Apple’s Macs are less targeted by malware than Windows PCs, but that doesn’t mean they are immune. Increasingly, insidious types of Mac malware are being developed that have researchers concerned enough to issue public warnings, and that’s the case again today.
As reported by Hacker News, Cado Security has identified a malware-as-a-service (MaaS) targeting macOS users named “Cthulhu Stealer.” First spotted in late 2023, the malicious software is designed to steal sensitive information from infected Macs, such as saved passwords from iCloud Keychain, information from web browsers, and even details from Telegram accounts.
What’s particularly concerning is that it’s being sold as a service on the dark web for $500 per month, potentially allowing multiple bad actors to use it against unsuspecting Mac owners.
Cato Security researcher Tara Gould reports that Cthulhu Stealer disguises itself as popular software to trick users into installing it. It might appear as CleanMyMac, Grand Theft Auto IV, or even Adobe GenP (a tool some users employ to bypass Adobe’s subscription model). The malware comes packaged as a disk image (DMG) file.
If a user tries to open the fake app, macOS’s built-in security feature, Gatekeeper, warns that the software is unsigned. But if a user chooses to bypass this warning, the malware immediately asks for the user’s system password, mimicking a legitimate system prompt. This technique isn’t new – other Mac malware like Atomic Stealer and MacStealer use similar tricks.
Once it has the necessary permissions, Cthulhu Stealer can access and steal a wide range of sensitive data. For crypto users, it specifically targets MetaMask digital wallet information. All of this stolen data is then sent to the attackers’ servers.
Notably, reports suggest that whoever designed Cthulu Stealer is no longer active, apparently following disputes over payments and accusations of scamming their own customers, i.e. other cybercriminals who were using the malware.
While Cthulhu Stealer isn’t the most sophisticated malware out there, it’s still a significant threat to Mac users who might be tricked into installing it. General security pointers include only downloading software from trusted sources like the App Store or official developer websites, being wary of any app asking for your system password during installation, and keeping your Mac updated with the latest security patches from Apple.
In macOS Sequoia, expected to be released in mid-September, Apple plans to remove the ability to easily override Gatekeeper warnings by Control-clicking. Instead, users will need to go through System Settings to allow unsigned software to run, adding an extra step that might make users think twice before running potentially dangerous apps.
