New macOS malware ‘Cthulhu Stealer’ targets Apple users’ data

August 23, 2024 | Ravi Lakshmanan | Endpoint Security / Data Privacy


Cybersecurity researchers have discovered a new information-stealing program that targets computers running Apple macOS and is designed to gather a wide range of information, underscoring the fact that cybercriminals are increasingly targeting the operating system.

The malware, dubbed Cthulhu Stealer, is available as a malware-as-a-service (MaaS) model for $500 per month starting in late 2023. It is capable of targeting both x86_64 and Arm architectures.

“Cthulhu Stealer is an Apple disk image (DMG) that is attached to two binaries, depending on the architecture,” said Tara Gould, a researcher at Cado Security. “The malware is written in Golang and disguises itself as legitimate software.”

The programs it impersonates include CleanMyMac, Grand Theft Auto IV, and Adobe GenP. The latter is an open-source tool that patches Adobe applications to bypass Creative Cloud licensing and activate them without a serial key.


Users who run an unsigned file after explicitly allowing it to run—bypassing Gatekeeper protection—are prompted to enter their system password. This is an osascript-based technique that has been adopted by Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer.

The next step is a second prompt for the MetaMask password. Cthulhu Stealer is also designed to collect system information and dump iCloud Keychain passwords using an open-source tool called Chainbreaker.

The stolen data, including web browser cookies and Telegram account information, is compressed and stored in a ZIP archive file and then transmitted to a command and control (C2) server.


“The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including gaming accounts,” Gould said.

“The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating that the creator of Cthulhu Stealer likely took Atomic Stealer and modified the code. The use of osascript to prompt the user for a password is similar in Atomic Stealer and Cthulhu, even with the same spelling errors.”
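The osascript password prompt described above, shared by Cthulhu Stealer and Atomic Stealer, leaves a visible trace in process telemetry that defenders can hunt for. The following is an added example, not code from the article or from Cado Security: it scores constructed process-execution events (field names, paths and dialog wording are assumptions) on whether an osascript dialog asks for masked, credential-related input from a suspicious parent.

```python
import re

# Constructed process-execution events (not real telemetry). Each mimics what an
# EDR or a `log show` pipeline might yield for a launched command line.
SAMPLE_EVENTS = [
    {"pid": 401, "parent": "/Volumes/CleanMyMac/CleanMyMac",
     "cmd": "osascript -e 'display dialog \"macOS needs to access System Settings."
            "\\n\\nPlease enter your password.\" with title \"System Preferences\" "
            "with icon caution default answer \"\" with hidden answer'"},
    {"pid": 512, "parent": "/usr/bin/login",
     "cmd": "osascript -e 'tell application \"Finder\" to get name of every window'"},
    {"pid": 620, "parent": "/Volumes/CleanMyMac/CleanMyMac",
     "cmd": "osascript -e 'display dialog \"Enter your MetaMask password\" "
            "default answer \"\" with hidden answer'"},
    {"pid": 700, "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "cmd": "zip -r /tmp/out.zip /Users/alice/Library/Cookies"},
]

# AppleScript `display dialog ... with hidden answer` renders a masked input box,
# which legitimate scripts rarely need and credential phishing prompts always use.
HIDDEN_INPUT = re.compile(r"display\s+dialog\b.*\bwith\s+hidden\s+answer", re.I | re.S)
CRED_WORDS = re.compile(r"\b(password|passphrase|keychain|metamask|wallet)\b", re.I)
TRUSTED_PARENT_PREFIXES = ("/System/", "/usr/bin/", "/Applications/")  # assumed baseline


def score_event(ev):
    """Return (score, reasons) for one process event; higher means more suspicious."""
    cmd = ev["cmd"]
    reasons = []
    if not cmd.lstrip().startswith("osascript"):
        return 0, reasons
    if HIDDEN_INPUT.search(cmd):
        reasons.append("osascript dialog with masked input")
    if CRED_WORDS.search(cmd):
        reasons.append("credential wording in dialog text")
    parent = ev.get("parent", "")
    if parent.startswith("/Volumes/"):
        reasons.append("launched from a mounted disk image")  # DMG-delivered payload
    elif not parent.startswith(TRUSTED_PARENT_PREFIXES):
        reasons.append("untrusted parent path")
    return len(reasons), reasons


def find_credential_prompts(events, threshold=2):
    """Return the pids of events whose suspicion score reaches the threshold."""
    return [ev["pid"] for ev in events if score_event(ev)[0] >= threshold]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["pid"], score_event(ev))
    print("flagged:", find_credential_prompts(SAMPLE_EVENTS))
```

A benign AppleScript (pid 512) and a non-osascript command (pid 700) score zero, while both masked password dialogs launched from the mounted DMG are flagged.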

The people behind the malware are said to be no longer active, partly due to payment disputes that led to exit scam accusations from affiliates. As a result, the main developer has been permanently banned from the cybercrime marketplace used to advertise the stealer.

The Cthulhu Stealer isn’t particularly sophisticated, and lacks the anti-analysis techniques that could allow it to operate in stealth. It also lacks any distinguishing feature that would set it apart from other similar offerings in the underworld.


Although threats to macOS are much less common than those to Windows and Linux, users are advised to only download software from trusted sources, avoid installing unverified applications, and keep their systems updated to the latest security patches.

The surge in macOS malware has not gone unnoticed by Apple, which earlier this month announced an update to the next version of its operating system. The update aims to make it harder to open software that isn’t properly signed or notarized.

“In macOS Sequoia, users will no longer be able to Control-click to bypass Gatekeeper when opening software that is not properly signed or notarized,” Apple said. “They will need to go to System Settings > Privacy & Security to review the software’s security information before allowing it to run.”
