The latest cyber-attack uncovered by security researchers is an information stealer that targets Apple macOS hosts and gathers a wide array of information to reach sensitive computer data. It underscores how threat actors are increasingly targeting the OS as a target.
As of late 2023, malware dubbed Cthulhu Stealer was available as a malware-as-a-service (MaaS) product and was priced at $500 per month as part of a subscription-based price structure.
As far as the architecture is concerned, it can support both x86_64 and Arm platforms.
Several cybersecurity researchers have discovered a new form of macOS malware that can steal user's sensitive data in the most insidious ways. A malware called Cthulhu Stealer has been spotted that impersonates popular applications to infect users with Trojan malware that allows the malware to steal passwords for users' operating systems and the iCloud keychain, as well as cryptocurrency wallets.
A $500/month service offering for bad actors has reportedly been available since late 2023, as part of the Cthulhu Stealer program. It is particularly effective because it can masquerade as legitimate software and thus make itself appear more appealing.
A Cado Security researcher has pointed out that Cthulhu Stealer is an Apple disk image (DMG) that carries two binaries, depending on the architecture of the machine, according to Gould.
Using Golang, the malware disguises itself as a legitimate piece of software and disguises itself as a malicious application.
A few of the software programs it impersonates include CleanMyMac, Grand Theft Auto IV, and Adobe GenP because the last of these is an open-source tool that can patch Adobe apps to bypass Creative Cloud service encryption and use the serial key to activate them without having to create a login account with a creator's account.
A user who launches an unsigned file that has been explicitly allowed to be run – i.e., bypassing Gatekeeper protections – will be prompted to enter their system password when they launch it. In addition to Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer using this postscript-based approach, other software developers have adopted similar approaches.
Afterwards, a second prompt will appear asking the user to enter their MetaMask password for the third time.
This tool was also designed with the goal of harvesting system information and dumping iCloud Keychain passwords using an open-source tool called Chain Breaker which an anonymous developer developed.
There are several ways the data theft takes place, including through the use of web browser cookies and information from Telegram accounts. This information is compressed and stored in a ZIP file, before being sent to a command-and-control server (C2).
It is believed that the main purpose of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from a wide range of shops and services, including game accounts, to steal information.
The functionality and features of Cthulhu Stealer are very similar to that of Atomic Stealer, which implies that it was probably developed by the same person who modified Atomic Stealer. As users can see from the above paragraph, Atomic Stealer and Cthulhu both use Osascript as a password prompt. Even the spelling mistakes in the two games are identical.
As a result, the threat actors responsible for the malware appear to have vanished, in part due to disagreements over payments, which has led to affiliates accusing the main developer of an exit scam, which has led to him being permanently banned from the cybercrime marketplace he used to advertise the malware in the first place.
It is important to note that Cthulhu Stealer does not have very sophisticated anti-analysis techniques that would allow it to operate stealthily, which could be used to avoid detection.
As well as this, it does not include any features that set it apart from similar underground offerings, apart from the fortress is one issue that affects this.
Malware like Cthulhu Stealer, as well as other software threats like it, can cause far less damage when users take macOS' security features seriously, so they do not fall victim to them.
MacOS is much less commonly targeted by malware threats than Windows or Linux, but users are advised to stay away from downloading software from sources they don't trust, stay away from installing apps that are not verified, and make sure their systems are updated with the latest security measures.
There has been a surge in macOS malware recently and in response Apple announced this week that an update is coming to its next version of the operating system that will add more friction when trying to open software that is not signed correctly or notarized, which will help prevent future outbreaks of macOS malware.