In summary
- Security researchers have identified a new malware-as-a-service (MaaS) called “Cthulhu Stealer” that specifically targets macOS systems.
- Cthulhu Stealer is distributed as an Apple disk image (DMG) file, disguising itself as legitimate software such as CleanMyMac or Grand Theft Auto IV.
- The malware, written in Go, is built for both the x86_64 and ARM architectures, and steals credentials and cryptocurrency wallets from a range of sources, including browser cookies and gaming accounts.
In a worrying development for macOS users and cryptocurrency holders, security researchers have identified a new malware-as-a-service (MaaS) called “Cthulhu Stealer.”
According to a recent report from Cado Security, this malware specifically targets macOS systems, challenging the long-held belief that Apple’s operating system is immune to such threats.
While macOS has maintained a reputation for strong security, recent years have seen a rise in malware targeting Apple’s platform. Notable examples include Silver Sparrow, KeRanger, and Atomic Stealer. Cthulhu Stealer is the latest addition to this growing list, signaling a shift in the cybersecurity landscape for macOS users.
Cthulhu Stealer is distributed as an Apple disk image (DMG) file, disguising itself as legitimate software such as CleanMyMac, Grand Theft Auto IV, or Adobe GenP, according to Cado’s report. The malware, written in Go, is built for both the x86_64 and ARM architectures. This threat comes after recent reports of other cryptocurrency-stealing malware targeting Call of Duty players.
Upon execution, the malware uses osascript to prompt users for their system password and MetaMask credentials. It then creates a directory at ‘/Users/Shared/NW’ to store the stolen information. The malware’s main function is to extract credentials and cryptocurrency wallets from various sources, including browser cookies, game accounts, and multiple cryptocurrency wallets.
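The two behaviours described above, a credential prompt via osascript launched from a mounted disk image and writes to the ‘/Users/Shared/NW’ staging directory, are concrete enough to hunt for in endpoint telemetry. The following is an added detection example, not code from Cado’s report or from the malware; the event format and field names are an assumed generic EDR-style export, the sample events are constructed, and the dialog wording and the `/Volumes/` heuristic for “launched from a DMG” are assumptions rather than details taken from the report.

```python
import json
from pathlib import PurePosixPath

# Constructed sample events in an assumed, simplified JSON-lines shape
# (fields mimic a generic EDR export, not any specific product).
SAMPLE_EVENTS = """\
{"type":"exec","pid":501,"ppid":480,"image":"/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac","cmd":"CleanMyMac"}
{"type":"exec","pid":502,"ppid":501,"image":"/usr/bin/osascript","cmd":"osascript -e 'display dialog \\"Enter your password\\" default answer \\"\\" with hidden answer'"}
{"type":"file_write","pid":501,"path":"/Users/Shared/NW/Keychain.txt"}
{"type":"exec","pid":600,"ppid":1,"image":"/usr/bin/osascript","cmd":"osascript /Users/alice/backup.scpt"}
{"type":"file_write","pid":600,"path":"/Users/alice/Documents/notes.txt"}
"""

STAGING_DIR = PurePosixPath("/Users/Shared/NW")  # staging path named in the report
PROMPT_WORDS = ("password", "hidden answer")     # assumed wording of the osascript prompt


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule_name, pid) for every event matching one of two rules:
    1. osascript asking for a secret, with a parent running from a mounted
       volume (a DMG mounts under /Volumes/; external disks do too, so
       treat this as a lead to triage, not proof on its own);
    2. any file write into the /Users/Shared/NW staging directory."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "exec"}
    hits = []
    for e in events:
        if e["type"] == "exec" and e["image"] == "/usr/bin/osascript":
            parent = by_pid.get(e["ppid"])
            from_volume = parent is not None and parent["image"].startswith("/Volumes/")
            asks_secret = any(w in e["cmd"].lower() for w in PROMPT_WORDS)
            if from_volume and asks_secret:
                hits.append(("osascript_credential_prompt_from_dmg", e["pid"]))
        elif e["type"] == "file_write":
            p = PurePosixPath(e["path"])
            if p == STAGING_DIR or STAGING_DIR in p.parents:
                hits.append(("write_to_cthulhu_staging_dir", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: pid {pid}")
```

Only the osascript prompt spawned by the process running from the mounted image and the write under ‘/Users/Shared/NW’ are flagged; the user’s own osascript backup script and ordinary document write are not.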
Cthulhu Stealer shares similarities with Atomic Stealer, another macOS-targeting malware identified in 2023. Both are written in Go and focus on stealing cryptocurrency wallets, browser credentials, and keychain data. The similarity in functionality suggests that Cthulhu Stealer could be a modified version of Atomic Stealer.
The malware is operated by a group known as “Team Cthulhu,” which uses Telegram for communication. They offer the stealer for rent for $500 a month as part of a malware-as-a-service model, with affiliates responsible for deployment and receiving a percentage of the profits.
Malware-as-a-service is a business model in the cybercrime world where malicious software and related services are sold or rented to customers, typically to other criminals. This allows individuals or groups without advanced technical skills to carry out cyberattacks using pre-configured malware tools. MaaS providers often offer customer support, updates, and customization options, similar to legitimate software services.
However, recent developments suggest problems within the operation.
Affiliates have filed complaints against the lead developer, known as “Cthulhu” or “Balaclavv,” accusing them of withholding payments, according to Cado’s report. Researchers noted that this has led to the developer being banned from at least one malware marketplace.
Edited by Stacy Elliott.
Crypto Keynote USA