A newly discovered malware, Cthulhu Stealer, has been observed targeting macOS users, marking another significant cybersecurity threat to Apple’s operating system.
The tool, identified by Cado Security, operates as a malware-as-a-service (MaaS) and leverages Apple disk images (DMG) to disguise itself as legitimate software.
How Cthulhu Stealer Works
The Cthulhu Stealer primarily focuses on stealing sensitive information, including credentials and cryptocurrency wallets, from its victims. Once a user mounts the DMG and opens the disguised file, the malware uses osascript, a macOS command-line tool, to prompt the user for their system and MetaMask passwords.
The stolen data is stored in a directory and compressed into a zip file for exfiltration to the malware’s command-and-control (C2) server. The stolen data includes:
-
Keychain passwords
-
MetaMask and Coinbase wallets
-
Game account details like Battle.net
-
Browser cookies and extensions
Cthulhu Stealer mimics well-known software, such as CleanMyMac, Adobe GenP and a typo-laden “Grand Theft Auto IV,” to trick users into installing it.
Similarities to Atomic Stealer and Developer Disputes
Cado Security has noted substantial similarities between Cthulhu Stealer and the earlier Atomic Stealer, indicating that Cthulhu Stealer may be a modified version of the latter. Both malware variants utilize similar password prompts and data collection techniques, suggesting they may share a developer.
The operators behind Cthulhu Stealer, known as the “Cthulhu Team,” rent out the malware to affiliates for $500 per month. However, disputes over payments have reportedly led to accusations of fraud within the group, resulting in the main developer being banned from a popular malware marketplace.
Protecting macOS Against Cthulhu Stealer
According to Cado Security, the discovery underscores the evolving threat landscape for macOS users.
“While macOS has long been considered a secure system, the existence of malware targeting Mac users remains an increasing security concern,” the company wrote.
To protect against similar threats like Cthulhu Stealer, Cado Security recommends several precautions for macOS users. These include:
-
Downloading software only from trusted sources, such as the Apple App Store or the official websites of reputable developers
-
Enabling macOS’s built-in security features, such as Gatekeeper, to prevent the installation of unverified apps
-
Keeping your system and applications up to date with the latest security patches
-
Using reputable antivirus software for an additional layer of protection
Image credit: Farknot Architect / Shutterstock.com