Researchers at Cado Security have discovered new malware targeting macOS users. The malware, known as “Cthulhu Stealer”, is designed to gather a wide range of data from Apple devices, highlighting cybercriminals’ increasing focus on this platform.
Cthulhu Stealer has been circulating since late 2023 under a malware-as-a-service (MaaS) model, priced at $500 per month. It runs on both x86_64 and ARM architectures. The malicious software disguises itself as legitimate software, including popular applications such as CleanMyMac and even the Grand Theft Auto IV video game. The attack uses an Apple disk image (DMG) containing two binary files, one for each architecture.
One of the main risks is that users who attempt to run the unsigned file must bypass Gatekeeper protection and then enter their system password. The malware can additionally prompt for the MetaMask password, posing a significant threat to cryptocurrency wallet owners. Cthulhu Stealer gathers system information and extracts passwords from the iCloud Keychain using the Chainbreaker tool.
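As an added example (not code from Cado Security's report), a small triage helper that reports, for a Mach-O binary pulled from such a DMG, which architecture it targets and whether it embeds a code signature at all: a binary with no LC_CODE_SIGNATURE load command is unsigned, which is what forces the Gatekeeper bypass described above. It goes beyond the report's two separate per-architecture files by also handling universal (fat) binaries; the sample headers are constructed for the demonstration, not real malware.

```python
import struct

# Constants from Apple's <mach-o/loader.h> and <mach-o/fat.h>.
FAT_MAGIC, MH_MAGIC, MH_MAGIC_64 = 0xCAFEBABE, 0xFEEDFACE, 0xFEEDFACF
LC_CODE_SIGNATURE = 0x1D
CPU_TYPES = {7: "x86", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}


def thin_info(data: bytes) -> dict:
    """Architecture of one thin Mach-O image and whether it embeds a code signature."""
    for endian in ("<", ">"):
        magic, cputype = struct.unpack(endian + "II", data[:8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a Mach-O image")
    ncmds = struct.unpack(endian + "I", data[16:20])[0]
    off = 32 if magic == MH_MAGIC_64 else 28  # 64-bit header has an extra reserved field
    signed = False
    for _ in range(ncmds):  # walk the load commands looking for LC_CODE_SIGNATURE
        cmd, cmdsize = struct.unpack(endian + "II", data[off:off + 8])
        signed |= cmd == LC_CODE_SIGNATURE
        off += max(cmdsize, 8)
    return {"arch": CPU_TYPES.get(cputype, hex(cputype)), "code_signature": signed}


def macho_triage(data: bytes) -> list[dict]:
    """Per-architecture info for a thin or universal (fat) Mach-O file."""
    magic, count = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        return [thin_info(data)]
    if count > 16:  # 0xCAFEBABE is also the Java class-file magic; real fat files have few slices
        raise ValueError("implausible slice count: probably a Java class file")
    slices = []
    for i in range(count):  # fat_arch entries are 20 bytes, big-endian
        _, _, offset, size, _ = struct.unpack(">IIIII", data[8 + i * 20:28 + i * 20])
        slices.append(thin_info(data[offset:offset + size]))
    return slices


def build_sample(cputype: int, signed: bool) -> bytes:
    """Constructed minimal 64-bit Mach-O header for demonstration (not a real binary)."""
    cmds = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0) if signed else b""
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, len(cmds) // 16, len(cmds), 0, 0) + cmds


# Constructed samples: an unsigned thin arm64 image, and a fat file holding an unsigned
# x86_64 slice plus a signed arm64 slice (fat header is 8 + 2 * 20 = 48 bytes).
SAMPLE_THIN = build_sample(0x0100000C, signed=False)
_x86, _arm = build_sample(0x01000007, False), build_sample(0x0100000C, True)
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(">IIIII", 0x01000007, 3, 48, len(_x86), 12)
              + struct.pack(">IIIII", 0x0100000C, 0, 48 + len(_x86), len(_arm), 14) + _x86 + _arm)
```

Run `macho_triage(open(path, "rb").read())` on a real file; a slice reported with `code_signature: False` should never be launched by bypassing Gatekeeper.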
The stolen data, which includes web browser passwords and Telegram account details, is compressed into an archive and sent to the attackers’ server. The primary objective of this malware is to steal financial data, cryptocurrency wallets, and game accounts.
According to Cado Security, the functionality of Cthulhu Stealer bears many similarities to another infamous malware, Atomic Stealer. It is believed that the developer of Cthulhu Stealer based their creation on the code of Atomic Stealer with certain modifications.
As of now, the activities of the Cthulhu Stealer developers have halted. Internal conflicts and payment disputes have led to allegations of fraud, resulting in the main developer being permanently banned from the cybercrime market where the malware was being promoted.
Even though Cthulhu Stealer is not particularly intricate or unique, its presence underscores cybercriminals’ growing interest in targeting the macOS platform. Users are advised to download software only from reputable sources, avoid installing unverified applications, and routinely update their operating systems.
Apple has also acknowledged the rising threats to macOS and recently announced security enhancements in the upcoming operating system version. In macOS Sequoia, users will no longer be able to bypass Gatekeeper protection by Control-clicking to execute unsigned software. Instead, users will have to navigate to “System Settings” and manually grant permission to launch suspicious programs, providing an additional layer of protection against inadvertent infections on macOS devices.