A new macOS data stealer is going after Apple users
Cthulhu Stealer is capable of grabbing passwords, system data, and more.
Cybersecurity experts from Cado Security have uncovered a new information-stealing malware, targeting Apple macOS endpoints.
The malware is called Cthulhu Stealer, and is capable of stealing all sorts of data - system information, iCloud Keychain passwords (using an open-source tool called Chainbreaker), other login credentials, web browser cookies, and Telegram account information.
Furthermore, it prompts victims to enter their system password, as well as login details for the popular MetaMask cryptocurrency wallet.
A copy of Atomic Stealer
"The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts," Cado Security’s researchers said in their report.
"The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating the developer of Cthulhu Stealer probably took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, even including the same spelling mistakes."
Victims are usually tricked into downloading the malware, the researchers added, as it is advertised as legitimate software and games, posing as the likes of CleanMyMac, Grand Theft Auto IV, and Adobe GenP (an open source tool that allows Adobe users to work around Creative Cloud services and activate the software without a serial key).
For the malware to work, the victims need to give explicit consent (since the infostealer needs to make it past Gatekeeper protections). However, since they expect legitimate software, most victims probably grant this consent.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Once Cthulhu, which apparently costs $500 a month to run and works on both x86_64, and Arm architecture, grabs all the interesting information, it compresses it into a .ZIP archive and then exfiltrates, by unknown means, to a command-and-control (C2) server.
The good news is that the malware isn’t particularly advanced, and will probably picked up by most of the best antivirus products available today.
More from TechRadar Pro
- Mac users targeted in new malvertising campaign delivering Atomic Stealer
- Here's a list of the best firewall software around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.