A newly identified variant of the SHub macOS infostealer, referred to as “Reaper,” is gaining attention for its advanced capabilities, including stealthier delivery mechanisms, improved data theft strategies, and a persistence tactic that masquerades as a legitimate Google software update. This evolution of the SHub variant demonstrates how quickly malware can adapt and become more sophisticated in executing its malicious activities.
Reaper continues the legacy of the SHub family by employing fake application installers, notably disguising itself as downloads for popular applications such as WeChat and Miro. However, what sets Reaper apart is its distinctive infection chain, which evolves at each stage of the attack. Victims may find themselves initially directed to typo-squatted domains, exemplified by web addresses resembling reputable sites like Microsoft [.]co[.]com. Upon access, these domains aim to execute what appears to be an Apple security update, luring victims into a false sense of security.
A notable feature of the Reaper variant is its abandonment of traditional “ClickFix” tactics that require the victim to paste commands into the Terminal. Instead, it abuses the applescript:// URL scheme, which lets it operate more covertly. Security researchers at SentinelOne, who issued a detailed report on this malware shared with GBhackers, noted that this shift reflects a broader movement within macOS-targeted malware: such tools increasingly combine layered social engineering with fileless execution techniques to evade conventional security controls.
Once the malicious link is opened, it automatically launches macOS’s Script Editor preloaded with the harmful script. To obscure the true nature of the attack, the visible content is padded with benign text and ASCII art that hides the actual malicious payload. When the script runs, it displays a fake XProtect update notification while silently decoding and executing a Base64-encoded command that retrieves and runs a remote shell script using ‘curl’ and ‘zsh’.
A distinctive feature of Reaper is its built-in checks that prevent it from infecting systems in specific regions. For instance, if the malware detects Russian language indicators in the macOS input settings, it exits immediately and reports a “cis_blocked” status to its command-and-control (C2) server.
Furthermore, the lure websites associated with Reaper employ extensive fingerprinting techniques to gather data prior to delivering the malicious payload. This includes tracking the user’s IP address and geolocation, WebGL fingerprinting, and identifying whether the potential victim is using VPNs or virtual machines. The websites also enumerate browser extensions, particularly focusing on password managers and cryptocurrency wallets.
The collected data is exfiltrated through a Telegram bot, while the sites utilize multiple anti-analysis defenses. These measures include blocking developer tool access, overriding console functions, and launching infinite debugger loops to stall any detection efforts.
In a significant part of the attack, the AppleScript employed by Reaper prompts users for their macOS passwords under the pretext of a system request. These credentials are then harvested to access sensitive information, including entries stored in Keychain and browser-based secrets.
Reaper’s target list is notably extensive, encompassing browsers (Chrome, Safari, Firefox, Edge, Brave, Opera, Vivaldi, Arc, Orion), cryptocurrency wallets (Exodus, Atomic, Ledger Live, Electrum, and Trezor Suite), and messaging platforms (particularly Telegram session data). A new feature of the malware is an AMOS-style Filegrabber module, which scans users’ Desktop and Documents folders for valuable files, including formats like .docx, .xlsx, .json, .wallet, and .rdp, and can stage up to 150 MB of data. When the archive exceeds that limit, Reaper splits it into 70 MB segments for exfiltration over HTTP requests.
In addition to data theft, Reaper is actively designed to tamper with cryptocurrency wallets. It replaces core application files, such as app.asar, with trojanized counterparts downloaded from the C2 server. This operation circumvents macOS Gatekeeper protections using commands like xattr -cr and spontaneous code signing, allowing continual interception of cryptocurrency wallet activities.
One of the most concerning innovations of the Reaper variant is its persistence mechanism, which creates a directory that mimics Google’s update infrastructure. Specifically, it operates within the path ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/, where it installs a malicious script named GoogleUpdate. To maintain its foothold, it registers this with a LaunchAgent file named com.google.keystone.agent.plist, which runs the script every 60 seconds, effectively acting as a beacon to the C2 server. If the server supplies new instructions, the malware executes them dynamically, securing long-term access to the infected system and turning it into a persistent backdoor.
The flexibility and sophistication showcased by Reaper illustrate a worrying trend in macOS malware evolution, moving beyond mere infostealers into multifaceted, persistent threats. As attackers combine social engineering, fileless execution tactics, and trusted brand impersonations, the likelihood of evading both user vigilance and automated security tools significantly increases.
In light of these developments, those responsible for cybersecurity should concentrate on monitoring behaviors that indicate potential Reaper activity. This includes tracking unexpected Script Editor or osascript activity, identifying suspicious outbound connections immediately after script execution, and scrutinizing the creation of LaunchAgents that use trusted vendor namespaces, as in the com.google.keystone.agent.plist example above. Attention should also be given to any unauthorized alterations to wallet application files, as these can serve as critical indicators of compromise.
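The LaunchAgent check described in the two paragraphs above can be turned into a small hunting script. The following is an added defender example, not code from the article or from SentinelOne’s report: it parses every plist in a LaunchAgents directory and flags agents whose label sits in a trusted vendor namespace but whose program runs from somewhere other than that vendor’s known-good location, agents with a short beacon-like StartInterval, and agents that invoke a script interpreter or carry a long Base64-looking argument. The vendor prefixes, the known-good Google path fragment, the 300-second threshold, and the sample plists it writes to a temporary directory are all constructed assumptions; confirm the known-good paths against a clean host before relying on them.

```python
"""Audit per-user LaunchAgents for vendor-namespace impersonation.
Added defender example; assumptions are marked in comments."""
import os
import plistlib
import re
import tempfile
from pathlib import Path

# Vendor label namespaces worth checking for impersonation (assumed list).
VENDOR_PREFIXES = ("com.google.", "com.apple.", "com.microsoft.", "com.adobe.")
# Known-good program path fragment per vendor. The Google entry is an
# assumption to verify on a clean machine; extend from your own baseline.
KNOWN_GOOD_PATHS = {"com.google.": ("/Library/Google/GoogleSoftwareUpdate/",)}
# Interpreters the infection chain is reported to abuse.
SCRIPT_INTERPRETERS = {"osascript", "curl", "zsh", "bash", "sh"}
# StartInterval at or below this many seconds is treated as beacon-like (assumed).
MAX_BEACON_INTERVAL = 300
# Long run of Base64 alphabet characters inside an argument.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def audit_plist(data: dict, home: str = None) -> list:
    """Return human-readable findings for one parsed LaunchAgent dict."""
    findings = []
    home = home or str(Path.home())
    label = str(data.get("Label", ""))
    args = list(data.get("ProgramArguments") or [])
    if not args and "Program" in data:
        args = [data["Program"]]
    program = args[0] if args else ""

    prefix = next((p for p in VENDOR_PREFIXES if label.startswith(p)), None)
    if prefix and program:
        good = KNOWN_GOOD_PATHS.get(prefix)
        if good and not any(frag in program for frag in good):
            findings.append(f"{label}: program {program} is outside the vendor's known-good location")
        elif not good and program.startswith(home):
            findings.append(f"{label}: vendor-namespaced agent runs from the user's home directory")

    interval = data.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= MAX_BEACON_INTERVAL:
        findings.append(f"{label}: StartInterval {interval}s is beacon-like")

    if program and os.path.basename(program) in SCRIPT_INTERPRETERS:
        findings.append(f"{label}: agent invokes {os.path.basename(program)} directly")
    if any(BASE64_BLOB.search(str(a)) for a in args[1:]):
        findings.append(f"{label}: ProgramArguments contain a long Base64-like blob")
    return findings


def audit_directory(directory, home: str = None) -> dict:
    """Parse every .plist in directory and map file name -> findings."""
    results = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # a malformed plist is itself worth a look
            results[path.name] = [f"unparseable plist: {exc}"]
            continue
        results[path.name] = audit_plist(data, home)
    return results


def write_sample_agents(directory) -> None:
    """Write constructed sample plists: one modelled on the persistence
    described in the article, one osascript beacon, and one benign agent."""
    samples = {
        "com.google.keystone.agent.plist": {
            "Label": "com.google.keystone.agent",
            "ProgramArguments": ["/Users/victim/Library/Application Support/Google/"
                                 "GoogleUpdate.app/Contents/MacOS/GoogleUpdate"],
            "RunAtLoad": True,
            "StartInterval": 60,
        },
        "com.apple.helper.plist": {  # constructed, not a real Apple agent
            "Label": "com.apple.helper",
            "ProgramArguments": ["/usr/bin/osascript", "-e",
                                 'do shell script "echo ' + "Q" * 48 + ' | base64 -d | zsh"'],
            "StartInterval": 120,
        },
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup", "--nightly"],
            "StartInterval": 86400,
        },
    }
    for name, data in samples.items():
        with open(Path(directory) / name, "wb") as fh:
            plistlib.dump(data, fh)


def demo() -> dict:
    """Run the audit over the constructed samples in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_agents(tmp)
        return audit_directory(tmp, home="/Users/victim")


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "->", found or ["clean"])
```

On a real host, call audit_directory(Path.home() / "Library/LaunchAgents") and review anything it reports; the path check only triages, so a legitimate vendor agent installed somewhere unusual will also surface and should be confirmed by inspecting the program’s code signature.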
Overall, the emergence of the Reaper variant exposes the ongoing evolution of malware in the macOS ecosystem, highlighting the need for continuous advancements in defense mechanisms to counter these malicious threats effectively.