Latest macOS Threat “Cthulhu Stealer” Aiming at Apple Users’ Information

August 23, 2024Ravie LakshmananEndpoint Protection / Data Security


Cybersecurity researchers have discovered a new information stealer built specifically to infiltrate Apple macOS systems and harvest a wide range of data, highlighting threat actors' growing focus on the platform.

Known as Cthulhu Stealer, the malware has been sold as a malware-as-a-service (MaaS) offering for $500 a month since late 2023. It can target both x86_64 and Arm architectures.

“Cthulhu Stealer consists of an Apple disk image (DMG) that includes two binaries, which vary based on the system’s architecture,” Cato Security researcher Tara Gould said. “This malware is coded in Golang and masquerades as legitimate software.”

Among the legitimate programs it impersonates are CleanMyMac, the game Grand Theft Auto IV, and Adobe GenP, the last of which is an open-source tool that patches Adobe applications so they run without a serial key.

Users who run the unsigned file after explicitly allowing it to execute, thereby bypassing Gatekeeper protections, are prompted to enter their system password through a dialog generated with osascript, a technique also used by Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer.

Users are then asked to enter their MetaMask password. Cthulhu Stealer is also designed to gather system information and dump iCloud Keychain passwords using an open-source tool called Chainbreaker.

The stolen data, which also includes web browser cookies and Telegram account information, is compressed into a ZIP archive and exfiltrated to a command-and-control (C2) server.
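The osascript password prompt described above is the most detectable step in the chain: the stealer has to spawn osascript with a `display dialog ... default answer "" with hidden answer` script, and legitimate software rarely does that from a binary running straight off a mounted disk image. The following Python is an added example, not code from Cato Networks or from this article, that scores process-execution events for exactly that pattern, covering both the fake system-password prompt and the follow-up MetaMask prompt. The event records, their field names (`pid`, `parent`, `cmdline`), the scoring weights and the "untrusted parent location" list are constructed assumptions for illustration; the result is a tunable heuristic, not a signature for Cthulhu Stealer specifically.

```python
import os
import re
import shlex

# Constructed sample process-execution events, shaped like what an EDR or
# Endpoint Security process-exec feed might emit. Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4102, "parent": "/Volumes/CleanMyMac/CleanMyMac",
     "cmdline": "osascript -e 'display dialog \"macOS needs your password to continue\" "
                "with title \"System Preferences\" with icon caution "
                "default answer \"\" with hidden answer'"},
    {"pid": 4110, "parent": "/Volumes/CleanMyMac/CleanMyMac",
     "cmdline": "osascript -e 'display dialog \"Enter your MetaMask password\" "
                "default answer \"\" with hidden answer'"},
    {"pid": 512, "parent": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
     "cmdline": "osascript -e 'tell application \"Finder\" to empty trash'"},
    {"pid": 777, "parent": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "cmdline": "osascript -e 'display notification \"Build finished\"'"},
    {"pid": 778, "parent": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "cmdline": "osascript -e 'display dialog \"Enter value\" default answer \"\"'"},
    {"pid": 9001, "parent": "/Users/alice/Downloads/Installer",
     "cmdline": "osascript -e 'display dialog \"Enter password\" "
                "default answer \"\" with hidden answer'"},
]

# Heuristic word lists and locations (assumptions; tune for your environment).
PASSWORD_WORDS = re.compile(r"\b(password|passphrase|credentials?|seed phrase)\b")
SYSTEM_IMPERSONATION = re.compile(r"system preferences|system settings|macos|apple")
# Parents running straight out of a mounted DMG, a temp dir or the Downloads folder.
UNTRUSTED_PARENT = re.compile(r"^(/Volumes/|/private/tmp/|/tmp/|/Users/[^/]+/(Downloads|Desktop)/)")


def script_args(cmdline):
    """Return the AppleScript fragments passed with -e, or [] if this is not osascript."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: not parseable, ignore
        return []
    if not argv or os.path.basename(argv[0]) != "osascript":
        return []
    return [argv[i + 1] for i, arg in enumerate(argv[:-1]) if arg == "-e"]


def assess(event):
    """Score one event. Returns None when no input-collecting dialog is shown."""
    src = " ".join(script_args(event["cmdline"])).lower()
    if "display dialog" not in src:
        return None
    score, reasons = 0, []
    if "hidden answer" in src:
        score += 50              # masked text field: the password-phishing primitive
        reasons.append("display dialog with hidden (masked) answer")
    elif "default answer" in src:
        score += 20
        reasons.append("display dialog with a text field")
    else:
        return None              # purely informational dialog, no input collected
    if PASSWORD_WORDS.search(src):
        score += 30
        reasons.append("password/credential wording in the prompt")
    if SYSTEM_IMPERSONATION.search(src):
        score += 10
        reasons.append("prompt impersonates a system dialog")
    if UNTRUSTED_PARENT.match(event["parent"]):
        score += 20
        reasons.append("parent runs from " + event["parent"])
    severity = "high" if score >= 80 else "medium" if score >= 50 else "low"
    return {"pid": event["pid"], "score": score, "severity": severity, "reasons": reasons}


def hunt(events):
    """Apply assess() to a list of events and keep the findings, in input order."""
    return [f for f in (assess(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"pid {finding['pid']}: {finding['severity']} ({finding['score']}) - "
              + "; ".join(finding["reasons"]))
```

Run it as a script to print the findings for the constructed events; to use it on real data, map your feed's fields onto the same three keys and pass the list to `hunt()`. Expect to tune it: some legitimate installers do use osascript password dialogs, so the parent-location and wording signals carry more weight than the dialog alone, and the benign Terminal-launched dialog in the sample deliberately scores low rather than being dropped.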

“The core functionality of Cthulhu Stealer revolves around seizing credentials and cryptocurrency wallets from different accounts, including gaming platforms,” Gould said.

“The operations and features of Cthulhu Stealer bear a striking resemblance to Atomic Stealer, hinting that the creator of Cthulhu Stealer potentially leveraged Atomic Stealer’s codebase. The use of osascript to extract the user’s password mirrors the similar approach in Atomic Stealer and Cthulhu, even down to the same typographical errors.”

The threat actors behind the malware are reportedly no longer active, partly because of payment disputes that led affiliates to accuse the main developer of an exit scam, which resulted in that developer being permanently banned from a dark web marketplace commonly used to advertise such tools.

Cthulhu Stealer is not a particularly sophisticated threat and lacks the anti-analysis techniques that would help it stay under the radar. It also has no unique features that would distinguish it from other stealers in the underground ecosystem.

Although macOS threats remain far less prevalent than those targeting Windows and Linux, users are advised to download software only from trusted sources, avoid installing unverified applications, and keep their systems up to date with the latest security patches.

Apple has taken note of the rise in macOS malware and recently announced that the next version of its operating system will add friction when opening software that is not correctly signed or notarized.

“In macOS Sequoia, users will no longer have the option to bypass Gatekeeper by Control-clicking when launching software that is not properly signed or notarized,” Apple stated. “They will need to navigate to System Preferences > Security & Privacy to review security information for the software before granting permission to run it.”
