Infiniti Stealer - New Malware Targets macOS Users via CAPTCHA
Basically, a new malware tricks Mac users into running harmful commands by pretending to be a security check.
A new malware called Infiniti Stealer is targeting macOS users through fake Cloudflare CAPTCHA pages. This clever trick bypasses traditional security measures, posing serious risks. Users are urged to take immediate action to protect their sensitive data.
What Happened
A new malware named Infiniti Stealer is making waves in the cybersecurity world, specifically targeting macOS users. This malware operates through fake Cloudflare CAPTCHA pages, deceiving users into executing malicious commands on their own devices. Unlike traditional malware that exploits software vulnerabilities, Infiniti Stealer relies on social engineering tactics, specifically a method known as ClickFix. This approach allows attackers to bypass the need for any software flaw or exploit, making it particularly dangerous.
The malware was first identified under the internal name NukeChain during routine threat hunting. Its operator control panel was inadvertently exposed online, revealing its true identity and confirming that this is part of a larger, ongoing campaign aimed at macOS users. Analysts from Malwarebytes have flagged this as the first documented macOS campaign that utilizes ClickFix delivery combined with a Nuitka-compiled Python stealer.
Who's Being Targeted
Infiniti Stealer specifically targets macOS users, who have long believed their systems to be resistant to malware attacks. This assumption is now being challenged as the malware effectively harvests sensitive information without needing to download any malicious files or rely on phishing tactics. The attack begins at a malicious domain, update-check[.]com, where unsuspecting visitors encounter a near-perfect replica of a legitimate Cloudflare human verification page.
Once on this fake page, users are prompted to open their Terminal application, paste a provided command, and press Return. This seemingly innocuous action triggers the entire infection chain, making it easy for the malware to slip past the user's defenses.
Signs of Infection
The damage potential of Infiniti Stealer is extensive. Once executed, it can harvest login credentials from popular browsers like Chrome and Firefox, collect entries from the macOS Keychain, drain cryptocurrency wallets, and even take screenshots during execution. The malware operates silently, sending collected data to a remote server via HTTP POST requests. Victims may not even realize they have been compromised until it's too late.
The infection process unfolds in three stages. The first stage involves a Bash dropper script that decodes an embedded payload and executes it without alerting the user. The second stage delivers a Mach-O binary designed to evade detection, while the final stage runs a Python stealer that checks for analysis environments to avoid being caught by security tools.
How to Protect Yourself
If you suspect that you may have been affected by Infiniti Stealer, it is crucial to take immediate action. Here are steps to mitigate potential damage:
- Stop using the device for sensitive activities, including banking or accessing work accounts.
- Change passwords from a clean device, starting with your email, Apple ID, and banking credentials.
- Revoke active sessions and invalidate any API tokens or SSH keys.
- Check for unusual files in directories like /tmp and ~/Library/LaunchAgents/.
- Run a full security scan to detect and remove any remaining malware.
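The file check in the list above is the step most readers will struggle to do by hand, so here is an added triage script (written for this page, not published by Malwarebytes or taken from the malware analysis) that inventories LaunchAgents property lists and recently modified executables in /tmp. The indicator patterns it greps for (scripts under /tmp, inline `bash -c`/`sh -c`, base64 decoding, curl, osascript) are generic assumptions about what a ClickFix-style persistence entry tends to contain; they are not indicators published for Infiniti Stealer, and the two sample plists it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the article or the malware: a small triage
# helper for the "check /tmp and ~/Library/LaunchAgents/" step.
# The indicator patterns are assumed, generic heuristics, not published IoCs.

# Assumed indicator patterns: payloads under /tmp, inline shell execution,
# base64 decoding, curl, or osascript inside a LaunchAgent's ProgramArguments.
SUSPICIOUS_PATTERN='(/tmp/|/private/tmp/|bash -c|sh -c|base64|curl |osascript)'

# flag_launchagents DIR
# Prints "flagged: <file>" for each .plist under DIR that matches the pattern
# and "clean: <file>" otherwise. Returns 0 when nothing was flagged, 1 otherwise.
flag_launchagents() {
    dir="$1"
    flagged=0
    for plist in "$dir"/*.plist; do
        [ -e "$plist" ] || continue          # no .plist files: glob stayed literal
        if grep -Eq "$SUSPICIOUS_PATTERN" "$plist"; then
            echo "flagged: $plist"
            flagged=$((flagged + 1))
        else
            echo "clean: $plist"
        fi
    done
    [ "$flagged" -eq 0 ]
}

# list_recent_tmp_executables DIR MINUTES
# Lists regular files directly under DIR that are user-executable and were
# modified within the last MINUTES minutes, the kind of artifact a dropper
# stage leaves behind.
list_recent_tmp_executables() {
    find "$1" -maxdepth 1 -type f -perm -u+x -mmin "-$2" 2>/dev/null
}

# make_sample_dir
# Builds a constructed sample directory with one benign and one suspicious
# plist so the checks can be exercised offline; prints the directory path.
make_sample_dir() {
    sample=$(mktemp -d)
    cat > "$sample/com.example.benign.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/helper</string>
  </array>
</dict></plist>
EOF
    # Constructed suspicious entry: runs a hidden script out of /tmp via bash -c
    cat > "$sample/com.update.check.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.update.check</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string>
    <string>/tmp/.updater</string>
  </array>
</dict></plist>
EOF
    echo "$sample"
}

# Stand-alone run: scan the constructed sample first, then the live
# directories. The live calls are harmless on a non-macOS system.
if [ "${RUN_TRIAGE_DEMO:-1}" = "1" ]; then
    sample_dir=$(make_sample_dir)
    flag_launchagents "$sample_dir" || echo "review the flagged entries above"
    rm -rf "$sample_dir"
    echo "--- live LaunchAgents ---"
    flag_launchagents "$HOME/Library/LaunchAgents" || echo "review the flagged entries above"
    echo "--- executables in /tmp modified in the last 60 minutes ---"
    list_recent_tmp_executables /tmp 60 || true
fi
```

A flagged plist is a lead, not a verdict: open it, confirm what the referenced program is, and treat anything that points at a hidden file under /tmp or a one-line shell invocation as worth removing and unloading with launchctl before running the full scan the list recommends.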
Remember, no legitimate CAPTCHA page will ever ask you to open Terminal and run a command. If you encounter such a request, close the page immediately to protect yourself from potential threats.
Cyber Security News