A new variant of the SHub infostealer malware, dubbed “Reaper,” is targeting macOS users by deploying a fake Google Software Update LaunchAgent to establish persistent, stealthy access on compromised systems. The attack chain exploits trust in three major technology brands—Apple, Google, and Microsoft—in a single, multi-stage infection that evades standard detection.
Multi-Stage Infection Chain Exploits Brand Trust
Reaper initially lures victims through counterfeit installers for popular applications like WeChat or Miro, hosted on a typo-squatted Microsoft domain (mlcrosoft[.]co[.]com). Once executed, the payload disguises itself as an Apple security update, leveraging AppleScript to bypass standard Terminal mitigations entirely.
The malicious command is dynamically constructed using base64-encoded strings and routed through Script Editor, keeping the payload hidden below the visible portion of the application window. This technique circumvents Apple’s built-in protections that flag direct Terminal execution.
Persistence via Fake Google Keystone Service
After initial execution, Reaper establishes persistence by creating a directory structure that mimics Google’s legitimate Keystone update service. It places a base64-decoded bash script named GoogleUpdate in `~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/` and registers a LaunchAgent using `com.google.keystone.agent.plist`.
This LaunchAgent executes the script silently every 60 seconds, sending system telemetry to the attacker’s `/api/bot/heartbeat` endpoint. If the server returns a “code” payload, the script decodes it, writes it to `/tmp/.c.sh`, executes it with user privileges, and deletes the file—providing a trace-free remote execution channel.
Data Theft and Anti-Analysis Capabilities
Reaper includes a FileGrabber routine that scans Desktop and Documents folders for high-value files, targeting `.docx`, `.wallet`, `.key`, `.json`, and `.rdp` extensions, along with images under 1MB and documents under 5MB. Collected data is staged in `/tmp/shub_random/`, split into 10MB chunks, and exfiltrated via curl.
The malware also targets cryptocurrency desktop applications including Exodus, Atomic, Ledger Live, and Trezor Suite, while harvesting browser credentials and developer keystrokes. It overrides console functions and runs a continuous debugger loop to obstruct security analysis, displaying a Russian-language access denied message if DevTools are opened.
What This Means for Enterprise Defenders
SentinelOne’s analysis confirms that Reaper represents a significant evolution in macOS malware, leveraging trusted brand identities at every stage of the infection chain. Organizations should monitor for unexpected AppleScript activity, unusual outbound connections following Script Editor execution, and new LaunchAgents in namespaces tied to trusted software vendors. Users must be reminded that Apple never prompts manual Script Editor execution via web pages—a critical behavioral indicator for security awareness training.
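The persistence mechanism described above (a LaunchAgent in a trusted vendor's label namespace whose program lives under the user-writable Application Support tree and polls every 60 seconds) is something a defender can triage with a short script. The following is an added example written for this article, not code from SentinelOne, Cyber Security News, or the malware itself. The two embedded plists are constructed samples: one shaped like the fake Keystone agent the article describes, one benign. The user-writable path pattern, the vendor prefix list and the `read_program` hook are my own heuristics and assumptions, and the legitimate Keystone layout should be baselined from a clean install rather than taken from this script.

```python
"""Triage user LaunchAgents for vendor-namespace labels that launch
user-writable programs, the pattern the fake Google Keystone agent uses.
Added example with constructed samples; heuristics are assumptions."""
import plistlib
import re
from pathlib import Path

# Label prefixes of the vendors whose names the article says the malware borrows.
TRUSTED_VENDOR_PREFIXES = ("com.apple.", "com.google.", "com.microsoft.")

# Locations the user (and so malware running as the user) can write to.
# Constructed heuristic, not a vendor-published list.
USER_WRITABLE = re.compile(
    r"^(?:~|/Users/[^/]+)/Library/Application Support/|^/(?:private/)?tmp/"
)

# Path fragments the article gives as indicators of the fake Keystone layout.
KNOWN_BAD_SUBSTRINGS = (
    "Application Support/Google/GoogleUpdate.app/Contents/MacOS/",
    "/tmp/.c.sh",
)

# Constructed sample shaped like the agent the article describes (not a capture).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>"""

# Constructed benign sample: a developer's own hourly job outside any vendor namespace.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""


def program_of(plist: dict) -> str:
    """Return the executable the agent launches (Program, else ProgramArguments[0])."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def _read_head(path: str):
    """First bytes of the program on disk, or None if it cannot be read."""
    try:
        with open(Path(path).expanduser(), "rb") as fh:
            return fh.read(4)
    except OSError:
        return None


def assess_launch_agent(data: bytes, read_program=None) -> dict:
    """Parse one plist and return its label, program and a list of findings.
    read_program(path) -> bytes|None overrides the on-disk read so the
    script-vs-binary check can be exercised without touching the filesystem."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    program = program_of(plist)
    findings = []
    vendor_label = label.startswith(TRUSTED_VENDOR_PREFIXES)
    if vendor_label and USER_WRITABLE.search(program):
        findings.append("vendor-namespace label launches a user-writable program")
    for marker in KNOWN_BAD_SUBSTRINGS:
        if marker in program:
            findings.append(f"program path matches reported indicator: {marker}")
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval <= 60:
        findings.append(f"aggressive StartInterval of {interval}s")
    head = read_program(program) if read_program else _read_head(program)
    if vendor_label and head is not None and head.startswith(b"#!"):
        findings.append("program is a shell script, not a Mach-O binary")
    return {"label": label, "program": program, "findings": findings}


def scan_launch_agents(directory: Path) -> list:
    """Assess every *.plist in a LaunchAgents directory and return only the hits."""
    hits = []
    for plist_path in sorted(directory.glob("*.plist")):
        result = assess_launch_agent(plist_path.read_bytes())
        if result["findings"]:
            result["file"] = str(plist_path)
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in scan_launch_agents(Path("~/Library/LaunchAgents").expanduser()):
        print(hit["file"], hit["label"])
        for finding in hit["findings"]:
            print("  -", finding)
```

Run it as the logged-in user to cover `~/Library/LaunchAgents`; point `scan_launch_agents` at `/Library/LaunchAgents` or `/Library/LaunchDaemons` for the system-wide equivalents. A short `StartInterval` on its own is common in legitimate agents, so treat it as corroboration; the signal that matches the article is the combination of a trusted-vendor label with a program under a path the user can write, or one that is a `#!` script rather than a signed binary.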
— Originally reported by Cyber Security News. Adapted and republished with editorial context for MacThreat.