Cado Security researchers have discovered a malware-as-a-service (MaaS) targeting macOS users dubbed Cthulhu Stealer.
Cthulhu Stealer targets macOS users via an Apple disk image (DMG) that disguises itself as legitimate software. The researchers spotted Cthulhu Stealer impersonating disk images of legitimate software such as Adobe GenP,
CleanMyMac, and Grand Theft Auto IV.The malicious code is written in GoLang, upon mounting the dmg it prompts users to enter their system and MetaMask passwords using the macOS osascript
tool.
Once the user inputs their credentials, the malware stores them in a directory and uses Chainbreak to dump Keychain passwords. Then the malware creates a zip archive of the stolen data, which includes system and network information, and sends a notification to a command-and-control (C2) server. The malware also gathers system info, including IP address and hardware/software information.
“The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts. Shown in Figure 10, there are multiple checker functions that check in the installation folders of targeted file stores, typically in “Library/Application Support/[file store]”.” reads the report published by Cado Security. “A directory is created in /Users/Shared/NW and the contents of the installation folder are dumped into text files for each store.”
The malware can steal various types of information from a broad array of sources. These include browser cookies, which can give attackers access to user sessions and stored passwords, and numerous cryptocurrency wallets such as Coinbase, MetaMask, Wasabi, Binance, Daedalus, Electrum, Atomic, Harmony, Enjin, Hoo, Dapper, Coinomi, Trust, Blockchain, and XDeFI wallets highlighting the malware’s focus on exploiting financial data.
Furthermore, the malware targets specific applications and services, stealing data from Telegram’s Tdata account information, Minecraft user accounts, and even game-related files from Battlenet, indicating its potential to disrupt both personal and gaming activities. The malware can also dump Keychain and SafeStorage passwords.
Cthulhu Stealer shares similar functionality and features with the Atomic Stealer infostealer, leading experts to speculate that it was likely created by the same developer. Both stealers use the macOS command-line tool osascript to prompt users for passwords, even including the same spelling mistakes in their prompts.
The developers and affiliates of Cthulhu Stealer, operating as the Cthulhu Team, communicate via Telegram and rent out their malware for $500 per month.
Affiliates are responsible for deploying the malware and receive a percentage of earnings from the main developer. Cthulhu Stealer has been sold on two well-known malware marketplaces and advertised on Telegram. However, in 2024, affiliates began complaining about not receiving payments, accusing the developer, known as “Cthulhu” or “Balaclavv,” of being a scammer. This led to a permanent ban of the developer from the marketplace.
“In conclusion, while macOS has long been considered a secure system, the existence of malware targeting Mac users remains an increasing security concern. Although Cthulhu Team is seemingly no longer active, this serves as a reminder that Apple users are not immune to cyber threats. It’s crucial to remain vigilant and exercise caution, particularly when installing software from unofficial sources.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)