Cybersecurity experts from Cado Security have uncovered a new information-stealing malware, targeting Apple macOS endpoints.
The malware is called Cthulhu Stealer, and is capable of stealing all sorts of data – system information, iCloud Keychain passwords (using an open-source tool called Chainbreaker), other login credentials, web browser cookies, and Telegram account information.
Furthermore, it prompts victims to enter their system password, as well as login details for the popular MetaMask cryptocurrency wallet.
A copy of Atomic Stealer
“The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts,” Cado Security’s researchers said in their report.
“The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating the developer of Cthulhu Stealer probably took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, even including the same spelling mistakes.”
Victims are usually tricked into downloading the malware, the researchers added, as it is advertised as legitimate software and games, posing as the likes of CleanMyMac, Grand Theft Auto IV, and Adobe GenP (an open source tool that allows Adobe users to work around Creative Cloud services and activate the software without a serial key).
For the malware to work, the victims need to give explicit consent (since the infostealer needs to make it past Gatekeeper protections). However, since they expect legitimate software, most victims probably grant this consent.
Once Cthulhu, which apparently costs $500 a month to run and works on both x86_64, and Arm architecture, grabs all the interesting information, it compresses it into a .ZIP archive and then exfiltrates, by unknown means, to a command-and-control (C2) server.
The good news is that the malware isn’t particularly advanced, and will probably picked up by most of the best antivirus products available today.
