
Cthulhu Stealer Malware Targets macOS Devices

Cthulhu Stealer, a newly discovered piece of malware, targets macOS users and attempts to steal valuable information. It focuses on sensitive data such as passwords and cryptocurrency wallets, putting users at risk of serious security breaches.

As threats like Silver Sparrow, KeRanger, and Atomic Stealer emerge, macOS users are becoming more aware of their systems’ vulnerabilities. Cado Security’s discovery of Cthulhu Stealer, a new malware-as-a-service (MaaS) offering, adds to this concerning trend.

This malware, available for rent at $500 per month, specifically targets macOS users with the intent of stealing sensitive data. It poses as several legitimate software applications, such as Adobe GenP, Grand Theft Auto IV, and CleanMyMac. Adobe GenP is an open-source tool that bypasses Adobe’s Creative Cloud service and activates apps without requiring a serial key.

A New macOS Malware that Uses Disc Images to Steal Passwords

Cthulhu Stealer is distributed as an Apple disc image (.dmg) containing two binaries, one built for ARM and one for x86_64. The malware, written in Golang, disguises itself as legitimate software.

When users mount the disc image, a prompt to launch the program appears. Once it is launched, the malware asks the user for their password using macOS’s osascript, a command-line utility for executing AppleScript and JavaScript.

MacOS Disc Image Password Prompt - Golang-Based Cthulhu Stealer

After the user has entered their password, a second popup asks for their MetaMask password. The malware then creates a directory called “/Users/Shared/NW” in which it saves text files containing the credentials.

It uses Chainbreaker to dump Keychain passwords and exports them to a file called Keychain.txt. It then notifies the command-and-control (C2) server that new logs are available.

The malware collects information about the victim’s system, including hardware and software specifications, OS version, system name, and IP address (obtained via ipinfo.io), and uses this to fingerprint the machine.

Following its intrusion, Cthulhu Stealer gathers a variety of information, such as cookies from web browsers and Telegram account details. Once compressed, this data is transferred to the C2 server in the form of a ZIP package.

The malware can exfiltrate several kinds of data from a number of sources. Because it can access browser cookies, attackers can hijack user sessions and recover saved passwords.

Targeting Cryptocurrency Wallets and Gaming Accounts

Cthulhu Stealer exhibits a particular focus on financial information by targeting a wide range of cryptocurrency wallets, including Coinbase, MetaMask, Wasabi, Binance, Daedalus, Electrum, Atomic, Harmony, Enjin, Hoo, Dapper, Coinomi, Trust, Blockchain, and XDeFi.

The malware also targets particular programs and services, collecting account information from Minecraft, Battle.net, and Telegram’s Tdata account data, which could compromise both private and public gaming activity.

It can also retrieve passwords from SafeStorage and Keychain. Interestingly, Cthulhu Stealer and Atomic Stealer have a lot in common, which suggests they may share the same developer. Both stealers ask users for their credentials using the macOS command-line program osascript, and even reuse the same typos in their prompts.

Reports indicate that the threat actors behind Cthulhu Stealer have ceased operations, partly due to payment disputes. The primary developer was permanently banned from a cybercrime marketplace where the stealer was promoted, leading affiliates to accuse him of running an exit scam.

Cthulhu Stealer lacks the anti-analysis techniques that would allow it to operate covertly and does not possess any unique features that differentiate it from other similar products on the underground market.

Enable macOS’s built-in security measures, such as Gatekeeper, to block the installation of unsigned or unnotarised software. Keep your operating system and applications up to date with the latest security updates.
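Alongside those controls, a quick triage check for the artefacts described above is useful. The script below is an added example, not Cado Security’s tooling or code from the malware: it looks for the /Users/Shared/NW staging directory and its Keychain.txt dump, and scans a process-log excerpt for osascript dialogs with a hidden (password-style) answer field. The helper names, the log format and the demo data are assumptions; the indicators come from the report above.

```shell
#!/bin/sh
# Added triage helper (hypothetical); indicators taken from the Cthulhu Stealer report.
STAGING_DIR="Users/Shared/NW"   # directory the stealer creates for its credential files
KEYCHAIN_DUMP="Keychain.txt"    # file name of the Chainbreaker Keychain dump

# Usage: check_staging_dir ROOT (defaults to /). Returns 0 and lists credential
# text files when the staging directory exists, 1 when it does not.
check_staging_dir() {
    root="${1:-/}"
    dir="${root%/}/$STAGING_DIR"
    [ -d "$dir" ] || return 1
    echo "[!] staging directory present: $dir"
    for f in "$dir"/*.txt; do
        [ -f "$f" ] || continue
        if [ "$(basename "$f")" = "$KEYCHAIN_DUMP" ]; then
            echo "[!] keychain dump (Chainbreaker output): $f"
        else
            echo "[!] credential text file: $f"
        fi
    done
}

# Usage: check_osascript_prompts LOGFILE. Returns 0 when the log shows osascript
# rendering a "display dialog ... with hidden answer" password prompt, 1 otherwise.
check_osascript_prompts() {
    hits=$(grep -i 'osascript' "$1" | grep -i 'display dialog' \
           | grep -ic 'hidden answer' || true)
    [ "${hits:-0}" -gt 0 ] || return 1
    echo "[!] $hits osascript password prompt(s) in $1:"
    grep -i 'osascript' "$1" | grep -i 'display dialog' | grep -i 'hidden answer'
}

# Constructed demo data: a fake filesystem root and a constructed process log.
# On a real host you would pass / and an excerpt from `log show` or an EDR export.
DEMO="$(mktemp -d)"
mkdir -p "$DEMO/$STAGING_DIR"
printf 'user:hunter2\n' > "$DEMO/$STAGING_DIR/password.txt"
: > "$DEMO/$STAGING_DIR/$KEYCHAIN_DUMP"
cat > "$DEMO/proc.log" <<'EOF'
12:00:01 pid=512 /usr/bin/osascript -e 'display dialog "MacOS needs your password" default answer "" with hidden answer'
12:00:09 pid=530 /bin/ls -la /Users/Shared
EOF
check_staging_dir "$DEMO"
check_osascript_prompts "$DEMO/proc.log"
```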

In response to a rise in macOS malware, Apple recently released an operating system update that improves security when opening software that has not been properly signed or notarised.

Reducing an organisation’s susceptibility to a successful attack should be at the forefront of any cyber-risk decision making as we move into this next phase of attack sophistication and complexity. Continuous phishing and security-awareness training is an important part of addressing the “people” side of the information security triangle, which consists of “people”, “process” and “technology”.
