New Mac Malware Threat: ClickFix Lures Used for Data Theft on macOS Devices


The Rise of Sophisticated Malware on Mac Systems

Security researchers have spotted a new type of malware known as Infinity Stealer that specifically targets Mac systems through a tactic named ClickFix. This method displays a phony CAPTCHA on a website called update-check[.]com that imitates Cloudflare's human verification step, tricking users into executing malicious code themselves.

Tactics Used by Infinity Stealer Malware

  • Posing as a legitimate website: update-check[.]com
  • Mimicking Cloudflare's human verification process
  • Displaying a fake CAPTCHA that instructs users to paste a base64-obfuscated command into their terminal
  • Bypassing operating-system-level defenses, since the user runs the command rather than a downloaded app

How the Malware Operates

The attack starts when unsuspecting users visit the fake website. They are prompted to complete a "verification challenge" by pasting a command into their terminal. That command decodes a Bash script which writes a loader to /tmp, removes the quarantine flag from it, and executes it in the background via nohup.

According to researchers, “the loader is an 8.6 MB Mach-O binary that contains a compressed archive containing the actual malware payload, UpdateHelper.bin, which is the Infinity Stealer malware.”
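The three steps described above (a base64 blob decoded straight into a shell, a file dropped under /tmp with its quarantine flag stripped, and a detached launch via nohup) are exactly what a defender can hunt for in shell history or endpoint command-line telemetry. The following detector is an added example, not code from the researchers or the article; the regexes and the sample command lines are constructed for illustration and the /tmp/UpdateHelper path is a placeholder.

```python
import base64
import binascii
import re

# Constructed heuristics for the ClickFix chain: not vendor signatures.
INDICATORS = {
    "decode_to_shell": re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(ba|z)?sh\b", re.I),
    "tmp_drop": re.compile(r"/tmp/\S+"),
    "quarantine_strip": re.compile(
        r"xattr\s+-[a-z]*[dc][a-z]*\s+(com\.apple\.quarantine\s+)?\S+", re.I),
    "nohup_launch": re.compile(r"\bnohup\s+\S*/tmp/", re.I),
}

# A long run of base64 alphabet characters is worth decoding and inspecting.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blobs(cmd):
    """Return decoded text for every base64 blob in the command line that decodes to text."""
    found = []
    for m in B64_BLOB.finditer(cmd):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="ignore")
        if all(c.isprintable() or c.isspace() for c in text):
            found.append(text)
    return found


def classify(cmd):
    """Indicator names matched by the command line itself or by anything it base64-decodes."""
    surfaces = [cmd] + decode_blobs(cmd)
    return sorted(n for n, rx in INDICATORS.items() if any(rx.search(s) for s in surfaces))


def is_clickfix_like(cmd):
    """Decode-to-shell plus a Gatekeeper bypass or detached /tmp launch is the ClickFix shape."""
    hits = classify(cmd)
    return "decode_to_shell" in hits and ("quarantine_strip" in hits or "nohup_launch" in hits)


# Constructed sample lines. The "inner" script mirrors only the steps named in the article
# (placeholder path, no download, no payload) so the decoded content trips the indicators.
_INNER = "xattr -d com.apple.quarantine /tmp/UpdateHelper\nnohup /tmp/UpdateHelper >/dev/null 2>&1 &\n"
SAMPLES = {
    "clickfix": "echo " + base64.b64encode(_INNER.encode()).decode() + " | base64 -d | bash",
    "benign": "echo aGVsbG8gd29ybGQ= | base64 -d",
    "dev_unquarantine": "xattr -d com.apple.quarantine ~/Downloads/tool.dmg",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, classify(line), is_clickfix_like(line))
```

Only the combination is flagged: a developer clearing the quarantine attribute on a file they downloaded deliberately hits one indicator and is not treated as ClickFix.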

What Data Does the Malware Collect?

  • Credentials from Chromium and Firefox browsers
  • macOS Keychain entries
  • Cryptocurrency wallets
  • Plaintext secrets stored in developer files

How Does the Malware Exfiltrate Data?

The stolen data is exfiltrated via HTTP POST requests to a command-and-control server, with a subsequent notification sent to the attackers via Telegram.

Security Measures to Take

With Infinity Stealer in circulation, users are advised never to paste commands they do not understand into a terminal, whatever a web page claims the command is for: no legitimate CAPTCHA or "human verification" step requires running a terminal command. Remaining vigilant and keeping robust security measures in place is the best protection against threats of this kind.
