
A new info-stealing malware named Infinity Stealer is targeting macOS systems with a Python payload packaged as an executable using the open-source Nuitka compiler.
The attack uses the ClickFix technique, presenting a fake CAPTCHA that mimics Cloudflare's human verification check to trick users into executing malicious code.
Researchers at Malwarebytes say this is the first documented macOS campaign combining ClickFix delivery with a Python-based infostealer compiled using Nuitka.
Because Nuitka produces a native binary by compiling the Python script into C code, the resulting executable is more resistant to static analysis.
Compared to PyInstaller, which bundles Python with bytecode, it is more evasive because it produces a real native binary with no obvious bytecode layer, making reverse engineering much harder.
"The final payload is written in Python and compiled with Nuitka, producing a native macOS binary. That makes it harder to analyze and detect than typical Python-based malware," Malwarebytes says.
Attack chain
The attack begins with a ClickFix lure on the domain update-check[.]com, posing as a human verification step from Cloudflare and asking the user to complete the challenge by pasting a base64-obfuscated curl command into the macOS Terminal, bypassing OS-level defenses.
[Image: Source: Malwarebytes]
The command decodes a Bash script that writes stage 2 (the Nuitka loader) to /tmp, removes the quarantine flag, and executes it via 'nohup.' Finally, it passes the command-and-control (C2) address and token via environment variables, then deletes itself and closes the Terminal window.
The Nuitka loader is an 8.6 MB Mach-O binary that contains a 35 MB zstd-compressed archive holding stage 3 (UpdateHelper.bin), which is the Infinity Stealer malware itself.
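As an added example that is not part of Malwarebytes' report or the original article, the following Python script scores constructed process-execution records against the three observable steps of the chain described above (a base64-decoded command piped into a shell, quarantine removal on a /tmp path, and a nohup launch from /tmp). The sample records, session IDs and rule names are assumptions; the point is that no single step is conclusive on its own, so sessions are flagged only when several steps co-occur.

```python
import re
from collections import defaultdict

# Constructed sample records, shaped like process-execution telemetry an EDR or
# osquery-style collector might emit ("session" = the Terminal session the
# command ran in). These are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"session": "tty001", "cmd": "echo 'Q09OU1RSVUNURUQ=' | base64 -D | bash"},
    {"session": "tty001", "cmd": "xattr -d com.apple.quarantine /tmp/UpdateHelper"},
    {"session": "tty001", "cmd": "nohup /tmp/UpdateHelper"},
    {"session": "tty002", "cmd": "git status"},
    {"session": "tty002", "cmd": "base64 -D -i archive.b64 -o archive.zip"},
]

# Each rule is one observable step of the chain; a single hit is weak evidence
# (base64 -D on its own is common developer activity), so sessions are scored
# on how many distinct steps they exhibit.
RULES = {
    "decode_piped_to_shell": re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(ba)?sh\b"),
    "quarantine_removed_in_tmp": re.compile(r"xattr\s+-d\s+com\.apple\.quarantine\s+/(private/)?tmp/"),
    "nohup_from_tmp": re.compile(r"\bnohup\s+/(private/)?tmp/"),
}


def match_rules(cmd):
    """Return the names of the chain steps a single command line exhibits."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}


def score_sessions(events, min_steps=2):
    """Group events by session; flag sessions showing >= min_steps distinct steps."""
    steps = defaultdict(set)
    for ev in events:
        steps[ev["session"]] |= match_rules(ev["cmd"])
    return {s: sorted(names) for s, names in steps.items() if len(names) >= min_steps}


if __name__ == "__main__":
    for session, names in score_sessions(SAMPLE_EVENTS).items():
        print(f"{session}: ClickFix-style chain suspected ({', '.join(names)})")
```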
[Image: Source: Malwarebytes]
Before it starts collecting sensitive data, the malware performs anti-analysis checks to determine whether it is running in a virtualized or sandboxed environment.
Malwarebytes' analysis of the Python 3.11 payload revealed that the info-stealer can take screenshots and harvest the following data:
- Credentials from Chromium-based browsers and Firefox
- macOS Keychain entries
- Cryptocurrency wallets
- Plaintext secrets in developer files, such as .env
All stolen data is exfiltrated via HTTP POST requests to the C2, and a Telegram notification is sent to the threat actors upon completion of the operation.
Malwarebytes emphasizes that the appearance of malware like Infinity Stealer is evidence that threats to macOS users are only becoming more advanced and targeted.
Users should never paste into the Terminal commands they find online and do not fully understand.

