Cybersecurity researchers have discovered a new information stealer that is designed to attack Apple macOS hosts and collect a wide range of information, highlighting the increasing focus of threat actors on the operating system.
The malware, called Cthulhu Stealer, has been available under a malware-as-a-service (MaaS) model for $500 per month since late 2023. It is capable of targeting both x86_64 and Arm architectures.
“Cthulhu Stealer is an Apple disk image (DMG) that comes bundled with two architecture-specific binaries,” Cato Security researcher Tara Gould said. “The malware is written in Golang and pretends to be legitimate software.”
Some of the programs it impersonates include CleanMyMac, Grand Theft Auto IV, and Adobe GenP, the latter of which is an open-source tool that patches Adobe apps to bypass the Creative Cloud service and activate them without a serial key.
Users who end up running the unsigned file after explicitly allowing it to run, i.e. bypassing Gatekeeper protection, are prompted for their system password, an osascript-based technique that was subsequently adopted by Atomic Stealer, Cuckoo, MacStealer and Banshee Stealer.
This is followed by a second prompt asking for the user's MetaMask password. Cthulhu Stealer is also designed to collect system information and dump iCloud Keychain passwords using an open-source tool called Chainbreaker.
The stolen data, which also includes web browser cookies and Telegram account information, is compressed and stored in a ZIP archive before being sent to the command-and-control (C2) server.
“The primary function of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts,” Gould said.
“The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating that the developer of Cthulhu Stealer probably took Atomic Stealer and changed the code. The use of osascript to prompt the user for a password is similar to Atomic Stealer and Cthulhu, even with the same spelling mistakes.”
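As an added example (not from the Cato report or this article), the detection logic a macOS EDR rule might apply to process-execution telemetry for the chain described above: an osascript password dialog, a Chainbreaker keychain dump and ZIP staging, correlated under one parent process launched from a mounted DMG. The events are constructed, and the `with hidden answer` AppleScript clause (which masks typed input) is an assumption about how such a prompt is built with osascript, not a detail taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample process-execution events in the shape an EDR might emit.
# These are NOT real Cthulhu Stealer telemetry; paths and dialog text are invented.
SAMPLE_EVENTS = [
    {"ts": "2024-08-22T10:01:03Z", "ppid": 812, "pid": 901, "parent": "/Volumes/CleanMyMac/CleanMyMac",
     "cmd": "osascript -e 'display dialog \"macOS needs to access System Settings\" default answer \"\" with icon caution with hidden answer'"},
    {"ts": "2024-08-22T10:01:09Z", "ppid": 812, "pid": 904, "parent": "/Volumes/CleanMyMac/CleanMyMac",
     "cmd": "osascript -e 'display dialog \"Enter your MetaMask password\" default answer \"\" with hidden answer'"},
    {"ts": "2024-08-22T10:01:15Z", "ppid": 812, "pid": 907, "parent": "/Volumes/CleanMyMac/CleanMyMac",
     "cmd": "python3 chainbreaker.py /Users/alice/Library/Keychains/login.keychain-db"},
    {"ts": "2024-08-22T10:01:30Z", "ppid": 812, "pid": 910, "parent": "/Volumes/CleanMyMac/CleanMyMac",
     "cmd": "zip -r /var/tmp/out.zip /var/tmp/collect"},
    # Benign: an admin's own AppleScript automation that captures no input.
    {"ts": "2024-08-22T10:02:00Z", "ppid": 500, "pid": 950, "parent": "/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "cmd": "osascript -e 'display notification \"Backup finished\"'"},
]

# One rule per stage of the chain. "with hidden answer" is the AppleScript clause that
# masks typed input (assumption about how the osascript password prompt is built).
RULES = {
    "osascript_password_prompt": re.compile(r"^osascript\b.*display dialog.*with hidden answer", re.IGNORECASE),
    "keychain_dump_chainbreaker": re.compile(r"chainbreaker", re.IGNORECASE),
    "archive_staging": re.compile(r"^(zip|ditto)\b.*\.zip\b", re.IGNORECASE),
}

def classify(event):
    """Return the set of rule names whose pattern matches the event's command line."""
    return {name for name, rx in RULES.items() if rx.search(event["cmd"])}

def correlate(events, min_stages=2):
    """Group matches by parent process and flag parents whose children cover at least
    `min_stages` distinct stages. A lone osascript dialog is noisy; prompt + keychain
    dump + archive under one parent launched from /Volumes/ (a mounted DMG) is not."""
    by_parent = defaultdict(lambda: {"stages": set(), "pids": [], "from_dmg": False})
    for ev in events:
        hits = classify(ev)
        if not hits:
            continue
        rec = by_parent[(ev["ppid"], ev["parent"])]
        rec["stages"] |= hits
        rec["pids"].append(ev["pid"])
        rec["from_dmg"] = rec["from_dmg"] or ev["parent"].startswith("/Volumes/")
    return [{"ppid": ppid, "parent": parent, "from_dmg": rec["from_dmg"],
             "stages": sorted(rec["stages"]), "children": rec["pids"]}
            for (ppid, parent), rec in by_parent.items() if len(rec["stages"]) >= min_stages]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```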
The threat actors behind the malware are said to be no longer active, in part due to a payment dispute that led to allegations of fraud by affiliates, resulting in the main developer being permanently banned from the cybercrime marketplace that was used to advertise the stealer.
Cthulhu Stealer is not particularly sophisticated and has no anti-analysis techniques that would allow it to work stealthily. It also lacks any standout features that set it apart from other similar offerings in the underground.
While macOS threats are far less common than those targeting Windows and Linux, users are advised to download software only from trusted sources, avoid installing unverified programs, and keep their systems up to date with the latest security updates.
The spike in macOS malware hasn’t gone unnoticed by Apple, which earlier this month announced an update to the next version of the operating system that aims to make it harder to open software that isn’t properly signed or notarized.
“In macOS Sequoia, users will no longer be able to press Control to override Gatekeeper when opening software that is not properly signed or notarized,” Apple said. “They will need to visit System Preferences > Privacy & Security to review the software’s security information before allowing it to run.”