Fake CleanMyMac Website Distributes SHub Stealer Malware: Cybersecurity Alert
Malicious Website Impersonates CleanMyMac to Distribute SHub Stealer Malware
A malicious website impersonating the popular macOS utility CleanMyMac has been used to distribute the SHub Stealer malware, according to a recent analysis by Malwarebytes Labs.
Malware Distribution and Evasion Techniques
The fake website, served from the domain cleanmymacos[.]org, has evaded detection by most security vendors. It relies on the ClickFix technique, which tricks visitors into copying and running a command themselves, to get the malware executed on the victim's Mac.
SHub Stealer Malware Capabilities
Once installed on a Mac that has no Russian-language keyboard layout configured, SHub Stealer harvests a wide range of sensitive data, including:
- passwords
- cookies
- autofill information from Safari and 14 Chromium-based browsers
- data from 102 different cryptocurrency wallet extensions
- iCloud account data
- macOS Keychain directory
- Telegram session files
- Apple Notes database
- other sensitive information
Persistence and Evasion Techniques
Further analysis revealed that SHub Stealer replaces a legitimate cryptocurrency wallet app with a trojanized copy, giving it persistence on the compromised system. It also installs a LaunchAgent disguised as a Google update service, so that the malware is relaunched at every login and the compromise persists long-term.
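A LaunchAgent that borrows a Google-updater label but points at a program outside the paths Google software actually uses is a simple, high-signal thing for a defender to look for. The script below is an added example written for this page, not code from Malwarebytes Labs or from the malware analysis; it parses LaunchAgent plists, flags labels that mimic a Google update or Keystone component whose program path is not under a Google install directory, and runs itself against two constructed sample plists (one benign, one suspicious). The set of "legitimate" path prefixes is an assumption for illustration and should be tuned to your fleet.

```python
"""Flag LaunchAgents that masquerade as Google update services.

Added defensive example; the path allow-list below is an assumption,
not something taken from the Malwarebytes analysis.
"""
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def program_path(plist: dict) -> Optional[str]:
    """Return the executable a LaunchAgent starts (ProgramArguments[0] or Program)."""
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    prog = plist.get("Program")
    return str(prog) if prog else None


def is_google_lookalike(label: str) -> bool:
    """True if the job label reads like a Google updater / Keystone component."""
    lowered = label.lower()
    return "google" in lowered and ("update" in lowered or "keystone" in lowered)


def looks_legitimate(path: str) -> bool:
    """Assumed allow-list: real Google updater binaries live under a
    Library/Google directory (system-wide or per-user) or inside Chrome.app."""
    return "/Library/Google/" in path or path.startswith("/Applications/Google Chrome.app/")


def scan_launch_agents(directory: Path) -> List[Dict]:
    """Parse every *.plist in `directory` and report Google-lookalike jobs
    whose program is outside the allow-listed locations (or missing)."""
    findings: List[Dict] = []
    for plist_file in sorted(directory.glob("*.plist")):
        try:
            with plist_file.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # malformed plist is itself worth a look
            findings.append({"file": plist_file.name, "label": None,
                             "program": None, "reason": f"unparseable plist: {exc}"})
            continue
        label = str(data.get("Label", ""))
        prog = program_path(data)
        if is_google_lookalike(label) and (prog is None or not looks_legitimate(prog)):
            findings.append({"file": plist_file.name, "label": label, "program": prog,
                             "reason": "Google-updater label but program outside Google paths"})
    return findings


def demo() -> List[Dict]:
    """Write two constructed sample LaunchAgents to a temp dir and scan them."""
    benign = {  # constructed: label and path shaped like a real Keystone agent
        "Label": "com.google.keystone.agent",
        "ProgramArguments": [
            "/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/"
            "Contents/MacOS/GoogleSoftwareUpdateAgent", "-runMode", "ifneeded"],
        "RunAtLoad": True,
    }
    suspicious = {  # constructed: Google-style label, program hidden under Application Support
        "Label": "com.google.update.agent",
        "ProgramArguments": ["/Users/alice/Library/Application Support/.cache/update.sh"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp)
        for data in (benign, suspicious):
            with (agents / (data["Label"] + ".plist")).open("wb") as fh:
                plistlib.dump(data, fh)
        return scan_launch_agents(agents)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['file']}: {hit['reason']} ({hit['program']})")
```

On a real host you would point `scan_launch_agents` at `~/Library/LaunchAgents` and `/Library/LaunchAgents`; the label heuristic is deliberately narrow so that the allow-list, not the keyword match, carries the decision.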
Importance of Vigilance and Caution
The fact that the malicious domain cleanmymacos[.]org has not been flagged as malicious by most security vendors underscores the need for users to remain cautious when downloading software from the internet.
Conclusion and Recommendations
The SHub Stealer malware is a significant threat to macOS users, and its ability to compromise sensitive data and maintain persistence on infected systems makes it a formidable tool in the hands of malicious actors. Users are advised to exercise extreme caution when interacting with online content and to ensure that their systems are protected by up-to-date security software.
