Apple Mac users are currently facing a new cybersecurity threat from a malware strain known as “Cthulhu Stealer.” This malicious software has the capability to steal personal information, including credentials and data from various cryptocurrency wallets, posing a significant risk to users who may believe their systems are immune to such threats.
The Myth of macOS Immunity
“For years, there has been a general belief in the Zeitgeist that macOS systems are immune to malware,” stated cybersecurity firm Cado Security on August 22. While macOS has traditionally been perceived as a secure operating system, there has been a notable increase in malware targeting these systems in recent years. This growing trend challenges the long-held belief that Mac users are safer than their Windows counterparts.
How Cthulhu Stealer Operates
Cthulhu Stealer typically presents itself as an Apple disk image (DMG) file, masquerading as legitimate software applications such as CleanMyMac and Adobe GenP. Upon opening the file, users are prompted by the macOS command-line tool to enter their password, believing they are installing a legitimate application. After entering the password, a second prompt appears, requesting the password for popular cryptocurrency wallets, such as MetaMask.
Targeted Cryptocurrency Wallets Include:
- MetaMask
- Coinbase Wallet
- Wasabi Wallet
- Electrum Wallet
- Atomic Wallet
- Binance Wallet
- Blockchain Wallet
Once access is granted, Cthulhu Stealer stores the stolen information in text files and further fingerprints the victim’s system to gather data like IP addresses and operating system versions. This data collection process not only compromises personal security but also provides cybercriminals with valuable information to carry out more targeted attacks.
“The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts,” explained Tara Gould, a researcher at Cado Security. The malware’s focus on stealing sensitive data aligns with other known malware targeting Apple systems.
Interestingly, Cthulhu Stealer bears a strong resemblance to a previous malware strain named Atomic Stealer, which surfaced in 2023, also targeting Apple computers. Gould suggests that the developer of Cthulhu Stealer may have modified the Atomic Stealer’s code, indicating a potential evolution of existing threats rather than a completely new development.
Cthulhu Stealer was reportedly being rented out to affiliates for a monthly fee of $500 via the Telegram messaging platform. The main developer profited from successful malware deployments by sharing the earnings with affiliates. However, recent reports indicate that the scammers behind Cthulhu Stealer are no longer active. Disputes over payments have led to accusations of an exit scam, where affiliates allege they were left unpaid for successful attacks.
The emergence of Cthulhu Stealer is not an isolated incident. Cointelegraph reported on August 23 that another piece of malware, AMOS, has also been targeting Mac users, with the ability to clone the Ledger Live software, which is commonly used for managing cryptocurrency wallets. These developments highlight an expanding threat landscape where Mac users are increasingly being targeted by sophisticated malware designed to steal valuable digital assets.
Apple’s Response to Rising Malware Threats
In light of the growing malware threats, Apple has acknowledged the need to enhance its security measures. On August 6, Apple announced updates to its next-generation macOS that would make it more challenging for users to override Gatekeeper protections. Gatekeeper is a security feature that ensures only trusted and verified applications are allowed to run on macOS systems. These updates are part of Apple’s ongoing effort to bolster its defenses against emerging threats.
In addition to the Cthulhu Stealer threat, Telegram recently downplayed the severity of an exploit discovered in May that allowed researchers to access macOS camera systems. Telegram attributed the issue more to Apple’s permission security protocols rather than a vulnerability within the messaging platform itself. This incident underscores the importance of robust security practices across all software and platforms used on macOS.
| Aspect | Details |
|---|---|
| Name of Malware | Cthulhu Stealer |
| Target | Mac users, focusing on stealing personal info and cryptocurrency wallet data |
| Disguised As | Legitimate software (e.g., CleanMyMac, Adobe GenP) |
| Primary Functionality | Steals credentials, crypto wallets, and other sensitive information |
| Similar to | Atomic Stealer (2023) |
| Distribution | Rented via Telegram for $500 per month, profit-sharing with affiliates |
| Targeted Wallets | MetaMask, Coinbase, Wasabi, Electrum, Atomic, Binance, Blockchain Wallet |
| Apple’s Response | Enhanced Gatekeeper protections announced in August 2024 |
The rise of malware like Cthulhu Stealer and AMOS signals a shift in the cyber threat landscape, where Mac users are no longer overlooked by cybercriminals. This shift necessitates heightened awareness and proactive measures from both users and developers. While Apple continues to strengthen its security features, users must also remain vigilant, ensuring that they only download software from trusted sources, keep their systems updated, and use robust security solutions.
The belief that macOS systems are immune to malware has been steadily eroded by the increasing number of threats specifically targeting Apple devices. The Cthulhu Stealer is a stark reminder of the evolving nature of cyber threats and the importance of maintaining strong security practices. By staying informed and cautious, Mac users can better protect themselves against these sophisticated attacks that seek to compromise their personal information and digital assets.
