A recent discovery by Cado Security challenges the belief that macOS systems are immune to malware. Cthulhu Stealer, a malware-as-a-service (MaaS), specifically targets macOS users by exploiting their trust in well-known applications.
This malware disguises itself as legitimate applications such as CleanMyMac, Adobe GenP, or even supposed early access to "Grand Theft Auto VI". Once the malicious application is installed, it prompts the user to enter their system and MetaMask passwords, which it then uses to extract information from the macOS Keychain.
After obtaining the credentials, Cthulhu Stealer utilises the osascript tool to retrieve stored passwords, including those related to crypto-wallets like MetaMask, Coinbase, and Binance. The stolen data, compiled into a zip archive identified by the user’s country code and the time of the attack, is then sent to a command and control (C2) server.
Cthulhu Stealer doesn’t stop at stealing crypto-wallet information. It also targets Chrome extensions, Minecraft user data, and passwords for various platforms such as Wasabi, Daedalus, and Electrum. Additionally, it collects system information such as the IP address, system name, and OS version, enabling attackers to adjust their strategies in real time.
The cybercriminals behind this malware, known as "Cthulhu Team," rent out their service for $500 per month. On social media, they sometimes pose as employers offering jobs that require the quick download of software to track working hours, luring victims into installing it.
These developers and affiliates manage their operations via Telegram, where they organise the sale and distribution of the malware. According to Cado Security, Cthulhu Stealer is also sold on two well-known malware marketplaces, where sellers and buyers can exchange, negotiate, and promote their services.
To protect themselves, macOS users should install reputable antivirus software specifically designed for macOS and be cautious of job offers that require urgent software downloads. Regular software updates also reduce the risk of malware infections.
A spokesperson from CertiK shared tips on strengthening security: “It is crucial to download software only from the official website or the macOS App Store. If the software isn’t downloaded from the App Store, you need to check the file's hash value to ensure it matches the one provided by the official website.”
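As an added example (not code from the article, Cado Security or CertiK), the following POSIX shell script implements the CertiK advice above: it computes a downloaded installer's SHA-256 and compares it with the value published on the vendor's official site. The sha256sum/shasum fallback and the function names are my own assumptions.

```shell
#!/bin/sh
# verify_download.sh: check a downloaded file's SHA-256 against the hash
# published on the vendor's official website before opening or installing it.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Normalise a hash copied from a web page: strip whitespace, lower-case hex.
normalise_hash() {
  printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch (do not install), 2 if EXPECTED_SHA256
# is not a plausible SHA-256 value (64 hex characters).
verify_download() {
  file="$1"
  expected="$(normalise_hash "$2")"
  case "$expected" in
    ''|*[!0-9a-f]*) return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2
  actual="$(file_sha256 "$file")"
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published SHA-256"
    return 0
  fi
  echo "MISMATCH: $file does not match the published SHA-256" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Usage: verify_download.sh <downloaded-file> <published-sha256>
if [ "$#" -eq 2 ]; then
  verify_download "$1" "$2"
fi
```

A non-zero exit means the file should not be opened; a mismatch can be a corrupted download, but it is also exactly what a trojanised installer looks like.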