SHub macOS Infostealer Variant Spoofs Apple Security Updates
A new iteration of the ‘SHub’ macOS infostealer has emerged, utilizing AppleScript to present a deceptive security update notification and implant a backdoor into the system.
Known as Reaper, this latest version is designed to pilfer sensitive browser data, harvest documents and files containing financial information, and take control of cryptocurrency wallet applications.
Unlike previous SHub campaigns that relied on the “ClickFix” method to deceive users into executing commands in Terminal, Reaper now abuses the applescript:// URL scheme to launch the macOS Script Editor preloaded with a malicious AppleScript.
This strategy sidesteps the Terminal-based protection Apple introduced in late March with macOS Tahoe 26.4, which blocks the pasting of potentially harmful commands into Terminal.
Researchers at SentinelOne discovered this new SHub infostealer variant, noting that unsuspecting users were enticed with a fake installer for WeChat and Miro applications hosted on domains masquerading as legitimate sites to the untrained eye (e.g., qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, mlroweb[.]com).
Presently, the counterfeit QQ and Microsoft domains continue to distribute bogus WeChat installers, while the Miro platform impersonation redirects users to the genuine website.
BleepingComputer observed that download buttons for Windows and Android lead to the same executable hosted on a Dropbox account.
Prior to initiating the AppleScript, the malicious websites conduct device fingerprinting on visitors to detect virtual machines and VPNs, which could signify an analysis environment, and enumerate installed browser extensions, including those for password managers and cryptocurrency wallets. All collected telemetry is sent to the attacker via a Telegram bot.
As per SentinelOne’s report, the script containing the command to fetch the payload is dynamically generated and concealed within ASCII art.
The malicious AppleScript (Source: SentinelOne)
Upon clicking ‘Run,’ the script presents a fabricated Apple security update message referencing XProtectRemediator, downloads a shell script via ‘curl,’ and executes it discreetly using ‘zsh.’
Before engaging in data theft, the malware checks whether the user has a Russian keyboard layout or input source enabled. If a match is found, it reports a ‘cis_blocked’ event to the command-and-control (C2) server and aborts the infection. If no Russian keyboard is detected, Reaper runs the malicious AppleScript containing the data theft routine using the osascript command-line tool built into macOS.
Upon activation, the malware prompts the user for their macOS password, granting access to Keychain items, decryption of credentials, and retrieval of protected data. Subsequently, the infostealer targets various elements including:
Browser data from Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Orion
Cryptocurrency wallet browser extensions such as MetaMask and Phantom
Password manager browser extensions like 1Password, Bitwarden, and LastPass
Desktop cryptocurrency wallet applications including Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite
iCloud account data
Telegram session information
Developer-related configuration files
Reaper also features a “Filegrabber” module that scans the Desktop and Documents folders for specific file types likely to contain sensitive data. It captures targeted files below 2MB, or up to 6MB in the case of PNG images, with a total volume cap of 150MB.
The Filegrabber module (Source: SentinelOne)
When wallet applications are present, the malware seizes control by terminating their processes and substituting the authentic core application file with a malicious one named app.asar obtained from the command-and-control (C2) server.
To circumvent any Gatekeeper alerts, the SHub Reaper malware “clears the quarantine attributes with xattr -cr and utilizes ad hoc code signing on the modified application bundle,” as detailed by the researchers.
Wallet injection code (Source: SentinelOne)
SentinelOne cautions that the malware establishes persistence by installing a script masquerading as the Google software updater and registering it as a LaunchAgent. This script is executed every minute, serving as a beacon that transmits system information to the C2.
If the script acquires a payload, it can decode and execute it within the user’s context, subsequently erasing the file, granting the attacker prolonged access to the compromised system.
SentinelOne emphasizes that the SHub operator is enhancing the infostealer’s functionalities to include remote access to compromised devices, potentially facilitating the introduction of additional malware.
The researchers have provided a list of indicators of compromise (IoCs) to help defenders protect against the new SHub Reaper infostealer variant.
SentinelOne advises vigilance for suspicious outbound traffic subsequent to Script Editor execution, or the emergence of new LaunchAgents and affiliated files under the guise of reputable vendors.
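A defender-side check for the LaunchAgent persistence and the hunting advice described above, written here as an added example (it is not code from SentinelOne's report or from the malware): it parses LaunchAgent plists and flags agents that fire on a beacon-like interval, run a script from a user-writable location, or carry a vendor-like label (here "google") while pointing outside that vendor's real install paths. The 60-second threshold, the vendor path list, and the sample plist are all assumptions constructed for the example.

```python
import plistlib
from pathlib import Path

# Assumed thresholds (not from the report): beacon <= 60s; real Google updater paths below.
MAX_BEACON_INTERVAL = 60
VENDOR_PATHS = {"google": ("/Library/Google/", "/Applications/Google Chrome.app/")}
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def analyze_launchagent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing flagged."""
    findings = []
    p = plistlib.loads(plist_bytes)
    label = str(p.get("Label", "")).lower()
    args = p.get("ProgramArguments") or []
    target = p.get("Program") or (args[0] if args else "")
    # '/bin/zsh /path/script.sh' -> judge the script, not the interpreter
    if Path(target).name in ("sh", "zsh", "bash", "osascript") and len(args) > 1:
        target = args[-1]
    interval = p.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= MAX_BEACON_INTERVAL:
        findings.append(f"beacon-like StartInterval={interval}s")
    if target.startswith(USER_WRITABLE):
        findings.append(f"program in user-writable path: {target}")
    for vendor, paths in VENDOR_PATHS.items():
        if vendor in label and not target.startswith(paths):
            findings.append(f"label claims '{vendor}' but runs {target}")
    return findings

def scan_launchagents(directory: Path) -> dict:
    """Scan every .plist in a LaunchAgents folder; returns {path: findings} for flagged ones."""
    results = {}
    for path in directory.glob("*.plist"):
        findings = analyze_launchagent(path.read_bytes())
        if findings:
            results[str(path)] = findings
    return results

# Constructed sample modelled on the article's description; not a real indicator.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array><string>/bin/zsh</string>
    <string>/Users/alice/Library/Application Support/Google/update.sh</string></array>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>"""

if __name__ == "__main__":
    print("sample:", analyze_launchagent(SAMPLE_PLIST))
    for path, findings in scan_launchagents(Path.home() / "Library/LaunchAgents").items():
        print(path, findings)
```

Run on a Mac it walks the current user's LaunchAgents folder; system-wide agents under /Library/LaunchAgents can be checked by passing that path instead.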