Cthulhu Stealer
Cybersecurity researchers have identified a new information-stealing malware specifically designed to target Apple macOS systems, highlighting a growing trend where threat actors focus more on this operating system. Named the Cthulhu Stealer, the malware has been offered as part of a Malware-as-a-Service (MaaS) package since late 2023, priced at $500 per month. It is capable of attacking both x86_64 and Arm architectures.
The Cthulhu Stealer is distributed as an Apple disk image (DMG) containing two binaries tailored for different architectures. Written in Golang, the malware masquerades as legitimate software. Among the software programs it imitates are CleanMyMac, Grand Theft Auto IV, and Adobe GenP, the latter being an open-source tool used to bypass Adobe Creative Cloud's activation process.
The Cthulhu Stealer Collects Sensitive Data and Credentials
Users who choose to launch the unsigned file, after manually bypassing Gatekeeper protections, are prompted to enter their system password. This technique, an osascript-driven password prompt, has also been used by other macOS malware such as the Atomic Stealer, Cuckoo, MacStealer and the Banshee Stealer.
Following this, users are asked to enter their MetaMask password. The Cthulhu Stealer is further equipped to collect system information and extract iCloud Keychain passwords using an open-source tool called Chainbreaker.
The gathered data, which includes web browser cookies and Telegram account information, is then compressed into a ZIP archive and sent to a Command-and-Control (C2) server for exfiltration.
An Analysis of the Cthulhu Stealer’s Capabilities
The primary function of the Cthulhu Stealer is to harvest credentials and cryptocurrency wallets from various sources, including game accounts. Its features closely resemble those of the Atomic Stealer, suggesting that the developer of the Cthulhu Stealer may have modified Atomic Stealer's code. Both use osascript to prompt users for their passwords, even sharing the same spelling errors.
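The osascript password prompt mentioned above is a useful detection hook, because a legitimate application rarely needs to collect the user's login or wallet password through an AppleScript dialog. The script below is an added example, not code from the article or from any stealer sample: it scans process-creation telemetry for osascript invocations that build a dialog requesting a hidden (masked) answer with password-themed wording, and adds a supporting signal when the parent executable runs from a mounted disk image, since the article notes the stealer ships as a DMG. The `pid|ppid|parent_image|command_line` log format, the sample lines, the CleanMyMac-style path and the dialog wording are all constructed for this example; real EDR events will differ and should be mapped into `parse_event`.

```python
"""Detect osascript credential-prompt dialogs in process telemetry (added example)."""
import re
import shlex
from dataclasses import dataclass, field

# Signals that an AppleScript dialog is collecting a password: it must be a
# 'display dialog', the answer must be masked ('with hidden answer'), and the
# prompt text must talk about a password, wallet or keychain.
DISPLAY_DIALOG = re.compile(r"display\s+dialog", re.IGNORECASE)
HIDDEN_ANSWER = re.compile(r"with\s+hidden\s+answer", re.IGNORECASE)
PASSWORD_TERMS = re.compile(r"\b(password|passcode|passphrase|metamask|keychain)\b", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    parent_image: str
    signals: list = field(default_factory=list)


def parse_event(line):
    """Split one constructed telemetry line 'pid|ppid|parent_image|command_line'.
    Returns None for blank or malformed lines instead of raising."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4 or not parts[0].isdigit() or not parts[1].isdigit():
        return None
    pid, ppid, parent, cmd = parts
    return {"pid": int(pid), "ppid": int(ppid), "parent": parent, "cmd": cmd}


def osascript_script_text(cmd):
    """Return the AppleScript passed to osascript via -e arguments, or None when the
    command line is not an osascript invocation (or cannot be tokenised)."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None  # unbalanced quotes: not a parseable shell command line
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return None
    snippets = [argv[i + 1] for i, a in enumerate(argv) if a == "-e" and i + 1 < len(argv)]
    return " ".join(snippets)


def is_hidden_password_dialog(script):
    """True when the AppleScript builds a dialog that asks for a masked password."""
    return bool(DISPLAY_DIALOG.search(script) and HIDDEN_ANSWER.search(script)
                and PASSWORD_TERMS.search(script))


def launched_from_disk_image(parent_image):
    """Heuristic: a parent executable under /Volumes/ runs from a mounted image.
    Supporting context only; plenty of legitimate installers also run from DMGs."""
    return parent_image.startswith("/Volumes/")


def scan(log_text):
    """Return a Finding for every telemetry line that matches the prompt pattern."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        script = osascript_script_text(ev["cmd"])
        if script is None or not is_hidden_password_dialog(script):
            continue
        f = Finding(ev["pid"], ev["parent"], ["osascript dialog requesting a hidden password answer"])
        if launched_from_disk_image(ev["parent"]):
            f.signals.append("parent executable runs from a mounted disk image (/Volumes)")
        findings.append(f)
    return findings


# Constructed sample telemetry: two credential prompts from a fake CleanMyMac on a
# mounted DMG, plus two benign osascript uses that must not be flagged.
SAMPLE_LOG = """\
4101|4100|/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac|osascript -e 'display dialog "System update requires your password" default answer "" with hidden answer buttons {"OK"}'
4102|4100|/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac|osascript -e 'display dialog "Enter your MetaMask password" default answer "" with hidden answer'
5200|5100|/Applications/Xcode.app/Contents/MacOS/Xcode|osascript -e 'display notification "Build finished" with title "Xcode"'
5300|5100|/usr/local/bin/admin-tool|osascript -e 'display dialog "Restart now?" buttons {"Later", "Now"}'
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"pid {finding.pid} ({finding.parent_image}): " + "; ".join(finding.signals))
```

Run against the constructed log, the scan reports pids 4101 and 4102 with both signals and ignores the notification and the plain confirmation dialog. In production, feed it process-creation events from your EDR or unified log, and treat the DMG signal as an enrichment for triage rather than an alert on its own.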
The group behind this malware is reportedly no longer active, partly due to disputes over payments, leading to accusations of an exit scam by affiliates. This resulted in the main developer being permanently banned from the cybercrime marketplace where the stealer was advertised.
The Cthulhu Stealer is not particularly sophisticated, lacking advanced anti-analysis techniques that would allow it to operate stealthily. Additionally, it does not have any distinctive capabilities that set it apart from other similar tools in the underground market.
Apple Is Implementing Additional Steps to Prevent Malware
Although macOS faces fewer threats than Windows and Linux, users should still be cautious. It is crucial to download software only from reputable sources, avoid installing unverified applications and keep systems updated with the latest security patches.
Apple has acknowledged the rise in macOS malware and, earlier this month, announced an update for its upcoming operating system version, Sequoia. This update introduces stricter measures for opening software that isn't properly signed or notarized.
In macOS Sequoia, users will no longer be able to Control-click to bypass Gatekeeper for unverified software. Instead, they will need to navigate to System Settings > Privacy & Security to review and approve security information for such applications before running them.