A deceptive website mimicking the legitimate Mac utility CleanMyMac is actively distributing a macOS information stealer known as SHub Stealer. This counterfeit site, located at cleanmymacos[.]org, is in no way affiliated with the authentic CleanMyMac software or its developer, MacPaw.
How SHub Stealer Operates
Once the SHub Stealer infiltrates a system, it extracts valuable data such as saved passwords, browser information, Apple Keychain contents, cryptocurrency wallet files, and Telegram session data. The attack utilizes a technique called ClickFix, which tricks users into executing a seemingly legitimate command in Terminal.
This command executes three actions: it displays a fake MacPaw link, decodes a concealed base64 URL to hide its true target, and downloads a malicious shell script from the attacker’s server. Because the user initiates the command, macOS security measures like Gatekeeper, XProtect, and notarization checks are largely ineffective against this threat.
Research and Findings by Malwarebytes
Malwarebytes researchers have thoroughly investigated this campaign, identifying SHub as part of a growing family of AppleScript-based macOS infostealers, which also includes MacSync Stealer and Odyssey Stealer. Notably, SHub exhibits advanced features, such as per-victim tracking identifiers, geofencing capabilities, and the ability to permanently compromise installed cryptocurrency wallet applications.
Before executing its main payload, SHub checks for the presence of a Russian-language keyboard. If detected, it signals the attacker’s server with a cis_blocked event and exits without stealing any data. This behavior is typical of malware associated with Russian-speaking cybercriminals who avoid targeting devices in countries of the Commonwealth of Independent States to evade local law enforcement scrutiny.
Impact on Cryptocurrency Wallets
SHub Stealer poses a unique threat due to its post-theft actions. If specific cryptocurrency wallet applications are detected on the infected system, SHub replaces each app’s core logic with a backdoored version. This altered application appears normal but secretly exfiltrates credentials.
The affected wallets include Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite. These applications are built on the Electron framework; SHub replaces their core file, app.asar, with a compromised version, strips the application's existing code signature, and re-signs the bundle so that macOS still accepts it.
Users of Exodus and Atomic Wallet unknowingly send their passwords and seed phrases to wallets-gate[.]io/api/injection with each wallet unlock. The other affected wallets are tampered with in similar ways, exfiltrating sensitive data to the same endpoint through fake interfaces or disabled security validations.
Protective Measures and Recommendations
Users who encountered the Terminal command on the fraudulent cleanmymacos[.]org site should not run it and should close the page. Anyone who has already executed it should take immediate action and delete the com.google.keystone.agent.plist file from ~/Library/LaunchAgents/ if present.
Additionally, users should inspect ~/Library/Application Support/Google/ for the GoogleUpdate.app folder and remove it if found. Those with the five targeted wallet applications should consider their seed phrases exposed and transfer funds to a new wallet on a secure device. Changing macOS login passwords and Keychain credentials, as well as revoking and regenerating any API or SSH keys, is also advised.
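One way to carry out the checks above on a Mac, as an added example that is not code from the article or from Malwarebytes: a POSIX shell script that reports, and never deletes, the two persistence artifacts and lists which of the targeted wallet bundles are installed. The function names, the directory parameters and the wallet bundle filenames are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): report-only checks for the SHub
# persistence artifacts and targeted wallet bundles. Nothing is deleted.

# Report the two persistence artifacts under the home directory given as $1
# (default: $HOME). Returns the number of artifacts found (0, 1 or 2).
shub_check_home() {
    home="${1:-$HOME}"
    plist="$home/Library/LaunchAgents/com.google.keystone.agent.plist"
    appdir="$home/Library/Application Support/Google/GoogleUpdate.app"
    found=0
    if [ -f "$plist" ]; then
        printf 'FOUND launch agent: %s\n' "$plist"
        # Google's legitimate Keystone updater installs a plist with this same
        # name, so show what the agent launches before deciding to remove it
        # (assumes an XML plist; a binary plist prints nothing here).
        grep -A 4 'ProgramArguments' "$plist" 2>/dev/null | sed 's/^/    /'
        found=$((found + 1))
    else
        printf 'clean: %s\n' "$plist"
    fi
    if [ -d "$appdir" ]; then
        printf 'FOUND app bundle: %s\n' "$appdir"
        found=$((found + 1))
    else
        printf 'clean: %s\n' "$appdir"
    fi
    return $found
}

# List which of the targeted wallet bundles exist under the Applications
# directory given as $1 (default: /Applications); the bundle filenames are
# assumptions. Returns the number of installed targeted wallets.
shub_list_wallets() {
    apps="${1:-/Applications}"
    n=0
    for name in "Exodus.app" "Atomic Wallet.app" "Ledger Wallet.app" \
                "Ledger Live.app" "Trezor Suite.app"; do
        if [ -d "$apps/$name" ]; then
            printf 'targeted wallet installed, treat its seed phrase as exposed: %s\n' "$apps/$name"
            n=$((n + 1))
        fi
    done
    return $n
}

# Run both checks against the real paths; the printed lines are the report.
shub_check_home || :
shub_list_wallets || :
```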
