BIGFISH TECHNOLOGY LIMITED
23 August 2024

The new macOS malware "Cthulhu Stealer" targets Apple users' data.

Cybersecurity researchers have discovered a new information stealer designed to target Apple macOS hosts and collect a wide range of data, highlighting how threat actors are increasingly focusing on the operating system.

The malware, dubbed Cthulhu Stealer, has been sold under a malware-as-a-service (MaaS) model for $500 per month since late 2023. It can target both x86_64 and Arm architectures.

"Cthulhu Stealer is an Apple disk image (DMG) that is bundled with two binaries, depending on the architecture," Cato Security researcher Tara Gould explained. "The malware is written in Golang and disguises itself as legitimate software."

Some of the software products it impersonates include CleanMyMac, Grand Theft Auto IV, and Adobe GenP. The latter is an open-source tool that

Users who launch the unsigned file after explicitly allowing it to run, thereby bypassing Gatekeeper protections, are prompted to enter their system password, an osascript-based technique also used by Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer.
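As an added defensive example (not code from the article, from Cato Security, or from the malware), the following Python flags the osascript password-prompt technique described above in constructed process-execution telemetry. The event format, the process names and the dialog wording are assumptions; the check keys on the structural `display dialog ... with hidden answer` pattern rather than on prompt text, since the article notes these prompts carry spelling errors.

```python
import re
import shlex

# Constructed sample telemetry (not a real EDR schema): one process-execution
# event per line as "parent=<name> cmd=<command line>". Parent names are made
# up to mirror the apps the article says the stealer impersonates.
SAMPLE_EVENTS = [
    "parent=CleanMyMac cmd=osascript -e 'display dialog \"macOS needs your passwrod to continue\" "
    "default answer \"\" with hidden answer with title \"System Preferences\"'",
    "parent=Terminal cmd=osascript -e 'display notification \"Build finished\"'",
    "parent=GTA-IV-Installer cmd=/usr/bin/osascript -e 'set r to display dialog "
    "\"Enter your MetaMask password\" default answer \"\" with hidden answer' -e 'text returned of r'",
    "parent=Installer cmd=osascript /tmp/prompt.scpt",
    "parent=Finder cmd=open /Applications/Safari.app",
]

EVENT_RE = re.compile(r"^parent=(\S+)\s+cmd=(.*)$")
# Structural marker of a password-style AppleScript dialog; wording is ignored.
HIDDEN_ANSWER = re.compile(r"display\s+dialog.*?with\s+hidden\s+answer", re.I | re.S)


def inline_script(argv):
    """Join every '-e' fragment into one script; None when osascript reads the
    script from a file or stdin, so its content is not visible in the argv."""
    parts = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-e"]
    return "\n".join(parts) if parts else None


def analyse_event(line):
    """Return (parent, reason) for a suspicious osascript event, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    parent, argv = m.group(1), shlex.split(m.group(2))
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return None
    script = inline_script(argv)
    if script is None:
        return (parent, "osascript script not inline; retrieve the file/stdin for review")
    if HIDDEN_ANSWER.search(script):
        return (parent, "osascript password-style dialog (hidden answer)")
    return None


def detect_credential_prompts(events):
    """Run the check over a batch of events and keep only the findings."""
    return [f for f in map(analyse_event, events) if f]


if __name__ == "__main__":
    for parent, reason in detect_credential_prompts(SAMPLE_EVENTS):
        print(f"{parent}: {reason}")
```

Pair the parent name with its code-signing status in real telemetry: a hidden-answer dialog spawned by an unsigned or unnotarized binary is the combination the article describes.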

In the next stage, they are prompted once more, this time for their MetaMask password. Cthulhu Stealer is also designed to gather system information and dump iCloud Keychain passwords using an open-source tool called Chainbreaker.

The stolen data, which includes web browser cookies and Telegram account information, is compressed and saved in a ZIP archive file before being transmitted to a command-and-control (C2) server.

"The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts," Gould said.

"The functionality and features of Cthulhu Stealer are remarkably similar to Atomic Stealer, implying that the developer of Cthulhu Stealer likely grabbed Atomic Stealer and updated the code. The usage of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, even with spelling errors."

The threat actors behind the malware are said to be no longer active, after payment disputes led affiliates to accuse the main developer of an exit scam, which resulted in the developer's permanent ban from the cybercrime marketplace used to advertise the stealer.

Cthulhu Stealer is not especially sophisticated, and it lacks the anti-analysis techniques that would allow it to operate stealthily. It also has no distinguishing feature that sets it apart from similar offerings in the underground.

While threats to macOS are significantly less common than those to Windows and Linux, users should download software only from reputable sources, avoid installing unverified programs, and keep their systems up to date with the latest security updates.

Apple has taken note of the increase in macOS malware, and earlier this month announced a change in the next version of the operating system that adds friction when a user attempts to open software that isn't properly signed or notarized.

"In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn't signed correctly or notarized," the company announced. "They'll need to visit System Settings > Privacy & Security to review security information for software before allowing it to run."


Source: The Hacker News