TLDR:
- A newly identified macOS malware, known as “Cthulhu Stealer,” targets data held by Apple users
- The malware disguises itself as trusted software titles such as CleanMyMac and Adobe GenP
- Designed to extract crypto wallets, stored passwords, and various critically sensitive details
- This threat is marketed as a service for cybercriminals, priced at $500 per month
- Apple is strategizing to strengthen Gatekeeper security with the release of macOS Sequoia
Security researchers have recently spotted a new malware strain targeting Apple’s macOS, sparking concern. Named “Cthulhu Stealer,” this malicious software poses a notable risk to Mac users' confidential data and digital assets.
Introduced in late 2023, Cthulhu Stealer is available on the dark web as a subscription service offered to cybercriminals for $500 each month.
This service model empowers multiple malicious users to unleash the malware on unsuspecting Mac users.
The malware sneaks onto systems by pretending to be well-known software, conning users into installing it. Disguises often include CleanMyMac, Grand Theft Auto IV, and Adobe GenP, and it typically appears as an Apple disk image (DMG) file, creating an aura of authenticity.
When the user tries to open the fake application, macOS’s built-in security layer, Gatekeeper, warns that the software is unsigned.
However, if the user dismisses this warning, the malware immediately prompts for the system password, disguising the request as a legitimate system dialog. This tactic mirrors techniques seen in other malicious Mac programs such as Atomic Stealer and MacStealer.
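The Gatekeeper warning described above is the last automated check before the user is tricked into entering a password, so a defender's habit worth building is to assess a download from the command line before double-clicking it. The following is an added example, not code from the original article or from any vendor named in it: a small Python wrapper around Apple's own `spctl --assess` (the tool Gatekeeper's verdict comes from) and `codesign --verify`. The parsing and risk-labelling logic is separated from the subprocess calls so it can be exercised on constructed sample output on any platform; the two sample outputs, the bundle paths and the signing identity in them are constructed for illustration and were not captured from a real sample.

```python
"""Gatekeeper-style triage of a downloaded macOS app bundle.

Added example (not from the original article). Wraps `spctl --assess` and
`codesign --verify` so a downloaded .app can be checked before it is ever
opened and before any "unsigned, open anyway?" dialog is dismissed.
"""
import platform
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Assessment:
    accepted: bool            # Gatekeeper verdict: "accepted" or "rejected"
    source: str               # e.g. "Notarized Developer ID", "no usable signature"
    origin: Optional[str]     # signing identity, when spctl reports one


def parse_spctl(output: str) -> Assessment:
    """Parse the text `spctl --assess -vv` prints.

    The first line ends with ': accepted' or ': rejected'; later lines are
    key=value pairs such as 'source=Notarized Developer ID'.
    """
    lines = [ln.strip() for ln in output.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty spctl output")
    verdict = lines[0]
    accepted = verdict.endswith(": accepted")
    if not accepted and not verdict.endswith(": rejected"):
        raise ValueError(f"unexpected verdict line: {verdict!r}")
    fields: Dict[str, str] = {}
    for ln in lines[1:]:
        key, sep, value = ln.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return Assessment(
        accepted=accepted,
        source=fields.get("source", "unknown"),
        origin=fields.get("origin"),
    )


def risk_level(a: Assessment) -> str:
    """Map a Gatekeeper assessment to a coarse triage label."""
    src = a.source.lower()
    if a.accepted and "notarized" in src:
        return "low"      # notarized Developer ID: what a legitimate download should show
    if a.accepted:
        return "medium"   # accepted for another reason; signed but not notarized
    return "high"         # rejected: unsigned, revoked or tampered; Gatekeeper would warn


def assess_app(bundle_path: str) -> Assessment:
    """Run Gatekeeper's assessment on an .app bundle (macOS only)."""
    if platform.system() != "Darwin":
        raise RuntimeError("spctl is only available on macOS")
    proc = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "-vv", bundle_path],
        capture_output=True, text=True, check=False,
    )
    # spctl writes its verdict to stderr; combine both streams to be safe
    return parse_spctl(proc.stderr + proc.stdout)


def signature_valid(bundle_path: str) -> bool:
    """True if the bundle's code signature verifies with codesign (macOS only)."""
    if platform.system() != "Darwin":
        raise RuntimeError("codesign is only available on macOS")
    proc = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", bundle_path],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0


# Constructed sample outputs for offline demonstration (not real captures).
SAMPLE_NOTARIZED = (
    "/Applications/Example.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMID0000)\n"
)
SAMPLE_UNSIGNED = (
    "/Volumes/Installer/Installer.app: rejected\n"
    "source=no usable signature\n"
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        result = assess_app(sys.argv[1])
        print(f"{sys.argv[1]}: risk={risk_level(result)} "
              f"source={result.source!r} codesign_ok={signature_valid(sys.argv[1])}")
    else:
        for sample in (SAMPLE_NOTARIZED, SAMPLE_UNSIGNED):
            a = parse_spctl(sample)
            print(f"{a.source!r}: risk={risk_level(a)}")
```

On a Mac, run it as `python3 triage.py /Volumes/SomeImage/Some.app` after mounting the downloaded DMG but before opening anything; a "high" result on an app that claims to be a well-known commercial product is the case the article describes and is a reason to delete the image rather than click through the warning.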
If granted system privileges, Cthulhu Stealer gains access to an extensive array of confidential information. It specifically preys on well-known cryptocurrency wallets, such as MetaMask, Coinbase, Wasabi, Electrum, Atomic, Binance, and Blockchain Wallet.
Additionally, it retrieves passwords stored within iCloud Keychain, browsing data, and even extracts information from Telegram accounts.
Cthulhu Stealer is built for both x86_64 and Arm systems, so it threatens Intel and Apple silicon Macs alike. It uses several techniques to gather system information, including the machine's IP address and the operating system version.
The harvested data is compressed into a ZIP archive before being transferred to an attacker-controlled command-and-control (C2) server.
This wide-ranging theft of data exposes users to financial loss, identity fraud, and a variety of follow-on cybersecurity threats.
Although Cthulhu Stealer might not stand out as highly advanced or stealthy, its comprehensive capacity to collect data makes it a significant concern.
The resemblance this malware bears to prior threats like Atomic Stealer indicates that cyber attackers are continuously refining their tools to exploit macOS users.
To counter the growing malware threat, Apple has announced planned changes to strengthen security in the forthcoming macOS Sequoia.
These changes will make bypassing Gatekeeper harder: rather than clicking through a warning, users will have to review the security settings in System Preferences before unsigned software is allowed to run.
To protect against risks such as Cthulhu Stealer, cybersecurity authorities advise Mac users to exclusively download applications from trustworthy sources like the App Store or official developer sites.
Users should be vigilant about any app that requests their system password during its installation process and ensure their operating systems receive timely security updates from Apple.