Cybersecurity experts at Cado Security have discovered a new information-stealing malware that attacks Apple macOS endpoints.
The malware is called Cthulhu Stealer and is capable of stealing all kinds of data: system information, iCloud Keychain passwords (using an open-source tool called Chainbreaker), other login credentials, web browser cookies, and Telegram account information.
Additionally, it asks victims to enter their system password as well as login details for the popular MetaMask cryptocurrency wallet.
A copy of Atomic Stealer
“The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including gaming accounts,” Cado Security researchers said in their report.
“The functionality and features of Cthulhu Stealer are very similar to those of Atomic Stealer, indicating that the developer of Cthulhu Stealer likely took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, including the same typos.”
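The osascript password prompt the researchers describe is something a defender can look for in endpoint process telemetry. The following Python script is an added illustration, not code from Cado Security or from the page: it scans constructed process-launch records (the record format and the sample events are assumptions made for this example) and flags any osascript invocation whose AppleScript shows a dialog with a hidden-answer field, which is how a fake "enter your password" prompt is built.

```python
"""Flag osascript invocations that present a hidden-answer password dialog.

Added example (not from the original article). The record format
"pid=<n> ppid=<n> user=<u> exe=<path> argv=<command line>" and the
SAMPLE_EVENTS list are constructed for this illustration, not real telemetry.
"""
import re

# Constructed sample process-launch records, one process per line.
SAMPLE_EVENTS = [
    "pid=4101 ppid=4090 user=alice exe=/usr/bin/osascript "
    "argv=osascript -e 'display dialog \"System needs your password\" "
    "default answer \"\" with hidden answer'",
    "pid=4102 ppid=880 user=alice exe=/usr/bin/osascript "
    "argv=osascript -e 'display notification \"Backup finished\"'",
    "pid=4103 ppid=4090 user=alice exe=/bin/zsh argv=zsh -c 'ls /Applications'",
    "pid=4104 ppid=4090 user=alice exe=/usr/bin/osascript "
    "argv=osascript -e 'display dialog \"Enter MetaMask password\" "
    "with title \"MetaMask\" default answer \"\" with hidden answer'",
]

RECORD_RE = re.compile(
    r"^pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) user=(?P<user>\S+) "
    r"exe=(?P<exe>\S+) argv=(?P<argv>.*)$"
)

# A password-style prompt in AppleScript combines a dialog with a
# hidden (masked) answer field; both fragments must be present.
DIALOG_RE = re.compile(r"display dialog\s+\"(?P<text>[^\"]*)\"", re.IGNORECASE)
HIDDEN_RE = re.compile(r"with hidden answer", re.IGNORECASE)


def parse_record(line):
    """Parse one record into a dict, or return None if it does not match."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["ppid"] = int(rec["ppid"])
    return rec


def is_password_prompt(rec):
    """True when the record is osascript showing a hidden-answer dialog."""
    return (
        rec["exe"].endswith("/osascript")
        and DIALOG_RE.search(rec["argv"]) is not None
        and HIDDEN_RE.search(rec["argv"]) is not None
    )


def find_password_prompts(lines):
    """Return the records that look like credential prompts, with the
    dialog text the user was shown attached as 'prompt_text'."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or not is_password_prompt(rec):
            continue
        rec["prompt_text"] = DIALOG_RE.search(rec["argv"]).group("text")
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_password_prompts(SAMPLE_EVENTS):
        print(f"ALERT pid={h['pid']} ppid={h['ppid']} user={h['user']}: "
              f"osascript password dialog shown: {h['prompt_text']!r}")
```

In practice the parent process (ppid) is the useful pivot: a hidden-answer dialog spawned by a freshly downloaded, unsigned or ad-hoc-signed application is far more suspicious than one spawned by a known installer, so the alert should carry the parent's path and signing status where the telemetry source provides them.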
Victims are typically tricked into downloading the malware, the researchers added, as it is promoted as legitimate software and games, posing as CleanMyMac, Grand Theft Auto IV, and Adobe GenP (an open-source tool that allows Adobe users to bypass Creative Cloud services and activate software without a serial key).
For the malware to work, victims must give explicit consent (as the information stealer must get past Gatekeeper protections). However, since they expect the software to be legitimate, most victims will likely give their consent.
Cthulhu, which apparently costs $500 a month to run and works on both x86_64 and Arm architectures, gathers all the interesting information, compresses it into a .ZIP file, and then exfiltrates it, via unknown means, to a command and control (C2) server.
The good news is that the malware is not particularly advanced and will likely be detected by most of the best antivirus products available today.