Infection via Trusted Brand Disguises
A sophisticated variant of the SHub infostealer malware, identified by SentinelOne as ‘Reaper,’ is targeting macOS users by masquerading as a Google Software Update LaunchAgent. The attack chain begins with a counterfeit installer for popular apps like WeChat or Miro, distributed through a typo-squatted domain that impersonates Microsoft infrastructure. At each stage, the malware adopts a new trusted identity: the initial payload is presented as an Apple security update, while persistence relies on a directory that mimics Google’s own update system. This layered deception borrows three globally recognized technology brands within a single campaign, so that no individual stage looks out of place to a user who inspects it, and the threat is hard to spot without dedicated security tooling.
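The disguise described above is the kind of thing a LaunchAgent triage script can catch: an agent that trades on the Google name but runs its program from somewhere other than Google's real updater directory, or that launches an interpreter instead of a signed updater binary. The following is an added example written for this page, not code from SentinelOne or from the reporting it summarizes. It assumes, for illustration, that Google's genuine updater (Keystone) lives under /Library/Google/GoogleSoftwareUpdate/ or ~/Library/Google/GoogleSoftwareUpdate/; the two plists it inspects are constructed samples, not artifacts from the campaign, and the impostor label is invented.

```python
import plistlib
import posixpath
import re

# Where Google's real updater (Keystone) installs on macOS, system-wide or per user.
# Assumption for this example; confirm against a clean host before using it as a rule.
LEGIT_GOOGLE_PATH = re.compile(r"^(/Users/[^/]+)?/Library/Google/GoogleSoftwareUpdate/")

# Brand words a lookalike would put in its Label or program path.
BRAND_MARKERS = ("google", "keystone", "googlesoftwareupdate")

# Interpreters a genuine updater agent has no reason to launch directly.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "curl"}


def launch_agent_findings(plist_bytes: bytes) -> list[str]:
    """Return reasons a LaunchAgent plist looks like a Google-branded impostor.

    An empty list means nothing stood out (including agents that do not use the brand at all).
    """
    agent = plistlib.loads(plist_bytes)
    label = str(agent.get("Label", ""))
    args = [str(a) for a in agent.get("ProgramArguments", [])]
    program = str(agent.get("Program") or (args[0] if args else ""))

    branded = any(m in label.lower() for m in BRAND_MARKERS) or "google" in program.lower()
    if not branded:
        return []  # not trading on the Google brand; out of scope for this check

    findings = []
    if not LEGIT_GOOGLE_PATH.match(program):
        findings.append(
            f"label {label!r} claims Google but runs {program!r} outside the real updater directory"
        )
    if posixpath.basename(program) in INTERPRETERS:
        findings.append(f"program is an interpreter ({program}), arguments: {args[1:]}")
    return findings


# Constructed sample: a persistence agent that borrows the Google name but runs a shell script
# from a directory that merely imitates the updater's layout. Label and paths are invented.
IMPOSTOR_AGENT = plistlib.dumps({
    "Label": "com.google.GoogleSoftwareUpdate.agent",
    "ProgramArguments": [
        "/bin/sh", "-c",
        "/Users/alice/Library/Application Support/GoogleSoftwareUpdate/update.sh",
    ],
    "RunAtLoad": True,
})

# Constructed sample modelled on a genuine Keystone agent: program inside the real directory.
GENUINE_AGENT = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": [
        "/Users/alice/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle"
        "/Contents/MacOS/GoogleSoftwareUpdateAgent",
    ],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, blob in (("impostor", IMPOSTOR_AGENT), ("genuine", GENUINE_AGENT)):
        print(name, launch_agent_findings(blob) or "no findings")
```

To run this over a real host, feed it the bytes of each file in ~/Library/LaunchAgents and /Library/LaunchAgents; the path check is deliberately narrow, so pair it with a code-signature check on the program before treating a hit as conclusive.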
Persistence and Evasion Techniques
Reaper employs advanced evasion tactics to gain and maintain access on infected machines. Rather than the usual ClickFix lure, which has the victim paste a command into Terminal, it has the victim paste AppleScript into Script Editor, and that script delivers the initial shell script; routing execution through Script Editor sidesteps the mitigations Apple added to Terminal. The malicious command is constructed dynamically and padded with base64-encoded strings so that the harmful part sits below the visible portion of the Script Editor window. To avoid running in certain regions, the malware inspects the victim’s locale by querying the com.apple.HIToolbox.plist file for Russian-language input sources. If the host appears to be in a Commonwealth of Independent States region, it sends a ‘cis_blocked’ event to its command and control server and exits without further activity. This behavior indicates deliberate geographic filtering by the attackers.
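The locale gate above is simple enough to reproduce, which is useful both for understanding what the sample reads and for predicting which analysis hosts it will abort on. The following is an added example for this page, not the malware's code and not code from SentinelOne: it parses the structure macOS uses in com.apple.HIToolbox.plist (an AppleEnabledInputSources array of dictionaries carrying a KeyboardLayout Name) and returns the same two outcomes the article describes. The page reports a check for Russian-language input sources only; the additional layout names are an assumption that extends the idea, and the two plists are constructed, not captured from a real Mac.

```python
import pathlib
import plistlib

# Keyboard layouts associated with CIS locales. Reaper is reported to look for Russian-language
# input sources; the other names are an assumption that extends the same gate.
CIS_LAYOUT_MARKERS = ("russian", "ukrainian", "belarusian", "kazakh")


def enabled_layout_names(plist_bytes: bytes) -> list[str]:
    """Names of keyboard layouts listed under AppleEnabledInputSources in a HIToolbox plist."""
    prefs = plistlib.loads(plist_bytes)
    names = []
    for source in prefs.get("AppleEnabledInputSources", []):
        name = source.get("KeyboardLayout Name")
        if name:
            names.append(str(name))
    return names


def geofence_decision(plist_bytes: bytes) -> str:
    """Re-implementation of the gate: 'cis_blocked' if any enabled layout matches, else 'continue'."""
    for name in enabled_layout_names(plist_bytes):
        if any(marker in name.lower() for marker in CIS_LAYOUT_MARKERS):
            return "cis_blocked"
    return "continue"


# Constructed HIToolbox preference contents, not taken from a real host.
HITOOLBOX_RU = plistlib.dumps({
    "AppleEnabledInputSources": [
        {"InputSourceKind": "Keyboard Layout", "KeyboardLayout Name": "U.S."},
        {"InputSourceKind": "Keyboard Layout", "KeyboardLayout Name": "Russian"},
    ],
})
HITOOLBOX_US = plistlib.dumps({
    "AppleEnabledInputSources": [
        {"InputSourceKind": "Keyboard Layout", "KeyboardLayout Name": "U.S."},
    ],
})

if __name__ == "__main__":
    # On a real Mac the file the sample reads is ~/Library/Preferences/com.apple.HIToolbox.plist;
    # fall back to the constructed sample when run elsewhere.
    real = pathlib.Path.home() / "Library/Preferences/com.apple.HIToolbox.plist"
    blob = real.read_bytes() if real.exists() else HITOOLBOX_RU
    print(enabled_layout_names(blob), "->", geofence_decision(blob))
```

Because the sample exits after the ‘cis_blocked’ beacon, an analysis host with such a layout enabled will yield the C2 contact but none of the stealer behaviour; keep one sandbox without it, and expect the condition to change between variants.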
Source: Cyber Security News
