
New stealer malware targets Mac credentials and crypto wallets


A new malware strain dubbed Cthulhu Stealer poses a significant threat to macOS users, targeting their credentials and cryptocurrency wallets. Disguised as legitimate software, this malware is part of a growing trend of cyber threats against Apple’s operating system, challenging the long-held belief that macOS is immune to such attacks.

Cthulhu Stealer was developed as malware-as-a-service (MaaS) and linked to a shadowy group operating through Telegram. It exploits users’ trust to steal sensitive information and wreak havoc on their systems.

The malware targets the following cryptocurrency wallets:

  • Coinbase
  • Wasabi
  • MetaMask
  • Daedalus
  • Atomic Wallet
  • Binance
  • Harmony Wallet
  • Electrum Wallet
  • Enjin Wallet
  • Hoo Wallet
  • Dapper Wallet
  • Coinomi Wallet
  • Trust Wallet
  • Blockchain Wallet
  • XDeFi Wallet

Furthermore, the malware can steal from browser cookies, Chrome extension wallets, Keychain passwords, SafeStorage passwords, Battlenet game cache and log data, and Firefox cookies.

Researchers observed that the malware is written in Go and masquerades as legitimate software through an Apple disk image (DMG). It is designed to exploit the trust macOS users place in familiar software by disguising itself as popular applications such as CleanMyMac, Adobe GenP, and even Grand Theft Auto IV, which appears to be a typo for VI.

Upon mounting the DMG, the victim is prompted to open the software, initiating the malware’s malicious process. The macOS command-line tool osascript is then employed to prompt the user for their system password, followed by a request for their MetaMask password.

Password prompt for MetaMask. | Source: Cado Security

Once obtained, these credentials are stored in a directory on the user’s system, along with other sensitive data extracted from the macOS Keychain using Chainbreak.

“Once the user enters their password, a second prompt requests their MetaMask password. A directory is created in ‘/Users/Shared/NW’ with the credentials stored in text files. Chainbreak is used to dump Keychain passwords and stores the details in Keychain.txt,” explained researchers.

Cthulhu Stealer’s capabilities don’t end there. The malware gathers and fingerprints system information, including IP addresses, system name, OS version, and hardware and software details. All these details are then compressed into a zip archive and sent back to the malware’s command and control (C2) server, alerting the operators to new logs.

Upon analysing further, researchers discovered that Cthulhu Stealer harvests victims’ credentials and cryptocurrency wallets by targeting the file stores located in the Library/Application Support/[file store] directory, dumping their contents into text files for later extraction.
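The behaviours described above (an osascript password dialog followed by writes to /Users/Shared/NW, including Keychain.txt) can be turned into endpoint detection logic. The following is an added example, not code from the article or from Cado Security’s report; the event records and their field names are constructed to resemble simplified macOS process and file telemetry.

```python
"""Detection logic for the Cthulhu Stealer behaviours described in the article.

Added example, not part of the original article or Cado Security's report.
Event records are constructed to resemble simplified macOS endpoint telemetry
(process starts and file writes); field names are assumptions.
"""
import re
from collections import defaultdict

# Indicators taken from the article: osascript password prompts and the
# staging directory /Users/Shared/NW where Keychain.txt is written.
STAGING_DIR = "/Users/Shared/NW"
PASSWORD_PROMPT = re.compile(r"display dialog.*(password|hidden answer)", re.IGNORECASE)

# Constructed sample telemetry (not real captured data).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 501, "ppid": 400,
     "cmd": "osascript -e 'display dialog \"Enter your password\" default answer \"\" with hidden answer'"},
    {"type": "file", "pid": 400, "path": "/Users/Shared/NW/MetaMask.txt", "op": "create"},
    {"type": "file", "pid": 400, "path": "/Users/Shared/NW/Keychain.txt", "op": "create"},
    {"type": "process", "pid": 620, "ppid": 1,
     "cmd": "osascript -e 'tell application \"Finder\" to activate'"},
    {"type": "file", "pid": 700, "path": "/Users/alice/Documents/notes.txt", "op": "create"},
    {"type": "process", "pid": 800, "ppid": 790,
     "cmd": "osascript -e 'display dialog \"Admin password required\" default answer \"\" with hidden answer'"},
]

def classify(event):
    """Return a finding label for one event, or None if nothing matches."""
    if event["type"] == "process" and event["cmd"].startswith("osascript") \
            and PASSWORD_PROMPT.search(event["cmd"]):
        return "osascript_password_prompt"
    if event["type"] == "file" and event["path"].startswith(STAGING_DIR + "/"):
        if event["path"].endswith("/Keychain.txt"):
            return "keychain_dump_written"
        return "staging_dir_write"
    return None

def detect(events):
    """Group findings per originating process (the parent of the osascript
    prompt, or the writer of the staged file). A process that both spawned a
    password prompt and wrote to the staging directory is rated high; a
    prompt alone is only medium, since legitimate admin tools use it too."""
    findings = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            owner = ev["ppid"] if ev["type"] == "process" else ev["pid"]
            findings[owner].append(label)
    verdicts = {}
    for pid, labels in findings.items():
        prompt = "osascript_password_prompt" in labels
        staged = any(l in ("staging_dir_write", "keychain_dump_written") for l in labels)
        verdicts[pid] = "high" if prompt and staged else "medium"
    return verdicts
```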

The checker function in the main function. | Source: Cado Security

The parallel between Cthulhu Stealer and another infamous malware, Atomic Stealer, is striking. Both are written in Go and utilise osascript to trick users into surrendering their passwords, even sharing the same spelling mistakes — strongly suggesting that Cthulhu Stealer may be a derivative of Atomic Stealer.

Researchers found that the individuals behind Cthulhu Stealer operate primarily through Telegram, renting out the malware to affiliates for $500 a month. These affiliates are responsible for deploying malware, with the developer taking a cut of their earnings. They also found Cthulhu Stealer on two well-known malware marketplaces, which serve as a communication, arbitration, and advertising hub.

Researchers have urged macOS users to adhere to best cybersecurity practices, including downloading only from trusted sources and regularly updating their operating systems. Furthermore, using a reputable antivirus can also help protect MacBooks.

With the growing threat to macOS, Apple tightened Gatekeeper protection in macOS Sequoia.

In July 2024, Daggerfly, a China-based APT, introduced a backdoor for macOS named Macma. A few months earlier, in April, LightSpy spyware expanded its capabilities to macOS after targeting Indian iOS users.

Last year, the Realst malware targeted macOS 14 Sonoma.

“While macOS has long been considered a secure system, the existence of malware targeting Mac users remains an increasing security concern. Although the Cthulhu Team is seemingly no longer active, this serves as a reminder that Apple users are not immune to cyber threats. It’s crucial to remain vigilant and exercise caution, particularly when installing software from unofficial sources,” researchers concluded.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
