Cthulhu Stealer: A New Malware Threat Targets macOS Users’ Data


Posted on: 23 Aug 2024 | Author: Foresiet

Introduction

As cybersecurity threats continue to evolve, macOS users are increasingly becoming the target of sophisticated attacks. A newly discovered malware, dubbed "Cthulhu Stealer," is the latest example of how threat actors are focusing their efforts on Apple’s operating system. This blog delves into the details of Cthulhu Stealer, its methods of operation, and the steps macOS users can take to safeguard their data.

The Rise of Cthulhu Stealer: A New Threat to macOS

Cthulhu Stealer is a newly identified piece of malware designed specifically to infiltrate macOS systems. Unlike typical Windows-targeted threats, this malware highlights a growing trend of cybercriminals aiming their attacks at Apple’s ecosystem. First available as malware-as-a-service (MaaS) for $500 a month since late 2023, Cthulhu Stealer is capable of compromising both x86_64 and Arm architectures, making it a versatile tool for malicious actors.

How Cthulhu Stealer Operates

Cthulhu Stealer is distributed as an Apple disk image (DMG) that contains binaries tailored to the architecture of the target system. The malware is written in Golang, a programming language known for its efficiency in creating cross-platform applications. It masquerades as legitimate software, with common decoy programs including CleanMyMac, Grand Theft Auto IV, and Adobe GenP—a tool used to bypass Adobe’s Creative Cloud service.

When users download and run the unsigned file, bypassing macOS’s Gatekeeper protections, they are prompted to enter their system password. This osascript-based technique has been observed in other macOS malware, such as Atomic Stealer, Cuckoo, and MacStealer. In the case of Cthulhu Stealer, a second prompt is often presented, requesting the user’s MetaMask password, which further broadens the scope of compromised data.
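The prompt behaviour just described is detectable in endpoint telemetry. Below is an added detection example, not Foresiet's tooling or anything from the malware itself, run over constructed process-execution events; the event field names, rule names and sample paths are assumptions.

```python
"""Added detection example over constructed macOS process-execution events.
Flags an osascript dialog that collects a hidden (password) answer, and a
payload running from a mounted disk image that spawns such a prompt."""
import re
from typing import Dict, Iterable, List

# "display dialog ... with hidden answer" is how osascript shows a masked
# text field, i.e. a fake system or MetaMask password prompt.
HIDDEN_PROMPT = re.compile(r"display dialog .*with hidden answer", re.IGNORECASE)
CRED_WORDS = re.compile(r"password|metamask|keychain", re.IGNORECASE)
DMG_MOUNT = re.compile(r"^/Volumes/")  # DMGs mount under /Volumes

def classify(event: Dict[str, str]) -> List[str]:
    """Return the rule names the event matches (empty list if benign)."""
    hits: List[str] = []
    cmd = event.get("cmdline", "")
    if event.get("process") == "osascript" and HIDDEN_PROMPT.search(cmd):
        hits.append("osascript_hidden_password_prompt")
        if CRED_WORDS.search(cmd):
            hits.append("credential_lure_text")
        if DMG_MOUNT.match(event.get("parent_path", "")):
            hits.append("dmg_payload_spawns_password_prompt")
    return hits

def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every event through classify and keep only the alerts."""
    return [{"pid": e["pid"], "rules": r} for e in events if (r := classify(e))]

# Constructed sample telemetry; lure text and paths are illustrative only.
SAMPLE_EVENTS = [
    {"pid": "101", "process": "osascript",
     "parent_path": "/Volumes/CleanMyMac/CleanMyMac",
     "cmdline": 'osascript -e \'display dialog "macOS needs your password" '
                'default answer "" with hidden answer\''},
    {"pid": "102", "process": "osascript",
     "parent_path": "/Applications/Automator.app/Contents/MacOS/Automator",
     "cmdline": 'osascript -e \'display notification "Build finished"\''},
    {"pid": "103", "process": "osascript",
     "parent_path": "/Volumes/GenP/AdobeGenP",
     "cmdline": 'osascript -e \'display dialog "Enter your MetaMask password" '
                'default answer "" with hidden answer\''},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

A legitimate notification from an installed app (event 102) produces no alert, while both prompts launched from a mounted DMG trip all three rules.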

Data Harvesting and Exfiltration

Once inside the system, Cthulhu Stealer performs a thorough harvest of sensitive information. It targets:

  • System Information: Collecting detailed data about the victim’s device.
  • iCloud Keychain Passwords: Using an open-source tool called Chainbreaker to dump passwords.
  • Web Browser Cookies: Gaining access to stored credentials and session tokens.
  • Telegram Account Information: Extracting data related to the user's Telegram account.

The collected data is then compressed into a ZIP archive and sent to a command-and-control (C2) server controlled by the attackers.

Similarities with Other Malware

Cthulhu Stealer shares a striking resemblance to another known macOS threat—Atomic Stealer. The similarities in functionality, particularly the use of osascript to prompt for passwords, suggest that Cthulhu Stealer may have been developed by modifying Atomic Stealer’s code. Despite these similarities, Cthulhu Stealer lacks advanced anti-analysis techniques and distinguishing features, making it a less sophisticated but still dangerous threat.

The End of Cthulhu Stealer?

Interestingly, the threat actors behind Cthulhu Stealer are reported to be no longer active. Internal disputes over payments led to accusations of an exit scam, resulting in the main developer being banned from a key cybercrime marketplace. However, the existence of Cthulhu Stealer underscores the importance of vigilance, as similar threats could easily emerge in the future.

Protecting Your macOS System

Although macOS has historically been less targeted by malware compared to Windows or Linux, the rise of threats like Cthulhu Stealer highlights the need for enhanced security practices:

  • Download Software from Trusted Sources: Avoid downloading software from unverified websites or sources. Stick to the Mac App Store or reputable vendors.
  • Keep Your System Updated: Regularly update your macOS to ensure you have the latest security patches.
  • Be Cautious of Unsigned Software: Be wary of running applications that are not signed or notarized by Apple, and never bypass Gatekeeper protections without fully understanding the risks.
  • Strengthen Your Security Settings: Utilize macOS’s built-in security features, such as enabling Gatekeeper and using System Settings > Privacy & Security to review and control application access.
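The "be cautious of unsigned software" advice can be turned into a concrete pre-launch check. The following is an added example, not Foresiet's or Apple's code: it asks Gatekeeper (`spctl`) and the quarantine attribute about a downloaded app before it is opened. The spctl and xattr calls only work on macOS; the output parser is pure Python and is exercised on constructed spctl output, with the sample paths and team id being placeholders.

```python
"""Added example: ask Gatekeeper about a downloaded app before opening it.
The spctl/xattr calls only work on macOS; the parser is pure Python."""
import subprocess
from typing import Dict

def parse_spctl(output: str) -> Dict[str, str]:
    """Parse `spctl --assess -vv` output: first line ends in ': accepted' or
    ': rejected', then a 'source=...' line explains the verdict."""
    verdict, source = "unknown", ""
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            verdict = "accepted"
        elif line.endswith(": rejected"):
            verdict = "rejected"
        elif line.startswith("source="):
            source = line[len("source="):]
    return {"verdict": verdict, "source": source}

def safe_to_run(assessment: Dict[str, str]) -> bool:
    """Pass only a Gatekeeper-accepted, notarized binary; anything else is
    exactly what a Control-click override would be bypassing."""
    return assessment["verdict"] == "accepted" and assessment["source"].startswith("Notarized")

def assess(path: str) -> Dict[str, str]:
    """macOS only: run spctl (it writes its verdict to stderr and exits non-zero
    on rejection) and check whether the quarantine attribute is still set."""
    proc = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                          capture_output=True, text=True)
    result = parse_spctl(proc.stdout + proc.stderr)
    quarantine = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                                capture_output=True, text=True)
    result["quarantined"] = "yes" if quarantine.returncode == 0 else "no"
    return result

# Constructed spctl output for a notarized app and for an unsigned DMG payload.
SAMPLE_ACCEPTED = ("/Applications/Example.app: accepted\n"
                   "source=Notarized Developer ID\n"
                   "origin=Developer ID Application: Example Corp (TEAMID0000)\n")
SAMPLE_REJECTED = ("/Volumes/CleanMyMac/CleanMyMac: rejected\n"
                   "source=no usable signature\n")

if __name__ == "__main__":
    import sys
    print(assess(sys.argv[1]) if len(sys.argv) > 1 else parse_spctl(SAMPLE_REJECTED))
```

Run it with a path on a Mac to assess a real download; without arguments it parses the constructed rejected sample.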

Apple's Response: Enhanced Security in macOS Sequoia

Apple is not standing idle in the face of these evolving threats. In response to the surge in macOS malware, Apple has announced additional security measures in its upcoming macOS Sequoia update. One key feature will remove the ability to Control-click and override Gatekeeper for software that isn’t properly signed or notarized, adding another layer of protection for users.

Conclusion

The discovery of Cthulhu Stealer serves as a reminder that no operating system is immune to cyber threats. macOS users must remain vigilant and proactive in securing their systems against such attacks. By adopting best practices and staying informed about the latest security updates, you can protect your data from the growing number of threats targeting Apple devices.


About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
