New macOS Malware "Cthulhu Stealer" Targets Data of Apple Users
Discover the new macOS malware "Cthulhu Stealer" designed to target Apple users by stealing data, including web browser cookies and Telegram account details. Learn about its impact and how to protect your macOS devices from this emerging cybersecurity threat.
Cybersecurity researchers have identified a new information-stealing malware targeting Apple macOS systems, highlighting a growing trend where threat actors focus more on this operating system. The malware, named Cthulhu Stealer, operates under a malware-as-a-service (MaaS) model, available for $500 per month since late 2023. It is capable of targeting both x86_64 and Arm architectures.
Tara Gould, a researcher at Cato Security, revealed that Cthulhu Stealer is distributed as an Apple disk image (DMG), which includes two binaries depending on the system architecture. The malware is written in Golang and masquerades as legitimate software, including popular programs like CleanMyMac, Grand Theft Auto IV, and Adobe GenP. The latter is an open-source tool used to bypass Adobe’s Creative Cloud service and activate applications without a serial key.
Victims who inadvertently execute the unsigned file—after bypassing Gatekeeper protections—are prompted to enter their system password through an osascript-based technique. This method is commonly used by other malware like Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer. Following this, users are also asked to provide their MetaMask password.
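The password prompt described above is a useful detection point, since a legitimate installer rarely asks for the login password through an osascript dialog. The script below is an added example, not code from the report or from the malware: it assumes EDR-style process events with `exe`, `argv` and `parent_exe` fields (constructed inline here) and flags osascript dialogs that use a masked input field, raising the severity when the parent process runs from a mounted disk image, which matches the DMG delivery the article describes.

```python
import re

# Constructed process-execution events in the shape an EDR or unified-log
# collector might emit; none of these are real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"pid": 4101, "exe": "/usr/bin/osascript",
     "argv": ["osascript", "-e",
              'display dialog "macOS needs to update settings. Enter your password:" '
              'default answer "" with hidden answer with title "System Preferences"'],
     "parent_exe": "/Volumes/CleanMyMac/CleanMyMac"},
    {"pid": 4205, "exe": "/usr/bin/osascript",
     "argv": ["osascript", "-e", 'tell application "Finder" to activate'],
     "parent_exe": "/bin/zsh"},
    {"pid": 4310, "exe": "/usr/bin/osascript",
     "argv": ["osascript", "-e",
              'display dialog "Enter your MetaMask password" default answer "" with hidden answer'],
     "parent_exe": "/Volumes/CleanMyMac/CleanMyMac"},
    {"pid": 4400, "exe": "/usr/bin/osascript",
     "argv": ["osascript", "-e",
              'display dialog "Backup: enter sudo passphrase" default answer "" with hidden answer'],
     "parent_exe": "/bin/zsh"},
    {"pid": 4500, "exe": "/usr/bin/zip",
     "argv": ["zip", "-r", "/tmp/out.zip", "/tmp/collect"],
     "parent_exe": "/Volumes/CleanMyMac/CleanMyMac"},
]

# "display dialog ... with hidden answer" is the AppleScript idiom for a
# masked text field, i.e. a password-style prompt.
HIDDEN_PROMPT_RE = re.compile(r"display dialog.*?with hidden answer", re.I | re.S)
PASSWORD_WORDS_RE = re.compile(r"password|passphrase|passcode", re.I)


def assess_event(event):
    """Return a finding dict for an osascript password prompt, or None."""
    if event["exe"] != "/usr/bin/osascript":
        return None
    script = " ".join(event["argv"][1:])
    if not HIDDEN_PROMPT_RE.search(script):
        return None
    reasons = ["osascript dialog with a masked (hidden answer) input field"]
    if PASSWORD_WORDS_RE.search(script):
        reasons.append("prompt text asks for a password")
    from_disk_image = event.get("parent_exe", "").startswith("/Volumes/")
    if from_disk_image:
        reasons.append("parent process runs from a mounted disk image")
    return {"pid": event["pid"],
            "severity": "high" if from_disk_image else "medium",
            "reasons": reasons}


def scan(events):
    """Run assess_event over a stream of events and keep the hits."""
    return [f for f in (assess_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

An admin script that legitimately prompts for a sudo passphrase (pid 4400 above) still surfaces at medium severity, so the rule is a triage aid rather than a blocking control.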
Cthulhu Stealer is designed to gather system information and extract iCloud Keychain passwords using an open-source tool called Chainbreaker. The stolen data, encompassing web browser cookies and Telegram account details, is compressed into a ZIP file and transmitted to a command-and-control (C2) server.
The primary goal of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various sources, including game accounts. According to Gould, the functionality of Cthulhu Stealer closely resembles that of Atomic Stealer, suggesting that the developers likely modified Atomic Stealer's code. Both use osascript to prompt users for their passwords, and even contain the same spelling mistakes.
Reports indicate that the threat actors behind Cthulhu Stealer are no longer active, partly due to disputes over payments, which led to accusations of an exit scam by affiliates. As a result, the main developer was permanently banned from a cybercrime marketplace where the stealer was being advertised.
Despite its abilities, Cthulhu Stealer is not particularly sophisticated. It lacks anti-analysis techniques that would allow it to evade detection and does not have any standout features compared to other similar malware.
Although macOS malware is less common than threats to Windows and Linux, users are strongly advised to download software only from trusted sources, avoid installing unverified apps, and keep their systems up to date with the latest security updates.
Apple has recognized the increasing threat of macOS malware. Earlier this month, the company announced that its upcoming operating system version, macOS Sequoia, will introduce stricter measures to prevent the execution of unsigned or non-notarized software. Specifically, users will no longer be able to Control-click to override Gatekeeper; instead, they must navigate to System Settings > Privacy & Security to review and approve security information before allowing the software to run.