Cybersecurity researchers have revealed another data stealer that is intended to target Apple macOS hosts and collect an extensive variety of data, highlighting how threat actors are increasingly setting their sights on the operating system.
Dubbed Cthulhu Stealer, the malware has been available under a malware-as-a-service (MaaS) model for $500 a month from late 2023. It’s capable of targeting both x86_64 and Arm architectures.
“Cthulhu Stealer is an Apple disk image (DMG) that is bundled with two binaries, depending on the architecture,” Cato Security researcher Tara Gould said. “The malware is written in Golang and disguises itself as legitimate software.”
Some of the software programs it impersonates include CleanMyMac, Grand Theft Auto IV, and Adobe GenP, the last of which is an open-source tool that patches Adobe apps to bypass the Creative Cloud service and activates them without a serial key.
Clients who wind up sending off the unsigned record after explicitly permitting it to be run – i.e., bypassing Guardian securities – are incited to enter their system password, an osascript-based strategy that has beenadopted by Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer.
In the next step, a second prompt is presented to enter their MetaMask password. Cthulhu Stealer is also designed to harvest system information and dump iCloud Keychain passwords using an open-source tool called Chainbreaker.
The stolen data, which also comprises web browser cookies and Telegram account information, is compressed and stored in a ZIP archive file, after which it’s exfiltrated to a command-and-control (C2) server.
Gould said,”The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts,”
“The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating the developer of Cthulhu Stealer probably took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, even including the same spelling mistakes.”
The threat actors behind the malware are supposed to be as of now not dynamic, in that frame of mind by disagreements regarding installments that have prompted allegations of l exit scam by affiliates, bringing about the main developer being permanently banned from a cybercrime marketplace used to advertise the stealer.
Cthulhu Stealer isn’t especially complex and lacks anti-analysis techniques that could allow it to operate stealthily It is also short of any standout feature that separates it from other comparative contributions in the underground.
While threats to macOS are substantially less common than to Windows and Linux, clients are encouraged to download software only from trusted sources, avoid introducing unsubstantiated applications, and stay up with the latest with the most recent security updates.
The surge in macOS malware hasn’t gone unnoticed by Apple, which, earlier this month, announced an update to its next version of the operating system that aims to add more friction when attempting to open software that isn’t signed correctly or notarized.
“In macOS Sequoia, clients can never again Control-click to override Gatekeeper when opening software that isn’t signed correctly or notarized” Apple said. “They’ll have to visit system Settings > Protection and Security to audit security data for software prior to permitting it to run.”
