- SentinelOne discovers a new variant of the macOS information stealer SHub called Reaper, spread via typosquatted WeChat and Miro domains.
- The malware disguises itself with fake Apple and Google update components, establishing persistence and backdoor access.
- Reaper targets browser credentials, crypto wallets, password managers and sensitive documents, with signs that Russian-speaking operators are avoiding CIS systems.
Cybersecurity researchers at SentinelOne have discovered a new variant of the popular SHub macOS infostealer malware called “Reaper.”
In a new report, SentinelOne said it observed typosquatted domains spoofing popular apps WeChat (a popular Chinese messaging and social media app) and Miro (an online visual collaboration and whiteboarding platform).
Victims using macOS who try to install these applications trigger an infection chain that changes its disguise at each stage to make the malware appear legitimate. After the victim runs the installer script, it displays a fake update message referencing Apple’s XProtectRemediator security tool; once the system is infected, the malware establishes persistence by creating files and folders designed to look like a genuine Google software update component.
Avoid the Russians
It will store a backdoor in a fake “GoogleUpdate” directory and register a LaunchAgent named “com.google.keystone.agent.plist,” the researchers said.
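A defender-side check for the persistence artifact described above, added here as an example and not code from SentinelOne’s report or from this article: it parses LaunchAgent plists and flags any that borrow Google’s Keystone label but launch a program outside Google’s own updater directory, or from a “GoogleUpdate” folder. The legitimate updater path, the sample plists and the user name “alice” are assumptions.

```python
import plistlib
from pathlib import Path

# Label the report says Reaper registers; Google's genuine updater uses it too.
KEYSTONE_LABEL = "com.google.keystone.agent"
# Assumption: Google's real Keystone updater lives under this user-home directory.
LEGIT_KEYSTONE_DIR = "/Library/Google/GoogleSoftwareUpdate/"
# Directory name the report says Reaper stores its backdoor in.
REAPER_DIR_NAME = "/GoogleUpdate/"


def program_path(plist):
    """Executable a LaunchAgent runs: 'Program' wins, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def assess_launch_agent(plist_bytes):
    """Return label, program and a list of findings for one LaunchAgent plist."""
    plist = plistlib.loads(plist_bytes)
    label = plist.get("Label", "")
    path = program_path(plist)
    findings = []
    # A Keystone-labelled agent that launches anything outside Google's own directory.
    if label == KEYSTONE_LABEL and LEGIT_KEYSTONE_DIR not in (path or ""):
        findings.append(f"Keystone label but program outside {LEGIT_KEYSTONE_DIR}: {path}")
    if path and REAPER_DIR_NAME in path:
        findings.append(f"program stored in a '{REAPER_DIR_NAME.strip('/')}' directory: {path}")
    return {"label": label, "program": path, "findings": findings}


def scan_launch_agents(directory=Path.home() / "Library" / "LaunchAgents"):
    """Assess every plist in a LaunchAgents folder; return only the flagged ones."""
    flagged = []
    for plist_file in sorted(Path(directory).glob("*.plist")):
        result = assess_launch_agent(plist_file.read_bytes())
        if result["findings"]:
            flagged.append((plist_file.name, result))
    return flagged


# Constructed samples (not from the report): a Reaper-style agent whose program
# sits in a fake GoogleUpdate folder, and a benign one at the assumed Google path.
REAPER_STYLE = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array><string>/Users/alice/Library/GoogleUpdate/agent</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
BENIGN = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.google.keystone.agent</string>
<key>ProgramArguments</key><array><string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string></array>
</dict></plist>"""
```

Running `scan_launch_agents()` on a Mac walks the current user’s LaunchAgents folder; the two sample blobs let the check be exercised offline on any platform.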
The aim of the campaign is to steal credentials and sensitive files, as well as cryptocurrency wallets. While SentinelOne did not attribute the attack to any specific threat group or actor, it said there were several clues suggesting the operators may be Russian-speaking (or, at least, trying to avoid targets in former Soviet states).
The malware checks whether the infected system has Russian input sources configured and shuts down if it determines the machine is in the CIS (Commonwealth of Independent States) region. SentinelOne also said that when its researchers tried to bypass the malware’s anti-scan protection, a fake website displayed a Russian “Access Denied” message.
The Reaper variant primarily targets web browsers, cryptocurrency wallets, and applications that may contain financial or business data, stealing browser credentials, cryptocurrency wallet data, login keychains, Telegram session data, and documents from Desktop and Documents folders.
It also searches for browser extensions related to password managers like 1Password, Bitwarden, and LastPass, as well as cryptocurrency wallets like MetaMask and Phantom.