Cybersecurity experts have identified a new piece of malware targeting Apple macOS systems, emphasizing the growing interest of cybercriminals in Apple’s operating system. Named ‘Cthulhu Stealer,’ this malware is designed to harvest a wide array of user data from macOS devices, showcasing how threat actors are increasingly focusing on Apple users.
Launched in late 2023, Cthulhu Stealer is offered as a malware-as-a-service (MaaS) subscription for $500 per month. It is compatible with both x86_64 and Arm architectures.
According to a report, the malware is delivered as an Apple disk image (DMG) that includes two binaries, tailored for different system architectures. Written in Golang, Cthulhu Stealer disguises itself as legitimate software to deceive users.
Among the software programs it mimics are popular applications like CleanMyMac, Grand Theft Auto IV, and Adobe GenP, the latter being an open-source tool used to bypass Adobe’s Creative Cloud service. When users attempt to run the unsigned DMG file—bypassing Apple’s Gatekeeper security—they are prompted to enter their system password. This technique is not new and has been seen in other malware like Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer.
Following the system password prompt, users are asked to enter their MetaMask password. The malware then proceeds to gather system information, including iCloud Keychain passwords, using an open-source tool known as Chainbreaker.
The stolen data, which also includes web browser cookies and Telegram account details, is compressed into a ZIP archive and sent to a command-and-control (C2) server controlled by the attackers.
The primary goal of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various accounts, including game profiles. The report notes that the malware’s features bear a striking resemblance to those of Atomic Stealer, suggesting that Cthulhu Stealer’s developers may have borrowed and modified Atomic Stealer’s code. Both malware variants use a similar osascript-based method to prompt users for their passwords, even sharing the same typographical errors.
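The osascript password dialog that both stealers share is also the most visible thing a defender can hunt for. The following Python script is an added example (not code from the article, the report it cites, or either malware family): it scans process-execution telemetry for osascript invocations that open a dialog with a masked input field, raises the severity when the calling process runs from a mounted disk image under /Volumes or the dialog text asks for a password or wallet secret, and correlates repeated prompts from one parent, which is the system-password-then-MetaMask sequence described above. The key=value line format and every event in SAMPLE_EVENTS are constructed for this example; the CleanMyMac path only mirrors the lure name the article mentions.

```python
"""Flag osascript credential prompts in macOS process-execution telemetry.

Added example, not code from the article or from Cthulhu Stealer itself.
It assumes process events have already been exported (for instance by an
EDR or an Endpoint Security client) as one key=value line per execution;
that line format and every event in SAMPLE_EVENTS are constructed here.
"""
import os
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry. The first two events mirror the article's
# sequence: a masked "system password" dialog, then a MetaMask one, both
# spawned by a binary running from a mounted disk image under /Volumes.
SAMPLE_EVENTS = """\
ts=2024-08-20T10:01:02Z parent=/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac exe=/usr/bin/osascript args='-e display dialog "Enter your password" default answer "" with hidden answer'
ts=2024-08-20T10:01:09Z parent=/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac exe=/usr/bin/osascript args='-e display dialog "Enter your MetaMask password" default answer "" with hidden answer'
ts=2024-08-20T10:05:00Z parent='/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor' exe=/usr/bin/osascript args='-e display notification "Build finished"'
ts=2024-08-20T10:06:30Z parent=/usr/local/bin/backup.sh exe=/usr/bin/osascript args='-e display dialog "Backup complete" buttons {"OK"}'
"""

DIALOG_RE = re.compile(r"display\s+dialog", re.I)
HIDDEN_RE = re.compile(r"hidden\s+answer", re.I)  # masked text field
SENSITIVE_RE = re.compile(
    r"password|passphrase|keychain|metamask|wallet|seed phrase", re.I)


@dataclass
class Finding:
    ts: datetime
    parent: str
    severity: str
    reason: str


def parse_event(line: str) -> dict:
    """Split one key=value telemetry line; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def assess_event(event: dict):
    """Return a Finding for an osascript masked-input dialog, else None."""
    if os.path.basename(event.get("exe", "")) != "osascript":
        return None
    args = event.get("args", "")
    if not (DIALOG_RE.search(args) and HIDDEN_RE.search(args)):
        return None  # notifications and plain dialogs are benign here
    parent = event.get("parent", "")
    reasons = ["osascript display dialog with a hidden (masked) answer field"]
    severity = "medium"
    if parent.startswith("/Volumes/"):  # caller runs straight from a DMG
        reasons.append("parent executes from a mounted disk image")
        severity = "high"
    if SENSITIVE_RE.search(args):  # dialog text asks for a secret
        reasons.append("dialog text references a password or wallet")
        severity = "high"
    ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return Finding(ts, parent, severity, "; ".join(reasons))


def scan(telemetry: str) -> list:
    """Run every non-empty line through assess_event and keep the hits."""
    findings = []
    for line in telemetry.splitlines():
        if line.strip():
            finding = assess_event(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


def chained_prompts(findings: list, window: timedelta = timedelta(minutes=2)) -> dict:
    """Return {parent: count} for parents that raised two or more masked
    prompts inside the window (the system-password-then-MetaMask pattern)."""
    by_parent = defaultdict(list)
    for f in findings:
        by_parent[f.parent].append(f.ts)
    chained = {}
    for parent, stamps in by_parent.items():
        stamps.sort()
        if len(stamps) >= 2 and stamps[-1] - stamps[0] <= window:
            chained[parent] = len(stamps)
    return chained


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h.severity}] {h.ts.isoformat()} {h.parent}: {h.reason}")
    for parent, n in chained_prompts(hits).items():
        print(f"[high] {n} masked prompts within 2 min from {parent}")
```

Run against the embedded sample, the two dialogs from the /Volumes binary are reported as high-severity and the parent is listed as having chained two masked prompts within two minutes, while the notification and the plain "Backup complete" dialog are ignored. The /Volumes heuristic is a deliberate choice: legitimate installers rarely need a masked osascript dialog while still running from the disk image, whereas the lures described above do exactly that.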
The developers behind Cthulhu Stealer are reportedly no longer active due to internal conflicts, including accusations of an exit scam by affiliates, leading to the main developer being banned from a cybercrime marketplace.
Despite its malicious intent, Cthulhu Stealer is not particularly sophisticated. It lacks the anti-analysis features that could make it more stealthy, and it doesn’t offer any unique functionalities that set it apart from other malware available on the black market.
While macOS faces fewer threats compared to Windows and Linux, users should remain cautious. It is advisable to download software only from trusted sources, avoid installing unverified applications, and ensure that systems are regularly updated with the latest security patches.
The rising tide of macOS malware has not gone unnoticed by Apple. In response, the company recently announced an upcoming update to its operating system, aimed at tightening security. In macOS Sequoia, users will no longer be able to bypass Gatekeeper protections simply by using the Control-click method. Instead, they will need to visit System Settings > Privacy & Security to review and approve any software that isn’t signed or notarized correctly.
To protect against threats like Cthulhu Stealer, macOS users should adopt strong security practices. Always download applications from reputable sources like the official App Store, avoid bypassing Gatekeeper protections, and keep your operating system up to date with the latest security patches.
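"Avoid bypassing Gatekeeper" can be turned into a concrete pre-flight check rather than a habit. The Python script below is an added example (not code from the article, Apple, or any vendor): it wraps the stock `spctl` and `codesign` utilities to assess an application bundle the way Gatekeeper would and maps the result to a block / caution / ok decision, so an unsigned bundle from a disk image is refused before anyone is tempted to override the prompt. The sample outputs in SAMPLE_OUTPUTS are constructed to match the shape `spctl` prints (an `accepted`/`rejected` line followed by `source=`), which lets the parsing and decision logic run on any platform; the `--type open --context context:primary-signature` invocation for assessing a DMG directly is included as the form I understand Apple documents for notarized disk images, and should be treated as an assumption to confirm against the current `spctl` man page.

```python
"""Assess a downloaded macOS app with Gatekeeper's own tooling before running it.

Added example, not code from the article, Apple or any security vendor. It
wraps the stock spctl and codesign utilities; SAMPLE_OUTPUTS are constructed
to match the form spctl prints so the decision logic can be tested anywhere.
"""
import subprocess
import sys

# Constructed sample spctl output for three representative cases.
SAMPLE_OUTPUTS = {
    "notarized": ("/Applications/Real.app: accepted\n"
                  "source=Notarized Developer ID\n"
                  "origin=Developer ID Application: Example Corp (TEAMID1234)\n"),
    "unnotarized": ("/Applications/Tool.app: accepted\n"
                    "source=Developer ID\n"
                    "origin=Developer ID Application: Example Corp (TEAMID1234)\n"),
    "unsigned": ("/Volumes/CleanMyMac/CleanMyMac.app: rejected\n"
                 "source=no usable signature\n"),
}

TRUSTED_SOURCES = ("Notarized Developer ID", "Mac App Store")


def parse_spctl_output(text: str) -> dict:
    """Extract verdict, source and origin from spctl's assessment output."""
    result = {"path": "", "verdict": "unknown", "source": "", "origin": ""}
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(": accepted") or line.endswith(": rejected"):
            result["path"], _, result["verdict"] = line.rpartition(": ")
        elif line.startswith("source="):
            result["source"] = line[len("source="):]
        elif line.startswith("origin="):
            result["origin"] = line[len("origin="):]
    return result


def classify(assessment: dict) -> tuple:
    """Map an assessment to (decision, message) for a pre-install gate."""
    verdict, source = assessment["verdict"], assessment["source"]
    if verdict == "unavailable":
        return "unavailable", "spctl not found; this check only runs on macOS"
    if verdict != "accepted":
        return "block", (f"Gatekeeper rejects it ({source or 'no reason given'}); "
                         "do not override via Control-click or Privacy & Security")
    if any(source.startswith(t) for t in TRUSTED_SOURCES):
        return "ok", f"accepted, {source}"
    # Signed with a Developer ID but never notarized: Apple has not scanned it.
    return "caution", f"accepted but not notarized ({source}); verify the publisher first"


def run_spctl(path: str, kind: str = "execute") -> dict:
    """Invoke spctl for an app bundle (kind='execute'). For a DMG, the Apple-
    documented form is believed to be kind='open' plus the primary-signature
    context (assumption; confirm against the spctl man page)."""
    cmd = ["spctl", "--assess", "--type", kind, "--verbose=4"]
    if kind == "open":
        cmd += ["--context", "context:primary-signature"]
    try:
        proc = subprocess.run(cmd + [path], capture_output=True, text=True)
    except FileNotFoundError:
        return {"path": path, "verdict": "unavailable", "source": "", "origin": ""}
    # spctl writes the assessment to stderr; merge both streams before parsing.
    return parse_spctl_output(proc.stdout + proc.stderr)


def signature_intact(path: str):
    """codesign --verify --deep --strict: True if the seal checks out,
    False if it does not, None when codesign is not available."""
    try:
        proc = subprocess.run(
            ["codesign", "--verify", "--deep", "--strict", "--verbose=2", path],
            capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.returncode == 0


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/Applications/Safari.app"
    decision, message = classify(run_spctl(target))
    print(f"{decision.upper()}: {target}: {message}")
    print(f"signature intact: {signature_intact(target)}")
```

Usage on a Mac is `python3 gatecheck.py /Volumes/SomeImage/SomeApp.app`; off macOS the script reports `UNAVAILABLE` instead of guessing. The decision table is deliberately strict: Gatekeeper's own `rejected` verdict (for example `source=no usable signature`, which is what an unsigned DMG payload like the one described above produces) is a hard block, and a Developer ID signature without notarization is only a caution because the signature proves a publisher identity but not that Apple has scanned the binary.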
Additionally, consider using advanced security tools that monitor for unusual activities, and stay informed about emerging threats targeting macOS. By maintaining a vigilant approach, users can significantly reduce the risk of falling victim to such malware.