A new macOS data thief is targeting Apple users
Cybersecurity experts at Cado Security have discovered a new information-stealing malware targeting Apple macOS endpoints.
The malware is called Cthulhu Stealer and can steal a variety of data: system credentials, iCloud Keychain passwords (using an open-source tool called Chainbreaker), other login credentials, web browser cookies, and Telegram account information.
Additionally, victims are asked to enter their system password, as well as login credentials for the popular cryptocurrency wallet MetaMask.
A copy of Atomic Stealer
“The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including gaming accounts,” researchers from Cado Security said in their report.
“The functionality and features of Cthulhu Stealer are very similar to those of Atomic Stealer, indicating that the developer of Cthulhu Stealer likely took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, even with the same spelling errors.”
According to the researchers, victims are typically tricked into downloading the malware because it is advertised as legitimate software or games: it poses as CleanMyMac, Grand Theft Auto IV, and Adobe GenP (an open-source tool that lets Adobe users bypass Creative Cloud services and activate software without a serial number).
For the malware to run at all, the victim must grant it explicit permission, because the infostealer has to get past macOS's Gatekeeper protection. However, since victims expect legitimate software, most are likely to grant that permission.
Cthulhu, which reportedly costs $500 per month to use and works on both x86_64 and Arm architectures, compresses everything it has collected into a .ZIP archive and then exfiltrates it, by means that have not been determined, to a command-and-control (C2) server.
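As an added defender-side example (not code from the Cado Security report or from the malware), the two behaviours described above, the osascript password prompt and the bundling of credential stores into an archive, can be spotted in process-execution telemetry. The event format, directory paths and rule names are assumptions made for illustration.

```python
import re

# Constructed sample of process-execution events in a hypothetical
# "pid= user= exe= args=" export format; none of these come from the report.
SAMPLE_EVENTS = [
    "pid=812 user=alice exe=/usr/bin/osascript args=-e 'display dialog "
    "\"macOS needs your password to continue\" with title \"System\" "
    "default answer \"\" with hidden answer'",
    "pid=813 user=alice exe=/usr/bin/osascript args=-e 'display dialog "
    "\"Backup finished\" buttons {\"OK\"}'",
    "pid=815 user=alice exe=/usr/bin/zip args=-r /tmp/out.zip "
    "/Users/alice/Library/Application Support/Telegram Desktop "
    "/Users/alice/Library/Keychains",
    "pid=816 user=alice exe=/usr/bin/zip args=-r /Users/alice/Desktop/p.zip "
    "/Users/alice/Pictures",
]

EVENT_RE = re.compile(
    r"pid=(?P<pid>\d+) user=(?P<user>\S+) exe=(?P<exe>\S+) args=(?P<args>.*)")
PASSWORD_WORDS = re.compile(r"\b(password|passcode|credentials?|keychain)\b", re.I)
# User-library directories an infostealer of this kind bundles up (assumed paths).
SENSITIVE_DIRS = (
    "Library/Keychains",
    "Library/Application Support/Telegram Desktop",
    "Library/Application Support/Google/Chrome",
)
ARCHIVERS = ("/zip", "/ditto", "/tar")

def classify(event: str):
    """Return (pid, user, rule) when the event shows one of the two behaviours,
    else None."""
    m = EVENT_RE.match(event)
    if not m:
        return None
    exe, args = m["exe"], m["args"]
    # Rule 1: an AppleScript dialog with a masked input field that asks for a
    # password. Real installers go through the system authorization prompt.
    if (exe.endswith("/osascript") and "display dialog" in args
            and "with hidden answer" in args and PASSWORD_WORDS.search(args)):
        return int(m["pid"]), m["user"], "osascript-hidden-password-prompt"
    # Rule 2: a command-line archiver pointed at credential or messenger stores.
    if exe.endswith(ARCHIVERS) and any(d in args for d in SENSITIVE_DIRS):
        return int(m["pid"]), m["user"], "archive-of-credential-store"
    return None

def scan(events):
    """Every (pid, user, rule) hit across a batch of events, in order."""
    return [hit for hit in map(classify, events) if hit]
```

Run against the sample, the scan flags process 812 (the fake password dialog) and 815 (the archive of the Telegram and Keychains folders) and ignores the benign dialog and the photo backup.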
The good news is that the malware is not particularly sophisticated and will likely be picked up by most current antivirus products.