
Cthulhu Stealer: New macOS Malware Targets Apple Users’ Data

by Wajahat Raja

September 4, 2024 - TuxCare expert team

According to recent reports, cybersecurity researchers have discovered a new macOS malware dubbed the Cthulhu stealer. The information stealer targets macOS hosts and can harvest a wide range of data. In this article, we’ll dive into the details of the Cthulhu stealer and look at the protective measures available against such attacks. Let’s begin!

Cthulhu Stealer: Malware-as-a-Service (MaaS) Details

According to the information available, the Cthulhu stealer has been offered under a MaaS model since late 2023. Reports claim that it can be rented for a monthly fee of $500 and that it targets both x86_64 and Arm architectures. Cado Security researcher Tara Gould, providing further insight, stated:

“Cthulhu Stealer is an Apple disk image (DMG) that is bundled with two binaries, depending on the architecture. The malware is written in Golang and disguises itself as legitimate software.”

The macOS stealer also impersonates a range of legitimate programs, including CleanMyMac, Grand Theft Auto IV, and Adobe GenP. Adobe GenP is an open-source tool that patches Adobe apps to bypass the Creative Cloud service, activating them without a serial key.

macOS Malware Attack Technique

As for the attack technique, users who launch the file and allow it to run are then asked to enter their system password. This technique, used by the Cthulhu stealer, is referred to as an osascript-based method. Beyond this macOS information stealer, the same technique has been seen in Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer.

Once the user enters the password, a second prompt appears asking for their MetaMask password. The malware is also designed to collect system information and dump iCloud Keychain passwords, using an open-source tool called Chainbreaker for the latter.

After the data has been acquired, it is compressed into a ZIP archive and later exfiltrated to a command-and-control (C2) server. The stolen data can also include web browser cookies and Telegram account information. Providing further details on the Cthulhu stealer, Gould added:
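The chain described above (an osascript password prompt, data staged into a ZIP archive, and execution out of a mounted disk image) lends itself to behaviour-based detection on the endpoint. The following Python script is an added example for defenders, not code from the article, from Cado Security, or from the malware itself. It assumes a simple process-execution event format (pid, ppid, executable path, command line, parent executable path) that an EDR or unified-log collector could produce; the event records and all their values are constructed for this example. The osascript check keys on AppleScript's `with hidden answer` dialog option, which masks typed input and is what a password-style prompt launched from osascript looks like on the command line.

```python
"""Triage process-execution events for the stages the article attributes to
Cthulhu Stealer: an osascript password prompt, ZIP archive staging, and a
parent process running from a mounted disk image.
Added defender example; the event schema and sample values are constructed."""
import re
from collections import defaultdict

# AppleScript's "with hidden answer" masks the typed text, so an osascript
# command line containing it is a password-style dialog.
PROMPT_RE = re.compile(r"display\s+dialog.*with\s+hidden\s+answer", re.I | re.S)
# Disk images mount under /Volumes on macOS.
MOUNTED_IMAGE_RE = re.compile(r"^/Volumes/")
# Common archivers a stealer might shell out to when staging a ZIP.
ARCHIVERS = {"zip", "ditto"}

# Constructed sample events (not from a real capture). Parent 4099 runs from a
# mounted image and spawns both a hidden-answer prompt and a zip command;
# parent 300 is a benign scripting tool; parent 500 is a user zipping photos.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 4099, "exe": "/usr/bin/osascript",
     "args": 'osascript -e display dialog "[constructed dialog text]" '
             'default answer "" with hidden answer',
     "parent_exe": "/Volumes/CleanMyMac/CleanMyMac"},
    {"pid": 4103, "ppid": 4099, "exe": "/usr/bin/zip",
     "args": "zip -r /tmp/out.zip /tmp/stage",
     "parent_exe": "/Volumes/CleanMyMac/CleanMyMac"},
    {"pid": 301, "ppid": 300, "exe": "/usr/bin/osascript",
     "args": 'osascript -e display dialog "Backup finished"',
     "parent_exe": "/System/Applications/Utilities/Script Editor.app"
                   "/Contents/MacOS/Script Editor"},
    {"pid": 501, "ppid": 500, "exe": "/usr/bin/zip",
     "args": "zip -r photos.zip Pictures",
     "parent_exe": "/System/Applications/Utilities/Terminal.app"
                   "/Contents/MacOS/Terminal"},
]


def classify(event):
    """Return the set of suspicious stage labels a single event matches."""
    stages = set()
    exe_name = event["exe"].rsplit("/", 1)[-1]
    if exe_name == "osascript" and PROMPT_RE.search(event["args"]):
        stages.add("password_prompt")
    if exe_name in ARCHIVERS:
        stages.add("archive_staging")
    if MOUNTED_IMAGE_RE.match(event.get("parent_exe", "")):
        stages.add("mounted_image_origin")
    return stages


def triage(events):
    """Group events by parent process and rate each parent's behaviour chain.

    A parent that both prompts for a hidden-answer password and stages an
    archive is rated high; a prompt alone is medium; anything else that
    matched a single stage is low. Parents with no matches are omitted.
    """
    by_parent = defaultdict(set)
    for ev in events:
        by_parent[ev["ppid"]] |= classify(ev)

    findings = {}
    for ppid, stages in by_parent.items():
        if "password_prompt" in stages and "archive_staging" in stages:
            severity = "high"
        elif "password_prompt" in stages:
            severity = "medium"
        elif stages:
            severity = "low"
        else:
            continue
        findings[ppid] = {"severity": severity, "stages": sorted(stages)}
    return findings


if __name__ == "__main__":
    for ppid, finding in triage(SAMPLE_EVENTS).items():
        print(f"parent pid {ppid}: {finding['severity']} "
              f"({', '.join(finding['stages'])})")
```

Correlating by parent process matters more than any single indicator: osascript dialogs and zip invocations are each common on a developer's Mac, but one process that does both, from a freshly mounted DMG, is the shape of the stealer described here. In a real deployment the events would come from an EDR or `log stream` feed rather than the constructed list above.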

“The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating the developer of Cthulhu Stealer probably took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, even including the same spelling mistakes.”

The threat actors behind the macOS information stealer are no longer believed to be active. In addition, Apple has announced an update in the next version of its operating system intended to mitigate such threats.

Conclusion

The Cthulhu Stealer’s rise underscores the growing threat of sophisticated macOS malware targeting user data. To defend against such attacks, individuals should adopt robust security practices, including regular software updates, strong passwords, and awareness of phishing attempts, ensuring they stay one step ahead in the ever-evolving landscape of cyber threats.

The sources for this piece include articles in The Hacker News and Security Affairs.
