A sophisticated campaign is distributing fake Mac applications, disguised as legitimate software like AI assistants and utilities, which are actually malware designed to steal user credentials and cryptocurrency.
Hello everybody. My name is Eric, and today we're going to be talking about a seriously problematic fake Mac app epidemic that has been going around, and this could spread beyond macOS. But I've got the files. So what's happened here is a few Reddit accounts have been going around Reddit, primarily the macOS subreddit, although a few others as well, promoting fake software. The first one that came out was something called Nintendify. Now, this is what the GitHub looked like. It's actually been taken down. It was called Nintendifier: turn anything into a Mario level with a selection on macOS. And supposedly what this would do is it would take a screenshot of something and somehow, I suppose using AI, turn it into a Mario level. And there was some source code here, but I'm going to assume that was fake. The GitHub is down now, so I can't get the bogus source code. But don't worry, I have all of the dodgy files here. So on the macOS subreddit: turn your selection into a Mario level. Now, Redditors eventually figured out that this is a virus, but not until downloading it quite a bit.

Now, this is something that hasn't been seen in a while. It's quite common for counterfeit software to be filled with malware, but this is someone making something they claim is an entirely new piece of software with a cool idea, and it's actually just a virus. I've seen this with things like game emulators, but there's quite a bit of effort being put into fooling people here, and this is targeting the macOS community, which really hasn't experienced info stealers to the same extent. Windows users have been dealing with the info stealer epidemic for years. Macs are usually better off. And we will be taking a look at this on a sandbox so we can see to what extent the better security features of macOS actually do mitigate this. Now, here is someone who doesn't quite understand what's going on, but this was in fact a similar info stealer. And luckily, because they're on a Mac, they would have to enter their password to get pwned, but you might do that thinking it's something real.

So then the second attack was Clippy for macOS. Now, Clippy was like a Windows assistant 20 years ago, basically Copilot before Copilot. And this person says they made an AI assistant called Clippy on macOS. I don't really see the appeal of this; the Clippy character didn't really work. And I also don't really understand why you'd download this random thing from a random guy when there are plenty of legitimate AI assistants already available for macOS. Pretty much every company that makes one has a Mac app. But unfortunately, the DMG file turned out to be malware. This was AMOS Stealer. All of these are actually AMOS Stealer.

So then someone posted a PSA. Okay, this is the wrong one; this is the real PSA. This is the fake PSA. So, someone did notice this was fake, but this person went to the Bitcoin subreddit, which is interesting because this is mainly going to be a Bitcoin stealer. And they say, "PSA: downloaded a fun Mac app from Reddit, almost lost everything," telling the story of these different dangerous Mac apps. "PSA for hot wallet users." But then, it turns out, that's why this was removed. "I'm sorry to hear this happened to you." Now, at this point, the scammer is going to recommend a tool called Shield Key that is actually more malware. Now, this is something I've never seen happen before. This moderator actually spoke to someone in my Discord who was reporting this and told us about this. So, they basically got the malware equivalent of a recovery room scam, but unlike a real recovery room, they could also hit people who hadn't fallen for the first one but might want to be safe.

So, let's go over to Shield Key. Now, this one is still up, unlike the other ones. So: features, wallets, FAQ. Now, something I just noticed while I was going through this: note who the developer on GitHub for Nintendifier is. Oh, right. Shield Key. They probably should have used a different name, but I guess they weren't that high effort. "Antivirus won't save your coins." I might honestly agree with that line. "Shield Coin" or Shield Key "locks down your wallets, blocks malware, and keeps your crypto safe on macOS." If you're on Windows, there could be a case for this product existing. But let me just point out that macOS does that by default. macOS has app-level, a reasonable amount. I mean, of course there's enterprise solutions that are better, but macOS has a sane amount of application ring-fencing. Windows doesn't, which is why I would recommend something like ThreatLocker. This isn't a sponsored video; I'm just saying, a product that does lock down applications. But so this product doesn't; it seems like a weird niche. And they give you a security score. You've got a GUI here. It doesn't look terribly complicated. And it's basically supposed to be a crypto protector.

Now, another thing you'll note is every one of these malicious downloads will go to a MacShare.php file that may be on a different website, but it's always got this PHP, and it does have a slightly different payload. But this one also has a terminal installer. Now, this is similar to the .exe for Windows, but I have seen legitimate Mac software do this before. Famously, the Rust programming language, when you install that, uses something like this. So I actually did get my hands on this install.sh file. Now, of course, it does have user agent blocking, so we had to use curl to get it: curl -o temp update, and then we execute it. Now, the update file is right there. This is actually a Mac binary, and it's similar to what's inside of these other two. We've got a clippy.dmg and a Nintendifier. Now, I believe 7-Zip can open these. So we can actually see Clippy, and ultimately the file inside of Clippy is very similar, though it is slightly different.

So now, let's go on over to the sandbox. Now, my preferred sandbox, ANY.RUN, doesn't have macOS support currently, but Triage does. So let's put this onto Triage and see what we can triage. So we've got a few options. First of all, we'll do the supposed antivirus. We'll go through, and of course this is a macOS file, and we can just analyze it, and we'll just wait for the Mac sandbox to start up, and it should immediately ask us for a password. Oh, that was just the Screen Time alert. We... segmentation fault. That's a weird error. So, let's try some of the other ones. It's... defense. So, that actually did get a detection then. So, that's getting a seven out of 10. Now, let's see if any of the others will be a bit more juicy. They will at least have fake icons. So, we've got Clippy and Nintendifier. I'm going to try Nintendifier because that seems more interesting. So, here it is. Now, this one's actually got a cool-looking icon. So, I could see a reasonable person following... And rather than telling you to install it, it actually just tells you to run it. So we've now got a console window that popped up, which of course we all know is a bit scary. Oh, but we get a segmentation