. The script also removes the quarantine flag, allowing the malicious code to run without prompting, and utilizes ‘nohup’ to ensure the process continues even after the Terminal window is closed. Crucially, the command-and-control (C2) server address and a unique token are passed via environment variables, further obscuring the malware’s activity.
Nuitka: A Key Component of Evasion
A significant aspect of Infinity Stealer’s design is its use of Nuitka, an open-source Python compiler. Unlike tools like PyInstaller, which bundle Python bytecode with the executable, Nuitka compiles the Python script directly into C code, resulting in a native macOS binary. This approach makes the malware significantly more resistant to static analysis, a common technique used by security researchers to understand malware behavior.
.jpg)
Source: Malwarebytes
As Malwarebytes researchers noted, “The final payload is written in Python and compiled with Nuitka, producing a native macOS binary. That makes it harder to analyze and detect than typical Python-based malware.”
What Data Does Infinity Stealer Steal?
Once deployed, Infinity Stealer performs anti-analysis checks to determine if it’s running in a virtualized or sandboxed environment, attempting to evade detection. If it determines it’s operating in a legitimate environment, the malware begins collecting a wide range of sensitive data. This includes:
- Credentials stored in Chromium-based browsers (like Chrome, Edge, and Brave) and Firefox
- Entries from the macOS Keychain, which stores passwords, certificates, and other sensitive information
- Cryptocurrency wallet data
- Plaintext secrets found in developer files, such as .env files often used in software development
The stolen data is then exfiltrated to the C2 server via HTTP POST requests. Upon successful completion of the data theft, the malware sends a notification to the attackers via Telegram, confirming a successful breach.
Protecting Yourself from Infinity Stealer
The researchers at Malwarebytes emphasize that the appearance of Infinity Stealer underscores the increasing sophistication of threats targeting macOS users. The most critical preventative measure is to exercise extreme caution when encountering commands or requests to paste code into the Terminal. Users should never execute commands they don’t fully understand, especially those obtained from untrusted sources.
Beyond this, maintaining up-to-date security software, including antivirus and anti-malware solutions, is essential. Regularly updating macOS itself ensures that the latest security patches are applied, mitigating known vulnerabilities. Practicing good cybersecurity hygiene, such as using strong, unique passwords and enabling two-factor authentication where available, can also significantly reduce the risk of compromise.
The threat landscape is constantly evolving, and this new campaign demonstrates the need for vigilance. Security researchers continue to monitor Infinity Stealer and its variants, and further updates will likely emerge as analysis progresses. Users should stay informed about the latest threats and best practices for protecting their systems and data. For more information and updates on this threat, refer to the Malwarebytes threat intelligence report.
As security firms continue to analyze Infinity Stealer, the next key development will likely be the release of updated detection signatures and mitigation strategies. Staying informed through reputable security blogs and advisories is crucial for maintaining a strong security posture. Share this information with your network to assist others stay safe online.
