Fake CleanMyMac site facilitates SHub Stealer malware injection

Malware, Threat Intelligence

Cybernews reports that the website of the widely used macOS utility CleanMyMac has been impersonated to deploy the SHub Stealer malware, which not only compromises saved credentials, cryptocurrency wallets, and other data but also maintains a backdoor for persistence.

Malicious actors have used the cleanmymacos[.]org domain, which a majority of security vendors have not flagged as malicious, to deceive users into executing the malware as part of the ClickFix attack technique, an analysis from Malwarebytes Labs showed. Once executed on Macs without a Russian-language keyboard, SHub Stealer steals passwords, cookies, and autofill data from Safari and 14 Chromium browsers, as well as from 102 different cryptocurrency wallet extensions, and also exfiltrates iCloud account data, the macOS Keychain directory, Telegram session files, the Apple Notes database, and other sensitive information.

Additional findings revealed that SHub replaces a cryptocurrency wallet app with an illicit copy to ensure persistence, and injects a LaunchAgent spoofing a Google update service for long-term compromise.
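A defender-side check for the LaunchAgent persistence the article mentions, added here as an example and not code from the article, Cybernews or Malwarebytes Labs: it parses launchd agent plists and flags ones whose label borrows a Google updater name while the program runs from outside Google's directories, runs from a temp or hidden directory, or combines RunAtLoad with KeepAlive. The allow-listed directories, the heuristics, the home path and the two sample plists are assumptions constructed for the demo, not artifacts from the campaign.

```python
import plistlib

# Heuristic allow-list of where a genuine Google updater runs from (an assumption for illustration).
EXPECTED_GOOGLE_DIRS = ("/Library/Google/", "/Applications/Google Chrome.app/")
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

def launch_agent_findings(plist_bytes: bytes, home: str = "/Users/alice") -> list[str]:
    """Return reasons a LaunchAgent plist looks like a spoofed updater (empty list = clean)."""
    try:
        agent = plistlib.loads(plist_bytes)
    except plistlib.InvalidFileException:
        return ["plist does not parse"]
    label = str(agent.get("Label", "")).lower()
    # Collect every absolute or ~-relative path in Program/ProgramArguments, so a payload
    # launched via `/bin/sh -c` is still examined.
    tokens = [str(agent.get("Program") or "")] + [str(a) for a in agent.get("ProgramArguments") or []]
    paths = [t.replace("~/", home + "/", 1) for tok in tokens for t in tok.split() if t.startswith(("/", "~/"))]
    program = paths[0] if paths else ""
    findings = []
    # 1. Label borrows a Google name but the executable lives outside Google's directories.
    allowed = EXPECTED_GOOGLE_DIRS + (home + "/Library/Google/",)
    if "google" in label and not program.startswith(allowed):
        findings.append(f"label {label!r} claims Google but runs {program!r}")
    # 2. A referenced path sits in a temp/shared directory or under a hidden (dot) directory.
    for p in paths:
        if p.startswith(SUSPICIOUS_DIRS) or any(part.startswith(".") for part in p.split("/")[:-1]):
            findings.append(f"path {p!r} is in a temp or hidden directory")
    # 3. Auto-start plus restart-on-exit is the usual persistence combination.
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive: relaunched at login and after being killed")
    return findings

def scan_launch_agents(plists: dict[str, bytes]) -> dict[str, list[str]]:
    # Map each plist filename to its findings, dropping clean ones.
    return {name: hits for name, data in plists.items() if (hits := launch_agent_findings(data))}

# Constructed sample plists for the demo; not real artifacts from the campaign.
SAMPLES = {
    "com.google.keystone.agent.plist": plistlib.dumps({
        "Label": "com.google.keystone.agent",
        "ProgramArguments": ["/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdateAgent"],
        "RunAtLoad": True}),
    "com.google.update.plist": plistlib.dumps({
        "Label": "com.google.update",
        "ProgramArguments": ["/bin/sh", "-c", "~/.config/.gupdate/agent"],
        "RunAtLoad": True, "KeepAlive": True}),
}
if __name__ == "__main__":
    for name, hits in scan_launch_agents(SAMPLES).items():
        print(name, *("  - " + h for h in hits), sep="\n")
```

On a real host, feed it the bytes of each file under ~/Library/LaunchAgents and /Library/LaunchAgents; treat a hit as a lead to examine, not a verdict.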
