Cybersecurity researchers have uncovered a new information stealer that’s designed to target Apple macOS hosts and harvest a wide range of information, underscoring how threat actors are increasingly setting their sights on the operating system.
Dubbed Cthulhu Stealer, the malware has been available under a malware-as-a-service (MaaS) model for $500 a month from late 2023. It’s capable of targeting both x86_64 and Arm architectures.
“Cthulhu Stealer is an Apple disk image (DMG) that is bundled with two binaries, depending on the architecture,” Cato Security researcher Tara Gould said. “The malware is written in Golang and disguises itself as legitimate software.”
Some of the software programs it impersonates include CleanMyMac, Grand Theft Auto IV, and Adobe GenP, the last of which is an open-source tool that patches Adobe apps to bypass the Creative Cloud service and activates them without a serial key.
Users who end up launching the unsigned file after explicitly allowing it to be run – i.e., bypassing Gatekeeper protections – are prompted to enter their system password, an osascript-based technique that has been adopted by Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer.
In the next step, a second prompt is presented to enter their MetaMask password. Cthulhu Stealer is also designed to harvest system information and dump iCloud Keychain passwords using an open-source tool called Chainbreaker.
The stolen data, which also comprises web browser cookies and Telegram account information, is compressed and stored in a ZIP archive file, after which it’s exfiltrated to a command-and-control (C2) server.
“The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts,” Gould said.
“The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating the developer of Cthulhu Stealer probably took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, even including the same spelling mistakes.”
The threat actors behind the malware are said to be no longer active, in part driven by disputes over payments that have led to accusations of exit scam by affiliates, resulting in the main developer being permanently banned from a cybercrime marketplace used to advertise the stealer.
Cthulhu Stealer isn’t particularly sophisticated and lacks anti-analysis techniques that could allow it to operate stealthily. It is also short of any standout feature that distinguishes it from other similar offerings in the underground.
While threats to macOS are much less prevalent than to Windows and Linux, users are advised to download software only from trusted sources, stay away from installing unverified apps, and keep their systems up-to-date with the latest security updates.
The surge in macOS malware hasn’t gone unnoticed by Apple, which, earlier this month, announced an update to its next version of the operating system that aims to add more friction when attempting to open software that isn’t signed correctly or notarized.
“In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn’t signed correctly or notarized,” Apple said. “They’ll need to visit System Settings > Privacy & Security to review security information for software before allowing it to run.”
