In a concerning development for macOS users and cryptocurrency holders, security researchers have identified a new malware-as-a-service (MaaS) threat named "Cthulhu Stealer." According to a recent report by Cado Security, this malware specifically targets macOS systems, challenging the long-held belief that Apple's operating system is immune to such threats. While macOS has maintained a reputation for security, recent years have seen an increase in malware targeting Apple’s platform. Notable examples include Silver Sparrow, KeRanger, and Atomic Stealer. Cthulhu Stealer is the latest addition to this growing list, indicating a shift in the cybersecurity landscape for macOS users.
How Cthulhu Stealer Works
Cthulhu Stealer is distributed as an Apple disk image (DMG) file, disguising itself as legitimate software such as CleanMyMac, Grand Theft Auto IV, or Adobe GenP. Written in Go and built for both x86_64 and ARM architectures, the malware operates by:
- Using osascript to prompt users for their system password and MetaMask credentials.
- Creating a directory at /Users/Shared/NW to store stolen information.
- Extracting credentials and cryptocurrency wallets from various sources, including browser cookies, game accounts, and multiple cryptocurrency wallets.