Aug 23, 2024 | Ravie Lakshmanan | Endpoint Security / Data Privacy
Cybersecurity researchers have uncovered a new information stealer, the Cthulhu Stealer, designed to target Apple macOS hosts and harvest a wide range of information. This underscores the increasing focus of threat actors on the macOS operating system.
Available under a malware-as-a-service (MaaS) model for $500 a month since late 2023, the malware is capable of targeting both x86_64 and Arm architectures.
“Cthulhu Stealer is an Apple disk image (DMG) that is bundled with two binaries, depending on the architecture,” explained Cato Security researcher Tara Gould. “The malware is written in Golang and disguises itself as legitimate software.”
Some of the software programs it impersonates include CleanMyMac, Grand Theft Auto IV, and Adobe GenP.
Users who allow the unsigned file to run are prompted to enter their system password through an osascript-based dialog. The malware is also designed to harvest system information and iCloud Keychain passwords.
The stolen data, including web browser cookies and Telegram account information, is compressed, stored, and exfiltrated to a command-and-control (C2) server.
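The osascript password prompt and the disk-image delivery described above are the observable behaviours a defender can alert on. The following is an added example, not code from the article or from Cato Security: it scores constructed macOS process-execution events for osascript dialogs that collect hidden (password-style) input, weighting those spawned by a binary running from a mounted disk image under /Volumes/. The event schema (pid, parent, cmd), the indicator weights and the alert threshold are assumptions for illustration.

```python
"""Detect osascript credential-prompt dialogs in process-execution telemetry.

Added example (not from the article). The events below are constructed to
resemble an EDR process-exec export with a hypothetical schema:
pid, parent executable path, full command line. They are not real telemetry.
"""
import os
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample events. Two mimic a stealer launched from a DMG that
# pops a password dialog; the rest are benign osascript uses.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": "/Volumes/CleanMyMac/CleanMyMac",
     "cmd": "osascript -e 'display dialog \"Enter your password to continue.\" "
            "default answer \"\" with hidden answer with icon caution'"},
    {"pid": 5120, "parent": "/usr/bin/python3",
     "cmd": "osascript -e 'display notification \"Build finished\" with title \"CI\"'"},
    {"pid": 5300, "parent": "/Applications/Script Editor.app/Contents/MacOS/Script Editor",
     "cmd": "osascript /Users/dev/Scripts/backup.scpt"},
    {"pid": 6011, "parent": "/Volumes/Adobe GenP/Adobe GenP",
     "cmd": "osascript -e 'display dialog \"Authentication required\" "
            "with title \"System Preferences\" default answer \"\" with hidden answer'"},
    {"pid": 6200, "parent": "/bin/zsh",
     "cmd": "osascript -e 'display dialog \"Delete temp files?\" buttons {\"No\", \"Yes\"}'"},
]

ALERT_THRESHOLD = 3  # assumed: a hidden-answer field alone is enough to alert

_HIDDEN_ANSWER = re.compile(r"\bwith\s+hidden\s+answer\b", re.IGNORECASE)
_DISPLAY_DIALOG = re.compile(r"\bdisplay\s+dialog\b", re.IGNORECASE)
_DEFAULT_ANSWER = re.compile(r"\bdefault\s+answer\b", re.IGNORECASE)
_CRED_WORDS = re.compile(r"password|passcode|credential", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def score_event(event: dict) -> Optional[Finding]:
    """Return a Finding for an osascript invocation with prompt indicators, else None."""
    try:
        argv = shlex.split(event["cmd"])
    except ValueError:  # unbalanced quotes in the captured command line
        argv = event["cmd"].split()
    if not argv or os.path.basename(argv[0]) != "osascript":
        return None

    # Inline -e fragments and/or a script path, joined for keyword matching.
    script = " ".join(argv[1:])
    finding = Finding(pid=event["pid"])

    if _HIDDEN_ANSWER.search(script):
        finding.add(3, "dialog uses a hidden (password-style) input field")
    if _DISPLAY_DIALOG.search(script) and _DEFAULT_ANSWER.search(script):
        finding.add(1, "dialog collects free-text input")
    if _CRED_WORDS.search(script):
        finding.add(1, "dialog text asks for a credential")
    if event.get("parent", "").startswith("/Volumes/"):
        # The article describes delivery as a DMG bundling the stealer binaries.
        finding.add(2, "parent runs from a mounted disk image under /Volumes/")

    return finding if finding.score > 0 else None


def detect(events: List[dict], threshold: int = ALERT_THRESHOLD) -> List[Finding]:
    """Score every event and keep those at or above the alert threshold, in input order."""
    hits = []
    for event in events:
        finding = score_event(event)
        if finding is not None and finding.score >= threshold:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid={f.pid} score={f.score}: " + "; ".join(f.reasons))
```

Only the two disk-image-launched prompts with hidden input cross the threshold; the notification, the saved script and the yes/no dialog score nothing. In practice the same logic maps onto Endpoint Security process events or a Unified Log query, with the weights tuned to the fleet's legitimate osascript usage.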
Cthulhu Stealer is primarily focused on stealing credentials and cryptocurrency wallets from various sources, including game accounts. Its functionality closely resembles Atomic Stealer, suggesting it may be a modified version of that malware's code.
The threat actors behind Cthulhu Stealer are reportedly inactive: disputes over payments led to accusations of an exit scam and a ban from cybercrime marketplaces.
Although the malware lacks sophistication and stealth features, users are advised to be cautious when downloading software, avoid unverified apps, and keep systems updated with the latest security patches.
Apple has taken note of the increase in macOS malware and is implementing stricter measures in macOS Sequoia to prevent the execution of software that is not signed or notarized without explicit user consent.