- Fake CleanMyMac utility spreads SHub infostealer
- Attack tricks users into pasting terminal commands
- Malware steals credentials, crypto, and persists via backdoor
A fake utility program for macOs is tricking users into installing an infostealer malware which exfiltrates passwords, sensitive files, and even money, experts have warned.
Security researchers Malwarebytes said the program was a part of a wider, highly sophisticated campaign which also included a custom website, reputable brand spoofing, a loader, and the good old ClickFix approach.
The researchers said the campaign spoofed CleanMyMac, a legitimate mac optimization program built by MacPaw, creating an almost identical website on the cleanmymacos[DOT]org domain, which makes it easy for people to mistake it for the real one. However, instead of simply downloading and running an installer, the victims are asked to open a terminal and paste a command that fetches the payload from a third-party server.
Article continues below
Stealing files and establishing persistence
“Instead of exploiting a vulnerability, it tricks the user into running the malware themselves,” Malwarebytes explained. “Because the command is executed voluntarily, protections such as Gatekeeper, notarization checks, and XProtect offer little protection once the user pastes the command and presses Return.”
The malware being installed this way is called SHub, and during installation, it will ask the victim for their macOS password. Since the entire installation process is somewhat unorthodox and could look like something a power user would do, users might dismiss it as standard practice, the researchers explained.
However, the password actually gives SHub access to the macOS Keychain, Wi-Fi credentials, app tokens, and other private keys.
“With the password in hand, SHub begins a systematic sweep of the machine,” the Malwarebytes researchers said.
After stealing passwords, cookies, autofill data, crypto wallet extensions, iCloud account data, Telegram session files, and other valuables, it drops a stage-two backdoor which replaces some cryptocurrency wallet apps with malicious copies. That way, the malware maintains persistence and even enables additional crypto theft down the line.
Finally, the crooks would install a LaunchAgent by spoofing a Google update service.
“In practice, this gives the attackers the ability to run commands on the infected Mac at any time until the persistence mechanism is discovered and removed,” the report concluded.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/JFKDCP2HdEKqSGJCkLNprB-1100-80.jpg
Source link
