More potent and advanced macOS malware is being profitably distributed among criminals.
Cthulhu Stealer at work [Cado Security]
Researchers have discovered a new macOS malware that steals data. “Cthulhu Stealer”, sold to online criminals for $500 per month, is the latest example.

Researchers are warning that the Mac is becoming a more popular target for malware. In the latest instance, it is malware that has been around for quite a while. According to Cado Security, and as reported by Hacker News on Friday, the malware known as “Cthulhu Stealer” has been around since 2023. Offered as “Malware-as-a-Service,” it could be used by online criminals for a mere $500 per month.

The malware is distributed as an Apple disk image that contains two binaries, so it can attack either Intel or Apple Silicon Macs depending on the architecture it detects. The malware was disguised to entice users to open it, posing as Grand Theft Auto IV, CleanMyMac, and other software. It also appeared as Adobe GenP, a tool to patch Adobe apps without relying on a paid security code from Creative Cloud. The alleged contents were a ploy to convince users to run the unsigned file after bypassing Gatekeeper.

Users are then asked to enter their system password and the password for their MetaMask cryptocurrency wallet. These passwords allow the theft of system information, iCloud Keychain credentials, web browser cookies, and Telegram account details. The data is sent to a command-and-control system. Tara Gould, a Cado Security researcher, said that the main functionality of Cthulhu Stealer is to steal credentials and crypto wallets from different stores, including game accounts.

The malware was found to be similar to malware previously discovered under the name “Atomic Stealer.” Cthulhu Stealer is believed to have been created by someone who reused code from Atomic Stealer. The main evidence is an OSA script (AppleScript) that asks for the user’s password; it contains the same spelling errors. Cthulhu Stealer’s creators no longer appear to be managing the malware, which is unusual for newly discovered malware. This appears to be due to payment disputes.
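As an added example, not from the Cado Security report or this article, here is a detection rule that scans process-event logs for the kind of osascript password dialog described above (a "display dialog ... with hidden answer" prompt spawned from a mounted disk image). The JSON event format, field names and sample events are constructed assumptions, not real telemetry.

```python
import json
import re

# Constructed EDR-style process events (not real telemetry): one JSON object per
# line with a timestamp, the executable, its command line and its parent process.
SAMPLE_EVENTS = r"""
{"ts":"2024-08-23T10:01:02Z","proc":"/usr/bin/osascript","cmdline":"osascript -e 'display dialog \"macOS needs to access System Settings\\n\\nPlease enter password.\" default answer \"\" with hidden answer with icon caution'","parent":"/Volumes/CleanMyMac/CleanMyMac"}
{"ts":"2024-08-23T10:01:05Z","proc":"/usr/bin/osascript","cmdline":"osascript -e 'display dialog \"Enter your MetaMask password\" default answer \"\" with hidden answer'","parent":"/Volumes/CleanMyMac/CleanMyMac"}
{"ts":"2024-08-23T10:02:00Z","proc":"/usr/bin/osascript","cmdline":"osascript -e 'display notification \"Backup complete\"'","parent":"/Applications/Backup.app/Contents/MacOS/Backup"}
{"ts":"2024-08-23T10:03:00Z","proc":"/bin/ls","cmdline":"ls -la","parent":"/bin/zsh"}
{"ts":"2024-08-23T10:04:00Z","proc":"/usr/bin/osascript","cmdline":"osascript -e 'display dialog \"Confirm to continue\" default answer \"\" with hidden answer'","parent":"/Applications/Updater.app/Contents/MacOS/Updater"}
"""

# "display dialog ... with hidden answer" is the AppleScript idiom for a masked
# text field, i.e. a password prompt. Legitimate software rarely needs it.
HIDDEN_ANSWER = re.compile(r"display dialog.*with hidden answer", re.I | re.S)
# Prompt wording that names the secret being requested.
CREDENTIAL_WORDS = re.compile(r"password|passphrase|wallet|metamask|keychain", re.I)


def classify(event):
    """Return 'high', 'medium' or None for one decoded process event."""
    if not event["proc"].endswith("/osascript"):
        return None
    cmdline = event["cmdline"]
    if not HIDDEN_ANSWER.search(cmdline):
        return None
    # Credential wording plus a parent running from a mounted disk image
    # (the DMG delivery described in the report) raises confidence.
    suspicious = CREDENTIAL_WORDS.search(cmdline) is not None
    from_disk_image = event["parent"].startswith("/Volumes/")
    return "high" if suspicious and from_disk_image else "medium"


def scan(log_text):
    """Parse newline-delimited JSON events; return (ts, severity, parent) hits."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        severity = classify(event)
        if severity:
            findings.append((event["ts"], severity, event["parent"]))
    return findings


if __name__ == "__main__":
    for ts, severity, parent in scan(SAMPLE_EVENTS):
        print(f"{ts} {severity:6} osascript password prompt spawned by {parent}")
```

The "medium" tier exists because some legitimate tools do use hidden-answer dialogs, so tune the allowlist to your fleet rather than alerting on every hit.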
The developer was permanently banned from the cybercrime marketplace that advertised the tool after accusations of an exit scam that affected other users. Because of these ownership and control issues, users don’t need to do much to protect themselves against Cthulhu Stealer. As always, it is important to be cautious about which apps you download and to make sure they come from a trustworthy source.

Gatekeeper can be easily overridden in macOS Sonoma and earlier releases. In macOS Sequoia, users will no longer be able to Control-click an app to override Gatekeeper. Instead, they will need to go to System Settings, then Privacy & Security, to review the security information for that particular piece of software. By adding more obstacles, this change should reduce the instances where Gatekeeper is simply bypassed. Nevertheless, users should pay attention to Gatekeeper’s objections when installing or running apps.