Cthulhu Stealer: New Malware Threatens macOS Users
Researchers at Cado Security have discovered a new piece of malware targeting macOS users. This malware, named “Cthulhu Stealer,” is designed to harvest a wide range of data from Apple devices, highlighting the increasing focus of cybercriminals on this platform.
Cthulhu Stealer has been circulating since late 2023 under the “Malware-as-a-Service” (MaaS) model, with a subscription fee of $500 per month. It operates on both x86_64 and Arm architectures. The malware disguises itself as legitimate software, including popular applications like CleanMyMac and even the video game Grand Theft Auto IV. The attack leverages an Apple Disk Image (DMG) containing two binary files tailored for different architectures.
The primary threat lies in users who decide to run an unsigned file, thereby bypassing Gatekeeper protection and entering their system password.
The malware is also capable of requesting the MetaMask password, making it particularly dangerous for cryptocurrency wallet owners. Cthulhu Stealer gathers system information and extracts passwords from the iCloud Keychain using an open-source tool called Chainbreaker.
The collected data, including web browser cookies and Telegram account information, is compressed into an archive and sent to the attackers’ server. The main objectives of this malware are to steal credentials, cryptocurrency wallets, and gaming accounts.
According to Cado Security, Cthulhu Stealer shares many similarities with another well-known piece of malware, Atomic Stealer. It is likely that the developer of Cthulhu Stealer based their code on Atomic Stealer and made modifications.
At present, the perpetrators behind Cthulhu Stealer have ceased their activities. Internal conflicts and disputes over payments led to accusations of fraud, resulting in the main developer being permanently banned from the cybercriminal marketplace where this malware was promoted.
Although Cthulhu Stealer is neither highly sophisticated nor unique in its capabilities, its existence underscores the growing interest in the macOS platform among cybercriminals. Users are advised to download software only from trusted sources, avoid installing unverified applications, and regularly update their systems.
Apple has also taken note of the rising threats to macOS and recently announced security enhancements in the upcoming version of the operating system. In macOS Sequoia, users will no longer be able to bypass Gatekeeper protection via Control-click to run unsigned software.
Instead, they will need to navigate to “System Settings” and manually authorize the launch of suspicious programs, which may help shield less experienced users from inadvertently infecting their macOS devices.
