Malware as a service: Cthulhu Stealer steals macOS keychain and more

Posing as "GTA VI" and then siphoning off data: criminals are selling a new Mac infostealer to other crooks. Fortunately, it is easy to stop.

No, this is not "GTA VI": Cthulhu Stealer on a Mac. (Image: Cado Security)


A new macOS infostealer is in circulation, and the crooks behind it are apparently selling it as Malware-as-a-Service (MaaS) for a monthly fee in the relevant forums. As the security company Cado Security writes, the stealer has been named "Cthulhu Stealer". It is designed to exfiltrate sensitive data from the Mac.

The stealer is being distributed as various apps designed to entice users into opening them, including an alleged preview of GTA VI (which, amusingly, ships under the wrong file name "GTAIV_EarlyAccess_MACOS_Release.dmg"), an Adobe Creative Cloud piracy tool and a copy of the popular CleanMyMac clean-up utility. According to Cado Security, other file names in circulation are generic ones such as "Launch.dmg" or "Setup2024.dmg".

Cthulhu Stealer is said to have been circulating in different variants and under different names since 2023, and to be updated regularly as MaaS for its "customers". The price is reportedly around 500 US dollars per month, offered through various dark-web forums. The malware runs on both Apple Silicon and Intel Macs. It can read data from the (iCloud) keychain, browser passwords and browsing history, various cryptocurrency wallets, Telegram account data and more, and sends it to its operators. Cado Security identified a good two dozen data sources the stealer targets once it has gained a foothold on the Mac.

That said, the infection process is still rather clumsy. Because the malware carries no Apple signature, the user has to launch the app via right-click and "Open", which brings up a macOS warning dialog. With macOS 15, opening unsigned apps this way is set to become more difficult. Finally, Cthulhu Stealer prompts the user to "update the system settings".

That step asks for the admin password, and this dialog, too, looks rather generic. According to Cado Security, the malware is written in Go and uses the command-line tool osascript to run AppleScript code; if MetaMask is installed, it also asks for the MetaMask password. Conclusion: Cthulhu Stealer appears to be aimed mainly at inexperienced users. Users should be careful not to run software from dubious sources.
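The chain described in the two paragraphs above (an unsigned app opened from a disk image, which then spawns osascript to show a password dialog) is easy to spot in process telemetry. The following is an added example written for this article, not code from Cado Security or from the malware itself. It scores constructed process-execution records: an osascript child whose inline AppleScript uses the standard "display dialog ... with hidden answer" password-box idiom, launched by a parent running from a mounted DMG under /Volumes/, is flagged. The exact dialog text, the record schema and the sample events are assumptions made for the example; the article only reports that osascript runs AppleScript and that the user is asked for the admin (and, where present, MetaMask) password.

```python
# Added example: heuristic detection of an osascript credential prompt spawned by
# an app running from a mounted disk image. Not Cado Security's code and not the
# stealer's own script. Event fields and sample events are constructed for this
# example and follow no particular telemetry schema.
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProcExec:
    """One process-execution record (constructed schema)."""
    parent: str                                   # image path of the parent process
    image: str                                    # image path of the new process
    argv: List[str] = field(default_factory=list)  # argument vector of the new process


# Standard AppleScript idiom for a password box: display dialog ... with hidden answer
HIDDEN_ANSWER = re.compile(r"display\s+dialog\b.*?\bwith\s+hidden\s+answer", re.I | re.S)
# Words that suggest the box is fishing for a credential (English/German UI strings)
CREDENTIAL_WORDS = re.compile(r"\b(password|passwort|keychain|metamask|system settings)\b", re.I)
# Disk-image names the article lists as lures; matched as prefixes of the mount name
LURE_STEMS = ("GTAIV_EarlyAccess_MACOS_Release", "Launch", "Setup2024")


def inline_script(argv: List[str]) -> str:
    """Join every '-e <script>' fragment passed to osascript into one script text."""
    parts = []
    i = 0
    while i < len(argv):
        if argv[i] == "-e" and i + 1 < len(argv):
            parts.append(argv[i + 1])
            i += 2
        else:
            i += 1
    return "\n".join(parts)


def classify(ev: ProcExec) -> Dict[str, object]:
    """Score a record: 0 = uninteresting; each matching heuristic adds one point."""
    reasons: List[str] = []
    if os.path.basename(ev.image) != "osascript":
        return {"score": 0, "reasons": reasons}
    script = inline_script(ev.argv)
    if HIDDEN_ANSWER.search(script):
        reasons.append("osascript shows a hidden-answer dialog")
        if CREDENTIAL_WORDS.search(script):
            reasons.append("dialog text asks for a credential")
    # Parent launched from a mounted disk image: typical for the DMG lures above
    if ev.parent.startswith("/Volumes/"):
        reasons.append("parent runs from a mounted DMG under /Volumes/")
        mount = ev.parent.split("/")[2] if ev.parent.count("/") >= 2 else ""
        if any(mount.startswith(stem) for stem in LURE_STEMS):
            reasons.append(f"mount name matches a known lure: {mount}")
    return {"score": len(reasons), "reasons": reasons}


def scan(events: List[ProcExec], threshold: int = 3) -> List[Dict[str, object]]:
    """Return the records whose score reaches the alert threshold."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict["score"] >= threshold:
            hits.append({"parent": ev.parent, **verdict})
    return hits


# Constructed sample events (not real telemetry). The .app name inside the DMG and the
# dialog wording are assumptions for the example.
SAMPLE_EVENTS = [
    # Lure app from the "GTA VI" disk image asks for the admin password via osascript
    ProcExec(
        parent="/Volumes/GTAIV_EarlyAccess_MACOS_Release/GTAIV_EarlyAccess.app/Contents/MacOS/GTAIV_EarlyAccess",
        image="/usr/bin/osascript",
        argv=["osascript", "-e",
              'display dialog "To update the system settings, enter your password:" '
              'default answer "" with hidden answer buttons {"OK"} default button 1'],
    ),
    # Benign: a workflow in Automator shows a notification
    ProcExec(
        parent="/Applications/Automator.app/Contents/MacOS/Automator",
        image="/usr/bin/osascript",
        argv=["osascript", "-e", 'display notification "Export finished"'],
    ),
    # Not osascript at all
    ProcExec(parent="/bin/zsh", image="/usr/bin/curl", argv=["curl", "https://example.invalid/"]),
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["parent"], hit["score"], "; ".join(hit["reasons"]))
```

A hidden-answer dialog on its own is not malicious (legitimate admin scripts use it too), which is why the score only crosses the alert threshold when the dialog wording and the /Volumes/ parent add up; tune the threshold and the lure list to your own telemetry.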


(bsc)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.