EXECUTIVE SUMMARY
Threat actors behind the SHub Reaper campaign have been observed deploying a macOS stealer that employs a multi-stage execution chain to evade detection and bypass security controls. The campaign targets various sectors and regions, with a primary goal of data theft, particularly focusing on credentials, cryptocurrency wallets, and business-related files. The attackers use fake application installers, including WeChat and Miro, as lures to trick victims into executing the malware. The infection chain shifts its disguise at each stage, using a combination of Apple, Google, and Microsoft branding to evade suspicion.
The malware infects systems by leveraging the applescript:// URL scheme to launch the macOS Script Editor, pre-populated with the malicious payload. Once executed, the script prompts the user to supply their login password, which is scraped and used to decrypt various credentials. The malware then targets data from popular browsers, including Chrome, Firefox, and Edge, as well as browser extensions and desktop wallet applications. Additionally, the Reaper build includes a Filegrabber routine that searches for files likely to contain business or financial value and uploads them to the attacker's C2 server in chunked uploads. The malware establishes persistence and installs a backdoor, allowing the attackers to maintain control and exfiltrate data at will.
The SHub Reaper campaign is significant due to its multi-stage execution chain and ability to evade detection. The use of fake application installers and a multi-stage infection chain makes it difficult for defenders to identify and respond to the threat. The attackers' focus on credential and data theft, as well as their use of chunked uploads and persistence mechanisms, highlights the need for organizations to prioritize robust endpoint protection, regular patching, and monitoring. Defenders should be vigilant for suspicious AppleScript or osascript activity, unexpected outbound traffic following Script Editor execution, or the unexpected creation of LaunchAgents or related files in namespaces associated with trusted vendors.
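The last point above (unexpected LaunchAgents in vendor namespaces, and persistence that routes through osascript) can be turned into a simple triage check. The following is an added example written for this summary, not code from the referenced reports: it parses LaunchAgent plists and flags entries that run a script interpreter, mention osascript or curl in their arguments, or carry an Apple/Google/Microsoft-style label while pointing at a program outside the install locations those vendors use. The vendor path prefixes, the interpreter list, and both sample plists are assumptions constructed for the example, not indicators taken from the page.

```python
"""Triage helper for macOS LaunchAgent plists (added example, not from the reports).

Scores each plist on three signals a masquerading stealer persistence entry tends
to show: a script interpreter as the program, osascript/curl in the argument list,
and a vendor-style Label whose program lives outside that vendor's real paths.
"""
import os
import plistlib
import re
from typing import Dict, List

# Assumed: directories where the impersonated vendors legitimately install binaries.
VENDOR_PREFIXES = {
    "com.apple.": ("/System/", "/usr/", "/Applications/", "/Library/Apple/"),
    "com.google.": ("/Applications/", "/Library/Google/", "/Library/Application Support/Google/"),
    "com.microsoft.": ("/Applications/", "/Library/Application Support/Microsoft/"),
}

# Interpreters that a multi-stage stealer commonly chains through for persistence.
SCRIPT_INTERPRETERS = re.compile(r"(^|/)(osascript|bash|sh|zsh|python3?|curl)$")
STAGING_PATH_HINTS = ("/tmp/", "/var/folders/", "/.")


def program_of(plist: dict) -> List[str]:
    """Return the command line launchd would execute for this agent."""
    if "ProgramArguments" in plist:
        return [str(a) for a in plist["ProgramArguments"]]
    if "Program" in plist:
        return [str(plist["Program"])]
    return []


def triage_launch_agent(raw: bytes) -> List[str]:
    """Return human-readable findings for one plist; an empty list means no signal fired."""
    plist = plistlib.loads(raw)
    label = str(plist.get("Label", ""))
    argv = program_of(plist)
    if not argv:
        return [f"{label or '<no label>'}: no Program/ProgramArguments (malformed or unusual agent)"]
    exe = argv[0]
    findings = []
    if SCRIPT_INTERPRETERS.search(exe):
        findings.append(f"{label}: persists via script interpreter {exe!r}")
    # Look past argv[0]: 'sh -c "osascript ..."' hides the interesting part in the arguments.
    joined = " ".join(argv[1:])
    if re.search(r"\bosascript\b|\bcurl\b", joined):
        findings.append(f"{label}: arguments reference osascript/curl: {joined!r}")
    for prefix, allowed in VENDOR_PREFIXES.items():
        if label.startswith(prefix) and not exe.startswith(allowed):
            findings.append(f"{label}: vendor-style label but program {exe!r} is outside {allowed}")
    if plist.get("RunAtLoad") and any(hint in exe for hint in STAGING_PATH_HINTS):
        findings.append(f"{label}: RunAtLoad program in temp or hidden path {exe!r}")
    return findings


def triage_directory(directory: str) -> Dict[str, List[str]]:
    """Run the check over every .plist in a LaunchAgents directory; keys are file names."""
    results: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                results[name] = triage_launch_agent(fh.read())
            except Exception as exc:  # unreadable/binary-corrupt plist is itself worth a look
                results[name] = [f"{name}: could not parse plist ({exc})"]
    return results


# Constructed samples for the example (not IoCs from the page).
SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdated.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>osascript ~/Library/Application Support/.update/run.scpt</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage_launch_agent(raw) or ["no findings"])
    user_agents = os.path.expanduser("~/Library/LaunchAgents")
    if os.path.isdir(user_agents):
        for fname, hits in triage_directory(user_agents).items():
            if hits:
                print(fname, hits)
```

Run it on a live host with `python3 triage_agents.py` to print findings for the two embedded samples and then for `~/Library/LaunchAgents`; the vendor prefix table is deliberately conservative and should be extended with the paths your own fleet's legitimate agents use before treating a "vendor-style label" hit as more than a lead.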
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.002 | Command and Scripting Interpreter | AppleScript |
| Persistence | T1543.001 | Create or Modify System Process | Launch Agent |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Credential Access | T1555.004 | Credentials from Password Stores | Windows Credential Manager |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol | Exfiltration Over Unencrypted Non-C2 Protocol |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/shub-reaper-macos-infostealer-applescript-mitigation-bypass/
https://www.sentinelone.com/blog/shub-reaper-macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain/