A new macOS data stealer is going after Apple users

Cybersecurity experts from Cado Security have discovered a new piece of information-stealing malware targeting Apple macOS devices. This malware, named Cthulhu Stealer, is designed to steal a wide range of data, including system information, iCloud Keychain passwords (using an open-source tool called Chainbreaker), other login credentials, web browser cookies, and even Telegram account details.

In addition to this, Cthulhu Stealer tricks victims into entering their system passwords and the login credentials for MetaMask, a popular cryptocurrency wallet.


According to Cado Security’s researchers, Cthulhu Stealer’s primary goal is to steal credentials and cryptocurrency wallets from various sources, including game accounts. The malware shares many similarities with another known malware, Atomic Stealer, leading the researchers to believe that Cthulhu Stealer might be a modified version of it. For example, both use osascript (the macOS utility that runs AppleScript) to prompt users for their passwords, and both contain the same spelling mistakes, further hinting at a connection between the two.

Victims typically download Cthulhu Stealer thinking it’s legitimate software or a game, as it’s often disguised as popular programs like CleanMyMac, Grand Theft Auto IV, or Adobe GenP, an open-source tool that bypasses Adobe’s Creative Cloud services. To run, the malware needs the victim’s explicit consent due to macOS’s Gatekeeper protections. Unfortunately, since users believe they’re installing legitimate software, they often unknowingly grant this consent.

Once Cthulhu Stealer has collected the targeted data, it compresses it into a .ZIP file and sends it to a command-and-control (C2) server, although the exact method of exfiltration remains unknown. The malware reportedly costs around $500 per month to operate and is compatible with both x86_64 and Arm architectures.
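The two behaviours described above, a fake password prompt driven by osascript and the staging of stolen data into a .ZIP archive before it leaves the machine, are both visible to endpoint telemetry, which is where a defender would look for this family regardless of how the final exfiltration works. The following is an added example, written for this article and not code from Cado Security or from the malware itself. It parses a handful of constructed process-execution records in an assumed `timestamp exec uid=… ppid=… cmd=…` format (the log lines, the `SENSITIVE_PATH_HINTS` list and the five-minute correlation window are all assumptions made for the example), flags osascript dialogs that use a masked (`hidden answer`) text box, flags archiver commands aimed at credential stores or browser profiles, and raises a combined finding when both come from the same parent process within the window.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample process-execution records, loosely modelled on what an EDR or
# Endpoint Security client would log. These lines are invented for this example;
# they are not from the article or from any real Cthulhu Stealer capture.
SAMPLE_LOG = """\
2024-08-22T10:01:03Z exec uid=501 ppid=812 cmd=/usr/bin/osascript -e 'display dialog "macOS needs your password to update" default answer "" with hidden answer'
2024-08-22T10:01:09Z exec uid=501 ppid=812 cmd=/usr/bin/osascript -e 'display dialog "Enter your MetaMask password" default answer "" with hidden answer'
2024-08-22T10:01:15Z exec uid=501 ppid=812 cmd=/usr/bin/zip -r /tmp/out.zip /Users/alice/Library/Keychains
2024-08-22T10:02:00Z exec uid=501 ppid=1 cmd=/usr/bin/osascript -e 'display dialog "Reminder: meeting at 3pm"'
2024-08-22T10:02:10Z exec uid=0 ppid=1 cmd=/usr/sbin/softwareupdate -l
"""

# Assumed record layout for the example log above.
LINE_RE = re.compile(r"^(?P<ts>\S+) exec uid=(?P<uid>\d+) ppid=(?P<ppid>\d+) cmd=(?P<cmd>.*)$")

# Locations a stealer gathers before archiving them (Keychain, browser profiles,
# cookies, Telegram data). Assumed list; extend it from your own environment.
SENSITIVE_PATH_HINTS = (
    "Library/Keychains",
    "Library/Application Support/Google/Chrome",
    "Library/Cookies",
    "Telegram",
)


@dataclass
class Event:
    ts: datetime
    uid: int
    ppid: int
    cmd: str


@dataclass
class Finding:
    rule: str
    ppid: int
    ts: datetime
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed record format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            uid=int(m["uid"]),
            ppid=int(m["ppid"]),
            cmd=m["cmd"],
        ))
    return events


def is_password_prompt(cmd: str) -> bool:
    # "display dialog ... with hidden answer" draws a masked text box, which is how
    # a fake password prompt is built with osascript. A plain notification dialog
    # (no hidden answer) is normal automation and must not fire.
    return "osascript" in cmd and "display dialog" in cmd and "hidden answer" in cmd


def is_sensitive_archive(cmd: str) -> bool:
    # zip/ditto/tar pointed at credential stores or browser profile directories.
    archiver = re.search(r"/(zip|ditto|tar)\b", cmd) is not None
    return archiver and any(hint in cmd for hint in SENSITIVE_PATH_HINTS)


def detect(events: list[Event], window: timedelta = timedelta(minutes=5)) -> list[Finding]:
    """Emit per-event findings plus a correlated 'stealer_chain' finding when a
    password prompt is followed, from the same parent, by archiving of sensitive data."""
    findings: list[Finding] = []
    first_prompt_by_parent: dict[int, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if is_password_prompt(ev.cmd):
            findings.append(Finding("osascript_password_prompt", ev.ppid, ev.ts, ev.cmd))
            first_prompt_by_parent.setdefault(ev.ppid, ev.ts)
        elif is_sensitive_archive(ev.cmd):
            findings.append(Finding("sensitive_data_archived", ev.ppid, ev.ts, ev.cmd))
            first = first_prompt_by_parent.get(ev.ppid)
            if first is not None and ev.ts - first <= window:
                findings.append(Finding(
                    "stealer_chain", ev.ppid, ev.ts,
                    "password prompt followed by archiving of credential stores from the same parent",
                ))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, handy for a quick triage view."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f.ts.isoformat()} ppid={f.ppid} {f.rule}: {f.detail}")
```

Run against the constructed log, the two masked-dialog prompts and the Keychain archive from parent 812 each produce a finding, and because they fall within the window they also produce one `stealer_chain` finding; the benign reminder dialog and the `softwareupdate` run produce nothing. The per-parent correlation is what keeps the rule useful: a single masked dialog is noisy on a fleet with legitimate AppleScript tooling, but a prompt followed by packaging of credential stores is a much stronger signal.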

The silver lining is that Cthulhu Stealer is not particularly sophisticated, meaning most top antivirus software should be able to detect and block it.