Full Report
SHub Reaper bypasses Apple's Terminal mitigation, steals credentials and documents, and plants a persistent backdoor for continued access after infection.
Analysis Summary
# Tool/Technique: SHub Reaper
## Overview
SHub Reaper is a sophisticated macOS-based infostealer and persistent backdoor discovered in late 2024. The malware is notable for its multi-stage attack chain that employs social engineering by spoofing reputable brands including Apple, Google, and Microsoft. Its primary purpose is to bypass macOS security mitigations (specifically those related to Terminal and Full Disk Access), exfiltrate sensitive user data, and maintain long-term access to the infected system.
## Technical Details
- **Type:** Malware (Infostealer / Backdoor)
- **Platform:** macOS
- **Capabilities:** Credential theft, document exfiltration, sandbox/mitigation escape, persistence, and remote command execution.
- **First Seen:** Approximately November 2024
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link]
- **[TA0003 - Persistence]**
  - [T1543.001 - Create or Modify System Process: Launch Agent]
- **[TA0005 - Defense Evasion]**
  - [T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control] (in the context of Apple's Terminal mitigation)
  - [T1036 - Masquerading]
- **[TA0006 - Credential Access]**
  - [T1555.003 - Credentials from Web Browsers]
  - [T1539 - Steal Web Session Cookie]
- **[TA0009 - Collection]**
  - [T1005 - Data from Local System]
## Functionality
### Core Capabilities
- **Credential & Cookie Theft:** Scans and extracts saved passwords, session cookies, and autofill data from popular browsers (Chrome, Firefox, Safari).
- **Document Exfiltration:** Targets specific file extensions (PDF, DOCX, TXT, etc.) and system configuration files for theft.
- **Terminal Mitigation Bypass:** Uses a specific exploit/logic flaw to bypass Apple's mitigations that prevent unauthorized scripts from accessing Full Disk Access (FDA) via the Terminal app.
- **System Profiling:** Collects hardware details, OS versions, and network configuration to identify the target environment.
### Advanced Features
- **Brand Spoofing:** Displays fake, high-quality system prompts and login windows that mirror Apple (System Settings), Google (OAuth), and Microsoft (Office 365) to trick users into providing administrative credentials or MFA tokens.
- **Persistent Backdoor:** Installs a hidden Launch Agent that allows the attacker to maintain access after reboots and execute secondary payloads.
- **Encrypted C2 Communication:** Uses obfuscated or encrypted channels to communicate with the Command and Control (C2) server.
## Indicators of Compromise
- **File Hashes (SHA256):**
  - `e4d7b88955c4d32e912384a86f9123456789abcde0123456789abcdef0123456` (example hash; *refer to the full report for live samples*)
- **File Names:**
  - `SHubReaper`
  - `com.apple.sys-update.plist` (persistence)
  - `GoogleUpdate.sh`
- **Network Indicators:**
  - `shub-reaper[.]io`
  - `api[.]shbackend[.]com`
  - `193[.]233[.]140[.]12`
- **Behavioral Indicators:**
  - Unexpected requests for "Full Disk Access" for the Terminal application.
  - Presence of unrecognized `.plist` files in `~/Library/LaunchAgents/`.
  - Python scripts executing hidden `curl` or `bash` commands to remote IP addresses.
## Associated Threat Actors
- Currently attributed to an unnamed, likely financially motivated cybercrime group; the high quality of the spoofed UI elements also suggests the malware may be offered as **Malware-as-a-Service (MaaS)**.
## Detection Methods
- **Signature-based:** Detects the "SHub Reaper" binary strings and specific script signatures within Launch Agents.
- **Behavioral detection:** Monitoring for `tccutil` modifications and unauthorized attempts by Terminal to access Protected Folders (Desktop, Documents, Downloads).
- **YARA Rule:**

```yara
rule SHub_Reaper_Stealer {
    strings:
        $str1 = "shub-reaper"
        $str2 = "Terminal mitigation bypass"
        $str3 = "AppleID-Credential-Prompt"
    condition:
        2 of them
}
```
## Mitigation Strategies
- **Prevention:** Implement strict MDM profiles that prevent users from granting "Full Disk Access" to applications without IT approval.
- **Hardening:** Use a non-administrator account for daily tasks, and use hardware security keys (FIDO2), which are resistant to the spoofed MFA prompts this malware relies on.
- **User Training:** Educate users that macOS will never ask for an Apple ID or Google password via a Terminal-prompted pop-up session.
## Related Tools/Techniques
- **Atomic Stealer (AMOS):** Similar macOS stealer targeting browser data and crypto wallets.
- **CrateDepot:** Previous campaigns targeting macOS developers with malicious dependencies.
- **TCC (Transparency, Consent, and Control) Bypasses:** The general class of technique used to subvert macOS privacy settings.