A recently discovered malware, dubbed “Cthulhu Stealer,” is targeting macOS users by attempting to steal sensitive data, including passwords and cryptocurrency wallets. Cado Security reported this new threat, which disguises itself as legitimate software, making it especially dangerous.
How Cthulhu Stealer operates
Cado Security has provided details on how this malware works. The Cthulhu Stealer arrives as an Apple disk image (.dmg) containing two binaries tailored for different system architectures. Written in Golang, the malware presents itself as genuine software. When users mount the .dmg file, they are prompted to open the software. Once the file is opened, the malware leverages osascript, macOS's command-line tool for running AppleScript and JavaScript, to prompt the user to enter their password.
Following this initial deception, the malware presents a second prompt asking for the user's MetaMask password, a tactic seen in other similar malware like Cuckoo, Atomic Stealer, and Banshee Stealer. However, Cthulhu Stealer takes things a step further by gathering system data and attempting to erase users' iCloud Keychain passwords through a tool called Chainbreaker.
The disguise that makes it dangerous
Cthulhu Stealer's ability to masquerade as a well-known software application is particularly concerning. By exploiting Apple's disk image files, it can appear in popular programs like AdobeGenP, CleanMyMac, and even Grand Theft Auto IV. The AdobeGenP application, for instance, is known to allow users to bypass entering a serial key or paying for a Creative Cloud subscription, making it an attractive target for unsuspecting users.
Once Cthulhu Stealer has infiltrated your system, it collects a wide range of data, including Telegram account information and web browser cookies. This data is then compressed into a ZIP archive and sent to a command-and-control (C2) server where the attackers operate. Interestingly, the malware shares some features with Atomic Stealer, including similar spelling errors, suggesting that the developer might have reused code with slight modifications.
Staying safe in a rising-threat landscape
To protect yourself from this growing threat, you must be vigilant about where you download your software. Stick to reputable sources and ensure your Mac always runs the latest macOS version. Adding a legitimate antivirus program for Macs is also a wise precaution.
Apple is aware of the increasing threat of Mac malware and has responded by implementing crucial security updates. With the release of macOS Sequoia, Apple has removed the ability to override Gatekeeper by Control-clicking on software that isn't properly signed or notarized. To further secure your system, you'll need to go to System Settings > Privacy & Security to check the security information of any software before running it.
