Mac Users Targeted by Fake Cloudflare CAPTCHAs: New Infiniti Stealer Malware Emerges

A new and previously undocumented macOS malware, dubbed Infiniti Stealer, is actively targeting users through deceptive Cloudflare human verification pages. This sophisticated threat employs a social engineering technique known as ClickFix, tricking Mac users into executing malicious commands directly on their systems without exploiting any software vulnerabilities.

The Deceptive Tactic

Infiniti Stealer challenges the long-held belief that macOS systems are inherently secure against malware. Initially identified under the internal name NukeChain during routine threat hunting, the malware’s true identity was revealed when the operator’s control panel was inadvertently exposed online. This exposure confirmed an organized and ongoing campaign specifically targeting macOS users.

Analysts at Malwarebytes have identified Infiniti Stealer as the first documented macOS campaign combining ClickFix delivery with a Python-based stealer compiled using Nuitka. The attack initiates when users visit a malicious domain, update-check[.]com, which hosts a convincing replica of a Cloudflare human verification page.

Upon accessing the fake page, users are instructed to open the Terminal application, paste a provided command, and press Return. This seemingly routine verification process triggers the malware’s infection chain without any need for the user to download files or open suspicious attachments. The attack relies entirely on the user’s trust in the fake CAPTCHA, leading to the silent execution of the malicious payload.

Potential Damage

The capabilities of Infiniti Stealer are extensive and concerning. The malware is designed to:

– Harvest login credentials from Chromium-based browsers and Firefox.

– Collect macOS Keychain entries.

– Drain cryptocurrency wallets.

– Capture screenshots during execution.

– Extract plaintext secrets from developer environment files such as `.env`.

All collected data is transmitted to a remote server via HTTP POST requests, with the operator receiving immediate notifications through Telegram once the data upload is complete.

Three-Stage Infection Chain

Once the victim executes the Terminal command, Infiniti Stealer proceeds through a three-stage infection process:

1. Stage One: Bash Dropper Script

The initial stage involves a Bash script that decodes an embedded payload, writes the next stage binary to the `/tmp` folder, removes the macOS quarantine attribute, and executes the file silently using `nohup`. The script then deletes itself and closes the Terminal via AppleScript, ensuring the user remains unaware of the malicious activity.

2. Stage Two: Nuitka Loader Binary

The second stage delivers an Apple Silicon Mach-O binary, approximately 8.6 MB in size, compiled using Nuitka’s onefile mode. Unlike PyInstaller, Nuitka compiles Python source code into C, producing a native binary that complicates static analysis for security tools. At runtime, this loader decompresses around 35 MB of embedded data and hands off execution to the final payload.

3. Stage Three: Python-Based Stealer

The final stage, `UpdateHelper[.]bin`, is a Python 3.11 stealer also compiled with Nuitka. Before initiating data theft, it checks for execution within known analysis environments, terminating if any are detected. This anti-analysis feature helps the malware evade detection by security researchers.
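The stage-one behaviour described above (decode an embedded payload, drop it in `/tmp`, strip the quarantine attribute, launch it with `nohup`, delete the script, close Terminal via AppleScript) leaves a recognisable footprint in a user's shell history. The script below is an added example, not code from Malwarebytes or the article: a small indicator-based detector run over constructed sample history lines. The indicator names, the two-indicator threshold and every sample command line are assumptions made for the example; a lone `xattr -d com.apple.quarantine` from a developer is deliberately not flagged, while a single line chaining several of the behaviours is.

```python
"""Added example (not from the article or any vendor tool): flag ClickFix-style
one-liners in shell history by counting stage-one behaviours per command line.
All sample lines are constructed; indicator names and threshold are assumptions."""
import re

# One regex per behaviour the article attributes to the Bash dropper.
# Insertion order matters: match_indicators() reports hits in this order.
INDICATORS = {
    "base64_decode":     re.compile(r"\bbase64\s+(-d|--decode|-D)\b"),
    "writes_to_tmp":     re.compile(r">>?\s*/tmp/\S+"),
    "strips_quarantine": re.compile(r"\bxattr\b.*?(-d\s+com\.apple\.quarantine|-c\b)"),
    "nohup_background":  re.compile(r"\bnohup\b.*&\s*$"),
    "self_delete":       re.compile(r"\brm\b.*\$0"),
    "closes_terminal":   re.compile(r"osascript\s+-e\s+.*Terminal.*\b(quit|close)\b", re.IGNORECASE),
    "curl_pipe_shell":   re.compile(r"\bcurl\b.*\|\s*(bash|sh|zsh)\b"),
}

# Constructed zsh history: one benign line, one legitimate lone xattr use,
# one chained dropper-style line with a placeholder instead of a real payload,
# one AppleScript Terminal close, and one harmless /tmp listing.
SAMPLE_HISTORY = [
    "git status",
    "xattr -d com.apple.quarantine ~/Downloads/tool.app",
    "echo '<BASE64_PLACEHOLDER>' | base64 -d > /tmp/UpdateHelper && "
    "xattr -c /tmp/UpdateHelper && nohup /tmp/UpdateHelper >/dev/null 2>&1 &",
    "osascript -e 'tell application \"Terminal\" to quit'",
    "ls -la /tmp",
]


def match_indicators(line: str) -> list[str]:
    """Return the names of every indicator whose regex matches this command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]


def is_clickfix_like(line: str, threshold: int = 2) -> bool:
    """Treat a single command line as ClickFix-like only when it shows at least
    `threshold` distinct behaviours; one hit on its own is ordinary admin work."""
    return len(match_indicators(line)) >= threshold


def scan_history(lines: list[str], threshold: int = 2) -> list[tuple[int, str, list[str]]]:
    """Return (1-based line number, command, matched indicators) for flagged lines."""
    return [
        (n, line, match_indicators(line))
        for n, line in enumerate(lines, start=1)
        if is_clickfix_like(line, threshold)
    ]


if __name__ == "__main__":
    for n, line, hits in scan_history(SAMPLE_HISTORY):
        print(f"history line {n}: {len(hits)} indicators {hits}")
        print(f"  {line}")
```

Pointing `scan_history` at the lines of `~/.zsh_history` (or at the command field of unified-log process events) gives a cheap triage signal; the threshold is the knob that trades the occasional missed single-behaviour line against noise from developers who legitimately strip quarantine flags.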

Broader Implications

The emergence of Infiniti Stealer underscores a growing trend of sophisticated social engineering attacks targeting macOS users. Similar campaigns have been observed, such as the ClickFix attack that exploits fake Cloudflare human checks to install malware silently. In this method, users are deceived into executing malicious PowerShell commands under the guise of routine security verifications.

Another notable campaign involved the UNC5518 group, which compromised legitimate websites to inject fake CAPTCHA pages, tricking users into executing malware. These incidents highlight the increasing use of deceptive tactics that exploit user trust in familiar security mechanisms.

Protective Measures

To safeguard against such threats, users should adopt the following practices:

– Exercise Caution with Verification Prompts: Be skeptical of unexpected verification requests, especially those instructing manual command execution.

– Verify Website Authenticity: Ensure the legitimacy of websites before interacting with their content, particularly when prompted to perform actions like opening the Terminal.

– Keep Systems Updated: Regularly update macOS and installed applications to patch known vulnerabilities.

– Use Reputable Security Software: Employ comprehensive security solutions capable of detecting and mitigating such sophisticated threats.

– Educate Yourself and Others: Stay informed about emerging threats and share knowledge to build a more resilient user community.

The advent of Infiniti Stealer serves as a stark reminder that macOS users are not immune to malware. By remaining vigilant and adopting proactive security measures, individuals can significantly reduce the risk of falling victim to such deceptive attacks.