- SentinelOne Discovers a New SHub macOS Data Stealing Variant Called Reaper, Spreading Through Typo-Mirrored WeChat and Miro Domains
- The malware disguises itself with fake update components from Apple and Google, establishing persistence and backdoor access.
- Reaper targets browser credentials, crypto wallets, password managers and sensitive documents, and there are signs that Russian-speaking operators are bypassing CIS systems.
SentinelOne cybersecurity researchers have discovered a new variant of the notorious SHub macOS information-stealing malware called ‘Reaper’.
In a new report, SentinelOne said it observed domains with typos spoofing the popular apps WeChat (a popular Chinese messaging and social media app) and Miro (an online whiteboard and visual collaboration platform).
Victims using macOS who seek to install these applications will trigger an infection chain that constantly changes its disguise to make the malware appear legitimate at each stage of the attack. After launching the script, it will display a fake update message referencing Apple’s XProtectRemediator security tool, and after infecting the system, it will establish persistence by creating files and folders designed to look like a genuine Google software update component.
Avoiding the Russians
It will store a backdoor in a fake “GoogleUpdate” directory and register a LaunchAgent called “com.google.keystone.agent.plist,” the researchers said.
The goal of the campaign is to steal confidential credentials and files, as well as cryptocurrency wallets. While SentinelOne does not attribute the attack to any specific threat group or actor, it did say there were several indications that suggested the operators might speak Russian (or, at least, be trying to avoid targets in former Soviet states).
The malware checks whether the infected system uses Russian input sources and exits if it detects systems in the CIS (Commonwealth of Independent States) region. SentinelOne also said that when they tried to bypass the malware’s anti-scan protection, a fake website displayed a Russian “Access Denied” message.
The Reaper variant primarily targets web browsers, cryptocurrency wallets, and applications that may contain financial or business-related data, stealing browser credentials, crypto wallet data, login keychains, Telegram session data, and documents from Desktop and Documents folders.
Also look for browser extensions linked to password managers like 1Password, Bitwarden, and LastPass, along with cryptocurrency wallets like MetaMask and Phantom.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
