TL;DR
- A new malware called “Cthulhu Stealer” targets macOS users, stealing sensitive information.
- The malware is disguised as legitimate applications and distributed under a Malware as a Service (MaaS) model for $500 per month.
- Apple plans to strengthen security in its upcoming macOS Sequoia operating system to protect users.
A new malware dubbed “Cthulhu Stealer” has emerged, specifically targeting macOS users with the aim of stealing a wide range of sensitive information.
This malware, available under a Malware as a Service (MaaS) model for a monthly cost of $500, has been in circulation since late 2023.
It is capable of compromising both x86_64 and Arm architectures, making it versatile in scope.
The main strategy of this malware is to disguise itself as legitimate software, such as CleanMyMac, Grand Theft Auto IV, and Adobe GenP, tricking users into granting permissions that enable data theft.
The infection process begins when the user downloads and executes the malicious file, explicitly allowing it and bypassing macOS Gatekeeper protections.
Once active, Cthulhu Stealer prompts the user to enter their system password, using an osascript-based technique that has already been employed by other malware such as Atomic Stealer and MacStealer.
A second prompt then appears to obtain the password for MetaMask, a cryptocurrency wallet.
The malware also has the ability to extract passwords stored in the iCloud Keychain by using an open-source tool called Chainbreaker.
All collected information, including web browser cookies and Telegram account data, is compressed into a ZIP file and sent to a command and control (C2) server.
Strengthening security in macOS
Although Cthulhu Stealer is not particularly sophisticated and lacks advanced anti-analysis techniques, its ability to trick users makes it a significant threat.
Its functionality is comparable to other known malware, suggesting that the developers have modified existing code to create this new variant.
However, the actors behind Cthulhu Stealer have since ceased to be active due to internal disputes, leading to the lead developer being banned from an underground cybercrime marketplace.
Although threats to macOS are less common compared to Windows and Linux, the emergence of malware like Cthulhu Stealer underscores the need for increased caution on the part of Apple users.
It is vital that users download software only from trusted sources, avoid installing unverified applications, and keep their systems updated with the latest security measures.
Aware of this growing threat, Apple has announced that in the next version of its operating system, macOS Sequoia, users will no longer be able to bypass Gatekeeper protections with a simple click, but will instead have to review the security information in System Configuration before allowing any unsigned or unauthorized software to run.
This additional step promises to be a more effective barrier against inadvertent installation of malicious software, better protecting the data and privacy of macOS users.
