Malware as a Service: Cthulhu steals macOS keychain and more

A new macOS infostealer is currently circulating, which criminals are apparently selling on the relevant forums as so-called Malware-as-a-Service (MaaS) for a monthly fee. As the security company Cado Security writes, the data-stealing malware has been named “Cthulhu Stealer”. It is designed to steal sensitive data from Macs.

The new malware is circulating in the form of various apps designed to entice users into clicking on them – including a supposed preview of GTA VI (which, funnily enough, is distributed under the mistaken filename “GTAIV_EarlyAccess_MACOS_Release.dmg”), a cracked Adobe Creative Cloud tool and a copy of the popular cleanup tool CleanMyMac. According to Cado Security, other file names in circulation are generic ones such as “Launch.dmg” or “Setup2024.dmg”.

Cthulhu Stealer is said to have been circulating since 2023 in different variants and under different names, and is regularly updated as MaaS for its “subscribers”. Prices are reported to be around $500 per month, offered through various dark web forums. The malware runs on both Apple Silicon and Intel Macs. It can harvest data from the (iCloud) Keychain, browser passwords including browsing history, various crypto wallets, Telegram account data and more, and send it to its operators. Cado Security identified a good two dozen data sources the stealer can tap once it has infiltrated a Mac.

Still, the malware's installation process is fairly cumbersome. Users are instructed to launch the app by right-clicking it and choosing “Open”, which triggers a macOS warning dialog because the malware carries no Apple signature. Opening unsigned apps is due to become harder with macOS 15. Finally, Cthulhu Stealer prompts users to “update system settings”.

To do so, an administrator password must be entered; this dialog also looks normal. According to Cado Security, the malware is written in Go and uses the command line tool osascript to run its AppleScript code. Users are also asked for their MetaMask password if the wallet is present. Conclusion: Cthulhu Stealer seems to be aimed more at inexperienced users. Users should take care not to run software from suspicious sources.
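As an added illustration of how a defender might hunt for the fake password prompt described above (this script is not from the article or from Cado Security's report), the code below scans process-execution records for `osascript` launching an AppleScript dialog with a hidden (masked) answer field, and raises the severity when the parent process runs from a mounted disk image under /Volumes/, which is where an app launched straight out of a .dmg lives. The tab-separated record format, the process paths and the dialog texts are constructed for the example and are assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-execution records (not real telemetry), one
# event per line, tab-separated: timestamp, pid, ppid, executable path, command line.
SAMPLE_LOG = "\n".join([
    "\t".join(["2024-08-22T10:00:00Z", "501", "1",
               "/Volumes/Setup2024/Setup2024.app/Contents/MacOS/Setup2024",
               "/Volumes/Setup2024/Setup2024.app/Contents/MacOS/Setup2024"]),
    "\t".join(["2024-08-22T10:01:02Z", "512", "501", "/usr/bin/osascript",
               'osascript -e \'display dialog "macOS needs to update system settings" '
               'default answer "" with hidden answer\'']),
    "\t".join(["2024-08-22T10:01:05Z", "513", "501", "/usr/bin/osascript",
               'osascript -e \'display dialog "Enter your MetaMask password" '
               'default answer "" with hidden answer\'']),
    "\t".join(["2024-08-22T10:02:00Z", "520", "1", "/usr/bin/osascript",
               'osascript -e \'tell application "Finder" to activate\'']),
    "\t".join(["2024-08-22T10:03:00Z", "530", "1", "/bin/ls", "ls -la"]),
    "\t".join(["2024-08-22T10:04:00Z", "540", "1", "/usr/bin/osascript",
               'osascript -e \'display dialog "PIN" default answer "" with hidden answer\'']),
])


@dataclass
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    exe: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    ts: str
    severity: str
    reason: str


# "display dialog ... with hidden answer" is the AppleScript idiom for a
# masked text field, i.e. a dialog that asks the user for a secret.
HIDDEN_ANSWER_RE = re.compile(r"display\s+dialog\b.*\bwith\s+hidden\s+answer", re.IGNORECASE)
# Words in the dialog text that make the prompt look like a credential request.
SECRET_WORDS_RE = re.compile(r"password|passphrase|system settings", re.IGNORECASE)


def parse_events(text):
    """Parse the tab-separated records; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t", 4)
        if len(parts) != 5:
            continue
        ts, pid, ppid, exe, cmdline = parts
        events.append(ProcEvent(ts, int(pid), int(ppid), exe, cmdline))
    return events


def find_credential_prompts(text):
    """Return a Finding for every osascript run that shows a masked-input dialog."""
    events = parse_events(text)
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.exe.endswith("/osascript") or not HIDDEN_ANSWER_RE.search(e.cmdline):
            continue
        severity = "medium"
        reason = "osascript displays a dialog with a hidden-answer field"
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.exe.startswith("/Volumes/"):
            # Parent process is running straight out of a mounted disk image.
            severity = "high"
            reason += f"; parent {parent.exe} runs from a mounted disk image"
        elif SECRET_WORDS_RE.search(e.cmdline):
            severity = "high"
            reason += "; dialog text asks for a password or a 'system settings' update"
        findings.append(Finding(e.pid, e.ts, severity, reason))
    return findings


if __name__ == "__main__":
    for f in find_credential_prompts(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid} [{f.severity}] {f.reason}")
```

On the constructed sample this flags the two prompts spawned by the app running from the mounted Setup2024 image as high severity and the generic “PIN” dialog as medium, while the harmless Finder script and `ls` produce no finding. In practice the records would come from an EDR or macOS unified log export rather than an inline string, and the parent-path heuristic is only a signal: legitimate installers also run from disk images, so the finding should be reviewed together with the app's code-signing and notarization status.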


(B.Sc.)
