Cybersecurity researchers have identified a new macOS-targeted malware called Cthulhu Stealer, which is designed to harvest a variety of sensitive information from Apple devices. Available under a malware-as-a-service (MaaS) model for $500 per month since late 2023, this malware targets both x86_64 and Arm architectures. It disguises itself as legitimate software, including programs like CleanMyMac and Adobe GenP, and tricks users into entering system passwords by bypassing Gatekeeper protections.
Once installed, Cthulhu Stealer collects system information, iCloud Keychain passwords, web browser cookies, and Telegram account data, which it then compresses and exfiltrates to a command-and-control server. The malware shares similarities with Atomic Stealer, particularly in its use of osascript to prompt users for passwords, indicating that the Cthulhu Stealer developer may have modified Atomic Stealer’s code.
The developers behind Cthulhu Stealer have become inactive, partly due to disputes over payments that led to accusations of an exit scam. This inactivity resulted in the main developer being banned from a cybercrime marketplace. Despite its capabilities, Cthulhu Stealer lacks advanced anti-analysis techniques and does not have standout features that distinguish it from other similar malware offerings.
The rise in macOS-targeted threats like Cthulhu Stealer has not gone unnoticed by Apple. The company has announced an update to its macOS Sequoia operating system to add more security measures, making it more difficult to bypass Gatekeeper protections. Apple advises users to download software only from trusted sources, avoid unverified apps, and keep their systems updated with the latest security patches.
Reference:
