macOS users lose crypto as Reaper stealer bypasses Terminal

A new type of Mac malware called Reaper is spreading through fake download pages for apps like WeChat and Miro. Once it gets in, it steals crypto wallet data and saved browser passwords.

It’s a smarter version of an older trick that used to fool people into pasting malicious commands into Terminal. Apple patched that hole in a recent macOS update, but Reaper found a way around it, using a different built-in Apple tool to do the same damage.

Script Editor replaces Terminal as the malware surface

The fake download sites trigger Script Editor through an AppleScript applescript:// URL.

The malicious code is invisible. Attackers hide it using ASCII art and whitespace. If a user clicks the play button in the Script Editor, they unknowingly run hidden commands.

Script Editor is preinstalled with every Mac computer. Most people don’t relate to viruses.

Typosquatted domains and fake Apple updates build trust

The attack begins on fake domains that look legitimate to potential victims. Security researchers discovered infrastructure hosted on typosquatted Microsoft domains, including mlcrosoft[.]co[.]com.

Once the script runs, a fraudulent Apple security update dialog prompts the victim to enter their computer password.

Reaper then checks the system’s keyboard layout.  If the keyboard is configured for the Russian language, the malware stops.  If not, the malware activates a data-theft module modeled on the Atomic macOS Stealer (AMOS).

Crypto wallets, browsers, and documents are all targeted

Reaper goes after desktop crypto applications, including Ledger Live, Trezor Suite, and Exodus. The malware modifies the internal code of crypto wallets to intercept future transactions and redirect funds.

The stealer also harvests saved credentials from Chrome, Firefox, and Edge. It pulls data from browser extensions like 1Password and MetaMask too.

Files with .docx, .pdf, .xlsx, .wallet, and .keys extensions found in Desktop and Documents folders get compressed into 70MB ZIP chunks and uploaded to an external command-and-control server.

For a persistent attack, Reaper installs a backdoor disguised as a Google Software Update directory.

Reaper is the third campaign within about two months to adopt this automated AppleScript approach, according to Moonlock’s analysis.

Microsoft’s Defender Security Research Team documented a related set of campaigns involving fake macOS troubleshooting guides posted to Medium, Craft, and Squarespace, which Cryptopolitan previously reported.

Those campaigns used the same ClickFix approach to deliver AMOS, Macsync, and SHub Stealer through Terminal commands. Genuine wallet apps were deleted and silently swapped for malicious versions, according to Cryptopolitan.

Double-check download links before installing anything new. If a pop-up unexpectedly asks for your Mac password, don’t enter it. A good security tool will catch obfuscated scripts before they cause damage. If a website ever tells you to open Script Editor, close the tab.

If you're reading this, you’re already ahead. Stay there with our newsletter.