- SentinelOne reveals new SHub macOS infostealer variant called Reaper, spread via typosquatted WeChat and Miro domains
- The malware disguises itself with fake Apple and Google update components, establishing persistence and backdoor access
- Reaper targets browser credentials, crypto wallets, password managers and sensitive documents with signs of Russian-speaking operators avoiding CIS systems
Cyber security researchers from SentinelOne have discovered a new variant of the infamous SHub macOS infostealer malware called ‘Reaper’.
In a new report, SentinelOne said it observed typosquatted domains spoofing popular apps WeChat (a popular Chinese messaging and social media app) and Miro (an online visual collaboration and whiteboard platform).
Victims using macOS who want to install these apps will trigger an infection chain that constantly changes its disguise to make the malware look legitimate in all attack phases. After launching the script, it will display a fake update message referring to Apple’s XProtectRemediator security tool, and after infecting the system, it will establish persistence by creating files and folders designed to look like a genuine Google software update component.
Avoid the Russians
It will hide a backdoor in a fake “GoogleUpdate” folder and register a LaunchAgent named “com.google.keystone.agent.plist,” the researchers said.
The goal of the campaign is to steal credentials and sensitive files as well as cryptocurrency wallets. While SentinelOne did not attribute the attack to any specific group or threat actor, it said there were several hints that the operators may be Russian-speaking (or at least trying to avoid targets in former Soviet states).
The malware checks if the infected system uses Russian input sources and terminates if it detects systems in the Commonwealth of Independent States (CIS) region. SentinelOne also said that when they tried to bypass the malware’s anti-analysis protection, a fake website displayed a Russian “Access Denied” message.
The Reaper variant primarily targets web browsers, cryptocurrency wallets, and applications that may contain financial or business-related data, stealing browser credentials, crypto wallet data, login keychains, Telegram session data, and documents from the Desktop and Documents folders.
It also searches for browser extensions associated with password managers such as 1Password, Bitwarden and LastPass, along with cryptocurrency wallets such as MetaMask and Phantom.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
