
Cybersecurity researchers have discovered a new information stealer designed to target Apple macOS hosts to gather a wide range of information, highlighting the growing focus of threat actors on the operating system.
The malware, named “Cthulhu Stealer,” has been available under a Malware-as-a-Service (MaaS) model for $500 per month since late 2023. It can target both x86_64 and Arm architectures.
“Cthulhu Stealer is an Apple Disk Image (DMG) bundled with two binaries depending on the architecture,” said Tara Gould, a researcher at Cato Security. “The malware is written in Golang and masquerades as legitimate software.”
Some of the software programs it poses as include CleanMyMac, Grand Theft Auto IV, and Adobe GenP, an open-source tool that patches Adobe apps to bypass Creative Cloud services and activate them without a serial key.

A user who explicitly allows the unsigned file to run, thus bypassing Gatekeeper protection, and launches it is prompted for their system password via osascript, a technique also employed by Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer.
The user is then presented with a second prompt asking for their MetaMask password. Cthulhu Stealer is designed to gather system information and dump iCloud Keychain passwords using an open-source tool called Chainbreaker.
The stolen data, including web browser cookies and Telegram account information, is compressed into a ZIP archive and then exfiltrated to a command-and-control (C2) server.
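As an added defensive example that is not part of the original report or of Cato Security's tooling, the osascript password-prompt behaviour described above can be surfaced from process telemetry. The event format and the path prefixes treated as untrusted are assumptions, and the sample events are constructed:

```python
import re
from collections import defaultdict

# Constructed process-execution events in the shape an EDR or a `log stream`
# collector might emit (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/usr/bin/osascript",
     "argv": ["osascript", "-e", 'tell application "Finder" to empty trash']},
    {"parent": "/Volumes/CleanMyMac/CleanMyMac",  # binary run straight from a mounted DMG
     "image": "/usr/bin/osascript",
     "argv": ["osascript", "-e", 'display dialog "Please enter your password" '
                                 'default answer "" with icon caution with hidden answer']},
    {"parent": "/Volumes/CleanMyMac/CleanMyMac",
     "image": "/usr/bin/osascript",
     "argv": ["osascript", "-e", 'display dialog "Enter your MetaMask password" '
                                 'default answer "" with hidden answer']},
    {"parent": "/Applications/Script Editor.app/Contents/MacOS/Script Editor",
     "image": "/usr/bin/osascript",
     "argv": ["osascript", "-e", 'display dialog "Enter API token" default answer "" with hidden answer']},
]

# `display dialog ... with hidden answer` draws a masked text field, which is how a
# plain script imitates a system password prompt.
PASSWORD_DIALOG = re.compile(r"display dialog.*with hidden answer", re.S)
# Assumed untrusted launch locations: mounted disk images, temp dirs, Downloads.
UNTRUSTED_PARENT = re.compile(r"^(/Volumes/|/private/tmp/|/tmp/|/Users/[^/]+/Downloads/)")

def is_password_dialog(event):
    """True if this process event is osascript showing a masked-input dialog."""
    if not event["image"].endswith("/osascript"):
        return False
    return any(PASSWORD_DIALOG.search(arg) for arg in event["argv"])

def score_parents(events):
    """Group masked-input dialogs by the parent that spawned them and return
    {parent: severity}. Severity rises when the parent runs from an untrusted
    location and when it prompts more than once (system password, then a
    wallet password, as in the stealer described above)."""
    prompts = defaultdict(int)
    for ev in events:
        if is_password_dialog(ev):
            prompts[ev["parent"]] += 1
    findings = {}
    for parent, n in prompts.items():
        sev = "low"
        if UNTRUSTED_PARENT.match(parent):
            sev = "high" if n >= 2 else "medium"
        findings[parent] = sev
    return findings

if __name__ == "__main__":
    for parent, sev in score_parents(SAMPLE_EVENTS).items():
        print(f"{sev:6s} {parent}")
```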

“The primary function of the Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including gaming accounts,” Gould said.
“The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, and the developers of Cthulhu Stealer likely modified Atomic Stealer’s code. The use of osascript to prompt the user for their password is similar between Atomic Stealer and Cthulhu, as are the spelling mistakes.”
The threat actors behind this malware are said to be no longer active after a dispute over payment led to accusations of exit fraud by affiliates, resulting in the main developer being permanently banned from cybercrime marketplaces used to promote this malware.
The Cthulhu Stealer is not particularly sophisticated and lacks any anti-analysis techniques that would allow it to operate stealthily, nor does it offer any distinctive features that would distinguish it from other similar products offered in the underground.

Although there are far fewer threats to macOS than to Windows or Linux, users are advised to download software only from trusted sources, avoid installing unverified apps, and keep their systems up to date with the latest security updates.
The surge in macOS malware hasn’t gone unnoticed by Apple, which earlier this month announced a change in the next version of its OS that makes it harder to open software that hasn’t been properly signed or notarized.
“In macOS Sequoia, users will no longer be able to Control-click to disable Gatekeeper when opening software that isn’t properly signed or notarized,” Apple said. “They’ll need to visit System Preferences > Privacy & Security to review the software’s security information before allowing it to run.”