Cybersecurity researchers have identified a new information-stealing malware targeting Apple macOS systems, highlighting the growing focus of threat actors on the operating system.
Known as Cthulhu Stealer, this malware has been offered as malware-as-a-service (MaaS) for $500 per month since late 2023. It can target both x86_64 and Arm architectures.
"Cthulhu Stealer is an Apple disk image (DMG) that is bundled with two binaries, depending on the architecture," said Tara Gould, a researcher at Cato Security. "The malware is written in Golang and disguises itself as legitimate software."
The malware impersonates several software programs, including CleanMyMac, Grand Theft Auto IV, and Adobe GenP—an open-source tool that bypasses Adobe's Creative Cloud service to activate apps without a serial key.
Users who execute the unsigned file, bypassing Gatekeeper protections, are prompted to enter their system password. This method, which relies on an osascript-based technique, is similar to that used by other malware like Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer.
The next step involves a prompt for the user's MetaMask password. Cthulhu Stealer also collects system information and extracts iCloud Keychain passwords using an open-source tool called Chainbreaker.
The stolen data, which includes web browser cookies and Telegram account information, is compressed into a ZIP file and then sent to a command-and-control (C2) server. "The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts," Gould noted.
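As an added example (not from the article or from Cato Security's research), the following Python flags the osascript credential-prompt behaviour described above when run over a few constructed process-execution events; the event field names, parent paths and sample command lines are assumptions, not real Cthulhu Stealer telemetry.

```python
import re
from typing import Dict, List, Optional

# A masked-input AppleScript dialog ("with hidden answer") is the building block of
# the password prompt the article describes; legitimate scripts rarely need it.
HIDDEN_ANSWER = re.compile(r"display\s+dialog.*with\s+hidden\s+answer", re.I | re.S)
SECRET_WORDS = re.compile(r"password|keychain|metamask|wallet", re.I)

# Constructed sample events (hypothetical EDR-style fields); event 4101 mimics a
# prompt launched by a binary running from a mounted disk image.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4101, "parent_image": "/Volumes/CleanMyMac/CleanMyMac",
     "image": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display dialog "Enter your password to continue" '
                'default answer "" with hidden answer\''},
    {"pid": 5120, "parent_image": "/System/Library/CoreServices/loginwindow",
     "image": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display dialog "Backup complete"\''},
    {"pid": 5500, "parent_image": "/usr/bin/bash",
     "image": "/usr/bin/zip", "cmdline": "zip -r /tmp/out.zip /Users/alice/Documents"},
]

def is_mounted_image_path(path: str) -> bool:
    """True when the parent binary ran from a mounted disk image under /Volumes/."""
    return path.startswith("/Volumes/")

def score_event(ev: Dict) -> Optional[Dict]:
    """Return a finding for an osascript credential prompt, or None for benign events."""
    if not ev["image"].endswith("/osascript"):
        return None
    if not HIDDEN_ANSWER.search(ev["cmdline"]):
        return None
    severity, reasons = "medium", ["osascript hidden-answer dialog"]
    if SECRET_WORDS.search(ev["cmdline"]):
        severity = "high"
        reasons.append("dialog text asks for a secret")
    if is_mounted_image_path(ev["parent_image"]):
        severity = "high"
        reasons.append("parent launched from a mounted DMG")
    return {"pid": ev["pid"], "severity": severity, "reasons": reasons}

def scan(events: List[Dict]) -> List[Dict]:
    """Run score_event over all events and keep only the findings."""
    return [f for f in (score_event(e) for e in events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The benign "Backup complete" dialog is not flagged because it does not mask input, which keeps the rule focused on prompts that could be collecting a password.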
"The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating the developer of Cthulhu Stealer probably took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and C