A new variant of the "SHub" macOS infostealer uses AppleScript to display fake security update messages and install a backdoor.
This new version, called Reaper, steals sensitive browser data, collects documents and files that may contain financial details, and hijacks cryptocurrency wallet apps.
Unlike earlier SHub campaigns, which relied on the "ClickFix" tactic to trick users into pasting and running commands in Terminal, Reaper relies on the applescript:// URL scheme to launch the macOS Script Editor preloaded with malicious AppleScript.
This approach bypasses a Terminal-based mitigation that Apple introduced in late March with macOS Tahoe 26.4, which blocks the pasting and execution of potentially dangerous commands.
SentinelOne researchers have identified a new SHub infostealer variant that lures users with fake installers for the WeChat and Miro applications, hosted on domains made to look legitimate to inexperienced users (e.g., qq-0732gwh22(.)com, mlcrosoft(.)co(.)com, mlroweb(.)com).
At the time of writing, the fake QQ and Microsoft domains still serve fake WeChat installers, but the installers impersonating the Miro visual collaboration platform now redirect to legitimate websites.
BleepingComputer noticed that the Windows and Android download buttons offer the same executable file, hosted in a Dropbox account.
Before invoking AppleScript, the malicious website fingerprints the visitor's system and checks for virtual machines and VPNs. This fingerprinting doubles as visitor analytics and may also enumerate installed browser extensions for password managers and cryptocurrency wallets. All telemetry data is delivered to the attacker through a Telegram bot.
SentinelOne's report, published today, notes that the script containing the command to retrieve the payload is dynamically constructed and hidden beneath ASCII art.

Supply: SentinelOne
Once the victim clicks 'Run', the script displays a fake Apple security update message that references XProtectRemediator, downloads a shell script using 'curl', and runs it silently via 'zsh'.
Before deploying the data theft logic, the malware performs a system check to see if the victim is using a Russian keyboard or input source. If there is a match, it reports a "cis_blocked" event to the command and control (C2) server and exits without infecting the system.
If the host is not Russian, Reaper uses the osascript command-line tool built into macOS to retrieve and execute a malicious AppleScript containing the data theft routines.
When launched, the user is prompted to enter their macOS password. This password can be used to access keychain items, decrypt credentials, and read protected data. The infostealer then targets:
- Browser data for Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Orion
- Browser extensions for cryptocurrency wallets such as MetaMask and Phantom
- Browser extensions for password managers such as 1Password, Bitwarden, and LastPass
- Desktop cryptocurrency wallet applications such as Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite
- iCloud account data
- Telegram session data
- Developer-related configuration files
Reaper also includes a "Filegrabber" module that searches the Desktop and Documents folders for file types that may contain sensitive information. Files to be collected must be smaller than 2MB (up to 6MB for PNG image files), and the total size limit is set to 150MB.

Supply: SentinelOne
If a targeted wallet application is present, Reaper hijacks it by terminating its process and replacing the legitimate core application files with a malicious file called app.asar that is downloaded from the command and control (C2) server.
To avoid Gatekeeper alerts, the SHub Reaper malware "clears quarantine attributes" with xattr -cr and then applies code signing to the modified application bundles, the researchers explained.

Supply: SentinelOne
SentinelOne warns that the malware establishes persistence by installing a script that spoofs Google software updates and registering it as a LaunchAgent. This script runs every minute and acts as a beacon that sends system information to the C2.
Once the script receives a payload, it can decode it, run it in the context of the current user, and delete files, potentially giving the attacker extended access to the machine.
SentinelOne highlights that SHub operators may expand the infostealer's capabilities to include remote access to compromised devices and the delivery of additional malware.
The researchers provided a set of indicators of compromise to help defenders detect malicious behavior associated with the new SHub Reaper infostealer variant.
SentinelOne recommends monitoring for suspicious outbound traffic after Script Editor runs, and for new LaunchAgents and associated files that sit in a trusted vendor's namespace.
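The persistence pattern described above (a LaunchAgent that borrows a Google name, runs a script interpreter on a one-minute interval, and lives in a user-writable path) can be turned into a simple triage check. The script below is an added example, not code from SentinelOne's report or from the malware; the heuristics, the thresholds, the paths treated as legitimate Google locations, and the two sample plists are all assumptions constructed for illustration. It uses only the Python standard library, so it runs offline against the embedded samples and can be pointed at a real ~/Library/LaunchAgents directory on a Mac.

```python
"""Triage macOS LaunchAgent plists for a Reaper-style persistence job.

Added example (not SentinelOne's or the malware's code). Heuristics,
thresholds, sample plists and the 'legitimate Google' prefixes are assumptions.
"""
import plistlib
import sys
from pathlib import Path

# Assumption: a genuine Google updater on macOS executes from one of these
# prefixes; a job that claims to be Google but runs from elsewhere is suspect.
LEGIT_GOOGLE_PREFIXES = ("/Library/Google/", "/Applications/Google Chrome.app/")
# Interpreters an updater has no business being launched through.
SUSPICIOUS_INTERPRETERS = {"osascript", "zsh", "bash", "sh", "curl", "python3"}
# Paths an attacker can write to without admin rights.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")
BEACON_MAX_INTERVAL = 60  # seconds; the Reaper beacon fires every minute


def program_of(job: dict) -> list[str]:
    """Reconstruct the command line launchd would run for this job.
    If 'Program' is set it is the executable and ProgramArguments[0] is argv[0]."""
    args = list(job.get("ProgramArguments") or [])
    if job.get("Program"):
        return [job["Program"], *args[1:]]
    return args


def triage_launchagent(plist_bytes: bytes) -> list[str]:
    """Return the reasons this plist matches the Reaper persistence pattern.
    An empty list means no heuristic fired."""
    job = plistlib.loads(plist_bytes)
    reasons: list[str] = []
    cmd = program_of(job)
    if not cmd:
        return reasons
    label = str(job.get("Label", "")).lower()
    claims_google = "google" in label or "google" in " ".join(cmd).lower()
    if claims_google and not cmd[0].startswith(LEGIT_GOOGLE_PREFIXES):
        reasons.append(f"vendor-spoofing label/path: {label!r} runs {cmd[0]!r}")
    interval = job.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= BEACON_MAX_INTERVAL:
        reasons.append(f"beacon-like StartInterval={interval}s")
    if Path(cmd[0]).name in SUSPICIOUS_INTERPRETERS:
        reasons.append(f"script interpreter as program: {Path(cmd[0]).name}")
    writable = [a for a in cmd if a.startswith(USER_WRITABLE_PREFIXES)]
    if writable:
        reasons.append(f"references user-writable path: {writable[0]}")
    return reasons


def scan_launchagents(directory: Path) -> dict[str, list[str]]:
    """Triage every *.plist in a directory; return only the flagged ones."""
    flagged = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            reasons = triage_launchagent(path.read_bytes())
        except Exception as exc:  # unreadable or non-plist file
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            flagged[path.name] = reasons
    return flagged


# Constructed samples (not real artifacts). The first mimics the spoofed Google
# update beacon; the second approximates a legitimate Google Keystone agent.
MALICIOUS_PLIST = plistlib.dumps({
    "Label": "com.google.update.agent",
    "ProgramArguments": ["/bin/zsh",
                         "/Users/victim/Library/Application Support/.google/update.sh"],
    "StartInterval": 60,
    "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "Program": "/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/"
               "Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/"
               "GoogleSoftwareUpdateAgent",
    "ProgramArguments": ["GoogleSoftwareUpdateAgent", "--agent"],
    "StartInterval": 3600,
})

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Library/LaunchAgents"
    for name, why in scan_launchagents(target).items():
        print(name)
        for r in why:
            print("   -", r)
```

Run it with no arguments on a Mac to triage the current user's LaunchAgents, or pass a directory copied from a forensic image. The heuristics are deliberately loose: any hit should be followed by checking the referenced script's contents and the code signature of the program it launches, since a legitimate third-party updater can also use a short StartInterval.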
