A newly identified malware-as-a-service known as Cthulhu Stealer targets macOS users, first luring them in by imitating legitimate software and then stealing up to two dozen different types of data.
Cthulhu Stealer is believed to be based on another macOS MaaS called Atomic Stealer, but charges affiliates half the price — $500 per month versus the $1,000 a month cybercriminals shill out for Atomic Stealer. Details about the stealer, which first emerged in late 2023, were revealed in a blog post by Cado Security on Thursday.
“The groups behind Cthulhu and Atomic are distinct, but there are notable similarities between the stealers. Atomic Stealer comes with a control panel for purchasers, whereas Cthulhu doesn’t seem to,” Tara Gould, threat research lead at Cado Security told SC Media. “While there are minor differences in the targeted file storage locations, recent versions of Atomic Stealer include encryption routines for obfuscation, with other versions containing payloads encoded in Base64.”
One notable similarity between Cthulhu and Atomic is the use of the macOS command-line tool osascript to prompt the user for their password to access items stored in Keychain; spelling mistakes in the code also appear to carried over from Atomic to Cthulhu.
However, unlike Cthulhu, Atomic Stealer “appears to be actively maintained with regular updates and new variants frequently released,” Gould noted, whereas the operator of Cthulhu, also known as Balaclavv, was permanently banned from the cybercrime marketplace Cthulhu Stealer was originally advertised on due to allegedly scamming its own affiliates out of thousands of dollars.
Posts on the cybercrime site in March 2024 accused Cthulhu of failing to pay affiliates their cut of money stolen from victims through deployment of the MaaS, with one affiliate claiming the operator owed them $4,500.
“The surprising part of Cthulhu Stealer is the amount of money that the group managed to steal through deploying the stealer. In the grand scheme of malware, it isn’t a large amount of money, but it shows that users were still able to become infected,” Gould noted. “Mac’s inbuilt security tools, such as GateKeeper, should ensure binaries are signed to run, however this could be due to the macOS version that the user has.”
Infostealer impersonates GTA VI, snatches passwords, wallets and gamer data
Cthulhu Stealer initiates infection by impersonating legitimate software, including CleanMyMac, Adobe GenP and much-anticipated Grand Theft Auto VI video game, which has yet to be released.
The malware itself is an Apple disk image (DMG) written in GoLang that prompts the user to open the imitation software and then leverages osascript to prompt them for their password, stating this is necessary to update their system and launch the software. Gould notes this password entry is necessary for Keychain access but not for the stealers’ other activities. A second prompt for the user’s MetaMask password similarly aims to gain access to this specific wallet.
The infostealer utilizes the open-source forensic tool Chainbreaker to extract Keychain contents, retrieves IP details using ipinfo.io and “fingerprints” the victim’s system information, storing the stolen data in a directory it creates at the file path /Users/Shared/NW. The malware also checks multiple file stores for credentials and cryptocurrency wallets, including from gaming accounts like Minecraft and Battlenet.
Overall, the stealer targets 24 different data sources, most of which are cryptocurrency wallets.
Cado Security recommends macOS users enable the system’s built-in security features, such as Gatekeeper, keep up-to-date with security patches from Apple and other applications, utilize antivirus software for added protection, and only download software from trusted sources.
