Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

A new macOS data stealer is going after Apple users

An abstract image of a lock against a digital background, denoting cybersecurity.

Cybersecurity experts from Cado Security have uncovered a new information-stealing malware, targeting Apple macOS endpoints.

The malware is called Cthulhu Stealer, and is capable of stealing all sorts of data - system information, iCloud Keychain passwords (using an open-source tool called Chainbreaker), other login credentials, web browser cookies, and Telegram account information.

Furthermore, it prompts victims to enter their system password, as well as login details for the popular MetaMask cryptocurrency wallet.

A copy of Atomic Stealer

"The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts," Cado Security’s researchers said in their report.

"The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating the developer of Cthulhu Stealer probably took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, even including the same spelling mistakes."

Victims are usually tricked into downloading the malware, the researchers added, as it is advertised as legitimate software and games, posing as the likes of CleanMyMac, Grand Theft Auto IV, and Adobe GenP (an open source tool that allows Adobe users to work around Creative Cloud services and activate the software without a serial key).

For the malware to work, the victims need to give explicit consent (since the infostealer needs to make it past Gatekeeper protections). However, since they expect legitimate software, most victims probably grant this consent.

Once Cthulhu, which apparently costs $500 a month to run and works on both x86_64, and Arm architecture, grabs all the interesting information, it compresses it into a .ZIP archive and then exfiltrates, by unknown means, to a command-and-control (C2) server.

The good news is that the malware isn’t particularly advanced, and will probably picked up by most of the best antivirus products available today.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.