
New macOS malware impersonates popular apps then steals your data

Security researchers have discovered new macOS malware that’s built to steal your most sensitive data. Dubbed ‘Cthulhu Stealer,’ the malware targets users by impersonating popular apps so it can harvest your system password, iCloud Keychain passwords, cryptocurrency wallets, and more.

Cthulhu Stealer malware threat

Cthulhu Stealer has reportedly been available since late 2023 as a $500/month paid service for bad actors. It can be especially effective because of how well it disguises itself as legitimate software.

Ravie Lakshmanan writes for The Hacker News:

Some of the software programs it impersonates include CleanMyMac, Grand Theft Auto IV, and Adobe GenP, the last of which is an open-source tool that patches Adobe apps to bypass the Creative Cloud service and activates them without a serial key.

Users who end up launching the unsigned file after explicitly allowing it to be run – i.e., bypassing Gatekeeper protections – are prompted to enter their system password… In the next step, a second prompt is presented to enter their MetaMask password. Cthulhu Stealer is also designed to harvest system information and dump iCloud Keychain passwords using an open-source tool called Chainbreaker.

The stolen data, which also comprises web browser cookies and Telegram account information, is compressed and stored in a ZIP archive file, after which it’s exfiltrated to a command-and-control (C2) server.

According to Lakshmanan, the threat actors behind Cthulhu Stealer are no longer active. However, the software can still do just as much damage in other malicious users’ hands.

Mac users are generally targeted less often by malware authors than Windows and Linux systems are. Cthulhu Stealer, however, seems built to take advantage of the sense of security macOS can sometimes provide.

It’s not uncommon for Mac users to routinely bypass Gatekeeper’s protections. Apple is trying to change that in macOS Sequoia. But the fact remains that posing as a known app can be an effective way for malware to infiltrate Mac systems and harvest users’ data.

One way to keep yourself safe from such threats is to prioritize downloading apps from the Mac App Store and from known third-party platforms. Popular developers’ official websites are another generally safe place to get your software.

9to5Mac’s Take

Cthulhu Stealer, and other software threats like it, can do far less damage when users take macOS’s security features seriously. So the next time you’re tempted to bypass Gatekeeper and open a new app downloaded from the web, be sure you know where it came from.

For more information on Cthulhu Stealer, I recommend reading the full Hacker News article.

Have you encountered Cthulhu Stealer or other malware like it? What are your security best practices? Let us know in the comments.


You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day.


Author: Ryan Christoffel

Ryan got his start in journalism as an Editor at MacStories, where he worked for four years covering Apple news, writing app reviews, and more. For two years he co-hosted the Adapt podcast on Relay FM, which focused entirely on the iPad. As a result, it should come as no surprise that his favorite Apple device is the iPad Pro.
