A sophisticated campaign is distributing fake Mac applications, disguised as legitimate software like AI assistants and utilities, which are actually malware designed to steal user credentials and cryptocurrency.
Hello everybody. My name is Eric, and today we're going to be talking about a seriously problematic fake Mac app epidemic that has been going around, and this could spread beyond macOS. But I've got the files. So what's happened here is a few Reddit accounts have been going around Reddit, primarily the macOS subreddit, although a few others as well, promoting fake software. The first one that came out was something called Nintendify. Now, this is what the GitHub looked like. It's actually been taken down. It was called Nintendifier: turn anything into a Mario level with a selection on macOS. And supposedly what this would do is it would take a screenshot of something and somehow, I suppose using AI, turn it into a Mario level. And there was some source code here, but I'm going to assume that was fake. The GitHub is down now, so I can't get the bogus source code. But don't worry, I have all of the dodgy files here. So on the macOS subreddit: turn your selection into a Mario level. Now, Redditors eventually figured this out, but not until downloading this quite a bit, that this is a virus.

Now, this is something that hasn't been seen in a while. It's quite common for counterfeit software to be filled with malware, but this is someone making something they claim is an entirely new piece of software with a cool idea, and it's actually just a virus. I've seen this with things like game emulators, but there's quite a bit of effort being put into fooling people here, and this is targeting the macOS community, which really hasn't experienced info stealers to the same extent. Windows users have been dealing with the info stealer epidemic for years. Macs are usually better off. And we will be taking a look at this in a sandbox so we can see to what extent the better security features of macOS actually do mitigate this. Now, here is someone who doesn't quite understand what's going on, but this was in fact a similar info stealer. And luckily, because they're on a Mac, they would have to enter their password to get pwned, but you might do that thinking it's something real.

So then the second attack was Clippy for macOS. Now, Clippy was like a Windows assistant 20 years ago, basically Copilot before Copilot. And this person says they made an AI assistant called Clippy on macOS. I don't really see the appeal of this. The Clippy character didn't really work. And I also don't really understand why you'd download this random thing from a random guy when there are plenty of legitimate AI assistants already available for macOS. Pretty much every company that makes one has a Mac app. But unfortunately the DMG file turned out to be malware. This was AMOS Stealer. All of these are actually AMOS Stealer.

So then someone posted a PSA. Okay, this is the wrong one; this is the real PSA. This is the fake PSA. So, someone did notice this was fake, but this person went to the Bitcoin subreddit, which is interesting because this is mainly going to be a Bitcoin stealer. And they say: "PSA: downloaded a fun Mac app from Reddit, almost lost everything," telling the story of these different dangerous Mac apps. "PSA for hot wallet users." But then, it turns out that's why this was removed. "I'm sorry to hear this happened to you." Now, at this point, the scammer is going to recommend a tool called Shield Key that is actually more malware. Now, this is something I've never seen happen before. This moderator actually spoke to someone in my Discord who was reporting this and told us about this. So, they basically got the malware equivalent of a recovery room scam, but unlike a real recovery room, they could also hit people who hadn't fallen for the first one, but might want to be safe. So, let's go over to Shield Key.
Now, this one is still up, unlike the other ones. So: features, wallets, FAQ. Now, something I just noticed while I was going through this. Note who the developer on GitHub for Nintendifier is. Oh, right. Shield Key. They probably should have used a different name, but I guess they weren't that high effort. "Antivirus won't save your coins." I might honestly agree with that line. Shield Coin, or Shield Key, locks down your wallets, blocks malware, and keeps your crypto safe on macOS. If you're on Windows, there could be a case for this product existing. But let me just point out that macOS does that by default. macOS has app-level ring-fencing, a reasonable amount. I mean, of course there are enterprise solutions that are better, but macOS has a sane amount of application ring-fencing. Windows doesn't, which is why I would recommend something like ThreatLocker. This isn't a sponsored video. I'm just saying, a product that does lock down applications. But so this product doesn't; it seems like a weird niche. And they give you a security score. You've got a GUI here. It doesn't look terribly complicated. And it's basically supposed to be a crypto protector.

Now, another thing you'll note is every one of these malicious downloads will go to a MacShare.php file that may be on a different website, but it's always got this PHP, and it does have a slightly different payload. But this one also has a terminal installer. Now, this is similar to the ex for Windows, but I have seen legitimate Mac software do this before. Famously, the Rust programming language, when you install that, uses something like this. So I actually did get my hands on this install.sh file. Now, of course, it does have user agent blocking, so we had to use curl to get it. Oh, curl -o temp update, this, and then we execute it. Now, the update file is right there. This is actually a Mac binary and it's similar to what's inside of these other two. We've got a clippy.dmg and a Nintendifier. Now, I believe 7-Zip can open these. So we can actually see Clippy, and ultimately the file inside of Clippy is very similar, though it is slightly different. So now let's go on over to the sandbox.
Now, my preferred sandbox, ANY.RUN, doesn't have macOS support currently, but Triage does. So let's put this onto Triage and see what we can triage. So we've got a few options. First of all, we'll do the supposed antivirus.
Go through, and of course this is a macOS file and we can just analyze it, and we'll just wait for the Mac sandbox to start up, and it should immediately ask us for a password. Oh, that was just the Screen Time alert. We... not segmentation fault. That's a weird error. So, let's try some of the other ones. It's... defense. So, that actually did get a detection then. So, that's getting a seven out of ten. Now, let's see if any of the others will be a bit more juicy.
They will at least have fake icons. So, we've got Clippy and Nintendifier. I'm going to try Nintendifier because that seems more interesting. So, here it is. Now, this one's actually got a cool-looking icon. So, I could see a reasonable person following this. And rather than telling you to install it, it actually just tells you to run it. So we've now got a console window that popped up, which of course we all know is a bit scary. Oh, but we get a segmentation fault when we actually run it from the terminal. Now, we know this is not legit. We can upload these to VirusTotal and they are well detected, getting AMOS Stealer across the board on these questionable files. But let's see if we can get more of an idea of what these do by doing some static analysis. I don't really know what the packer ecosystem is like on macOS, which will ultimately dictate whether we're going to get anything useful, because I certainly don't have a debugging setup for this to unpack some Mac malware. Just throw this one in here.
Okay. Haven't seen that before. That's not a good sign. And of course on Mac executables, because they're usually universal binaries, you've got to pick which one you want to hit. So, we're just going to go with the Intel one, because I can read x86 assembly, but I really can't read ARM assembly to any useful degree. Looks like there's some sort of XOR cipher going on here. So, we've got this data blob minus this data blob, XOR this data blob, and it's just doing some pointer arithmetic here, and we step through every four bytes just to add another layer of obfuscation. Let's see if ChatGPT's code interpreter will get this out, because I've got this VM pretty locked down so I can't do a lot of Python on here. So hopefully that will work out and I won't have to do anything locally. Looks like we're making progress. And then as we scroll down, we get more of these. And then there's some string concatenation. And ultimately, at the bottom, there is a call to system, which I'd assume probably works like system does on Windows, where that will then run a command line. So basically what we've got here is actually like another piece of Mac malware I looked at. We essentially have a malicious bash script (not batch; batch is Windows) that is wrapped in here. There's no complicated logic written in a low-level programming language. The first one we got may actually be some sort of anti-analysis, because this runs RDI7. I haven't completely traced this out, but I am just making the assumption that "out" ultimately manages to get copied into this. If that is true, then the "out" of this ultimately gets executed by system.

And now we have gone deep into the weeds. Well, I can't fault it. It did what I asked it to do, but it seems this isn't plain text, because the first one doesn't seem to be a script. The first one seems to be producing a string. Okay. So, what we've got here is some sort of custom encryption algorithm. This first "out" that ultimately gets copied, and this one we see persists, is actually the key, and that is why, in the midst of o3's outputs, it dumps something that looks like base64, but because it is actually a custom alphabet for a decoder, that is why it is a dependency for all the others. And now I do have a script. I did a bit more. So the first one gives you the base64 code, and then the second gives you a string that can be decoded with the base64 code. So I'm just going through the process of getting these out right now. So we create these, and of course we can just write them. I'm just going to get the directory I want to put these in. Let's make life a little easier by making a function. Okay. I actually had to give up. There's some weird formatting going on here. Oh, actually, I know what that's about, because on Windows backslashes suck, and that's why that happens. So, let's just skip that. Now, we've got these three files and we can use them like this. And now we've just got to see if whatever came out is any good, or anything at all. And now we finally got an output. There is one more trick. And boom. Yep. Exactly as I was expecting. The first one is anti-analysis. So the trick here was I had o3 make this script, but it missed one thing, which is the output of these dumped values is actually a hex string, which then has to be converted by this into individual ASCII characters. Then you do that. So that was the only thing we'd missed. So with that, stepping over "out" because I thought I'd done something else wrong, we've now got a good fix. So now we can dump any data we want. So I could also patch that out. So essentially this whole thing is just a bunch of bash malware wrapped really nastily. This second base, second sub. Now we can just pretty quickly replicate the code that we used before. Sounds like we're talking about baseball here on E0. Now let's check the second one. Of course, I could write a Binary Ninja script to actually automate the dumping, but here we go. So set release to true, set file grabbers to true, and we've actually got shockingly clean source code. So it goes through Ledger Live. This is the actual... seems like it may actually replace that with... Okay, that actually makes a lot of sense when you consider how a hardware wallet works. This will probably be a piece of malware that is designed to socially engineer you into handing over your crypto. I'll check that in a second.
Now, we've got our cookie stealing, plugin grabbing. Here's going to be a list of crypto plugins to steal. Here's your Telegram stealer. Now, to me, this seems like it's pretty focused on crypto. It's weird that it does have Waterfox, which is something that very few people use these days. So, I am just going to upload this fake Ledger Live because I'm curious what that did. And then I think we're going to call this a day. Okay. And here is our file. And then once we unzip this, we'll have our fake Ledger Live that we actually can't run. Oh, but there's a... Okay. Well, luckily I think we can make enough of this out to say, "All right, n.html. Let's see what that one does." We can open that up in a browser. You know, even without getting a deep view of this, I could be 100% confident this was fake from the source, but just give this a second to run. See, I'm really slow. "Your Ledger Live is corrupted." Yeah. So this is just an attempt at stealing. This is a social engineering exploit, because of course a cryptocurrency hardware wallet by design isn't susceptible to an info stealer. So this is a fairly interesting attempt. It's not hard. It's not terribly sophisticated. I was able to statically unpack it quite quickly. I could try writing a more generic unpacker, but they'd probably just write a workaround. That's going to be all from me for now. So, there's an epidemic of fake apps going around. What will they do? They'll steal your credentials, steal any cryptocurrencies
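Added example, not from the video and not the malware author's code: a Python sketch of the generic unpacker Eric mentions at the end, following the layering he describes for the wrapped bash script (XOR-decoded blob giving a custom base64 alphabet, a second XOR-decoded blob giving the body in that alphabet, the body decoding to a hex string, and the hex decoding to the script handed to system()). The blob layout, XOR keys, shuffled alphabet and sample script below are constructed stand-ins, not values recovered from the AMOS samples; the real binary steps through its blobs with pointer arithmetic that this toy does not reproduce.

```python
"""Toy unpacker for the layered string wrapping described in the video.

Layers, as described: XOR blob -> custom base64 alphabet; XOR blob -> body
written in that alphabet; custom base64 -> hex string; hex -> shell script
that the binary passes to system().

Everything here (keys, alphabet, sample script) is constructed for
illustration and is not data taken from the AMOS samples.
"""
import base64
import binascii
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed stand-ins (assumptions, not sample data).
CUSTOM_ALPHABET = STD_ALPHABET[::-1]   # any permutation of the 64 chars works
ALPHABET_KEY = b"\x13\x37\x42"         # repeating XOR key for the alphabet blob
BODY_KEY = b"\xa5\x5a\x0f\xf0"         # repeating XOR key for the body blob
SAMPLE_SCRIPT = (
    "#!/bin/bash\n"
    "RELEASE=true\n"
    "FILE_GRABBERS=true\n"
    'echo "constructed stand-in for the wrapped script"\n'
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, walking the key cyclically over the blob."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def custom_b64decode(text: str, alphabet: str) -> bytes:
    """Decode base64 written with a shuffled 64-character alphabet by
    translating it back onto the standard alphabet, then using the stdlib."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct characters without '='")
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD_ALPHABET)))


def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Inverse of custom_b64decode; only used to build the constructed sample."""
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def unwrap_payload(alphabet_blob: bytes, alphabet_key: bytes,
                   body_blob: bytes, body_key: bytes) -> str:
    """Peel every layer and return the script text that would reach system().

    A wrong key or alphabet surfaces as a ValueError (non-ASCII bytes,
    bad base64 padding, or a body that is not hex), which is the signal
    to go back and re-check which blob is actually the key."""
    try:
        alphabet = xor_bytes(alphabet_blob, alphabet_key).decode("ascii")
        encoded = xor_bytes(body_blob, body_key).decode("ascii")
        hex_str = custom_b64decode(encoded, alphabet).decode("ascii")
        return binascii.unhexlify(hex_str).decode("utf-8")
    except ValueError as exc:  # UnicodeDecodeError and binascii.Error are ValueErrors
        raise ValueError("layers did not decode cleanly; wrong key or alphabet?") from exc


def wrap_payload(script: str, alphabet: str, alphabet_key: bytes, body_key: bytes):
    """Build the two blobs the same way the wrapper would (constructed sample)."""
    hex_str = script.encode("utf-8").hex()
    encoded = custom_b64encode(hex_str.encode("ascii"), alphabet)
    return (xor_bytes(alphabet.encode("ascii"), alphabet_key),
            xor_bytes(encoded.encode("ascii"), body_key))


def demo() -> str:
    """Round-trip the constructed sample and return the recovered script."""
    alphabet_blob, body_blob = wrap_payload(SAMPLE_SCRIPT, CUSTOM_ALPHABET, ALPHABET_KEY, BODY_KEY)
    return unwrap_payload(alphabet_blob, ALPHABET_KEY, body_blob, BODY_KEY)


if __name__ == "__main__":
    print(demo())
```

The point of splitting the layers into separate functions is that each one can be pointed at blobs dumped from a disassembler (the "out" buffers in the video) independently, so when the hex layer is the one you missed, only `unhexlify` changes rather than the whole script.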