While Mac users often consider themselves safer from malware than their Windows counterparts, recent findings suggest otherwise. Security researchers have identified a new macOS malware family designed specifically to steal sensitive information, including credentials and cryptocurrency wallet data.
The malware, named Cthulhu Stealer, was documented by Cado Security. It is offered as Malware-as-a-Service (MaaS) and harvests a wide range of data from infected systems: saved passwords, browser cookies, cryptocurrency wallet files, and details from Telegram accounts, among others.
First seen for sale in late 2023, Cthulhu Stealer was rented out for a relatively low fee of $500 per month, making it an accessible tool for criminals targeting Mac users. Notably, it exploits no software vulnerability; it relies entirely on the user installing it.
Cado Security noted that the macOS malware was found being sold on prominent dark web marketplaces known for facilitating the trade of malicious software. These platforms serve as hubs for communication, negotiation, and advertising, where Cthulhu Stealer was actively promoted.
How Cthulhu Stealer Infiltrates Systems
The malware gets onto a system by posing as legitimate software. Among the programs it impersonates are CleanMyMac, Grand Theft Auto IV (likely meant to be VI), and Adobe GenP. Because the installer is unsigned, Apple's Gatekeeper warns the user when they try to open it; Gatekeeper is the macOS feature that blocks unsigned or un-notarized downloads from running. Ignoring that warning is the critical step: once launched, Cthulhu Stealer displays a password dialog styled as part of the installation, collects the user's account password, and then uses it to dump keychain credentials and gather the other data it targets from the device. The only defence Gatekeeper can offer here is the warning itself, so the practical advice is to treat any unexpected Gatekeeper prompt on a downloaded app as a reason to stop, not to click through.
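A pre-launch check that makes the Gatekeeper verdict explicit rather than a dialog to dismiss. This is an added example, not code from Cado Security or the original article. It assumes a macOS host for the live check (`spctl`, `xattr`, `codesign` are Apple tools); the output-parsing part runs anywhere and is tested here against constructed `spctl` output.

```shell
#!/bin/sh
# Added example: classify a downloaded app bundle before opening it, so the
# user sees "unsigned, Gatekeeper would reject" as text instead of a warning
# dialog that is easy to click past.

# classify_assessment reads the output of `spctl -a -vv <app>` on stdin and
# prints one of: notarized, signed-only, rejected, unknown.
# spctl prints "<path>: accepted" or "<path>: rejected" followed by a
# "source=..." line naming the rule that matched.
classify_assessment() {
    out=$(cat)
    case "$out" in
        *": accepted"*)
            case "$out" in
                *"source=Notarized Developer ID"*) echo "notarized" ;;
                *) echo "signed-only" ;;
            esac ;;
        *": rejected"*) echo "rejected" ;;
        *) echo "unknown" ;;
    esac
}

# check_app runs the live checks on macOS. Returns 0 only for a notarized
# bundle; returns 2 when the Apple tools are not present (non-macOS host).
check_app() {
    app="$1"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; run this on macOS" >&2
        return 2
    fi
    # Browsers set com.apple.quarantine on downloads; Gatekeeper only assesses
    # quarantined items. A missing flag means no Gatekeeper check will happen.
    if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
        echo "quarantine: present (Gatekeeper will assess on first launch)"
    else
        echo "quarantine: absent (Gatekeeper will NOT assess this bundle)"
    fi
    # spctl writes its assessment to stderr, hence 2>&1.
    verdict=$(spctl -a -vv "$app" 2>&1 | classify_assessment)
    echo "gatekeeper: $verdict"
    # Show who signed it, if anyone; a real CleanMyMac build carries a
    # Developer ID Authority line, a stealer impersonating it does not.
    codesign -dv --verbose=2 "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' || true
    [ "$verdict" = "notarized" ]
}

# Usage: sh check_app.sh /path/to/Downloaded.app
if [ -n "$1" ]; then
    check_app "$1"
fi
```

A `rejected` verdict with `source=no usable signature` is exactly the state an impersonated CleanMyMac or GTA installer would be in; the script exits non-zero for anything short of notarized, so it can gate an automated install step as well as inform a person.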
According to Cado Security, the capabilities of Cthulhu Stealer closely mirror those of Atomic Stealer, an earlier macOS stealer sold on Telegram for $1,000 per month. Atomic Stealer likewise harvested keychain passwords, system information, and files from a Mac, and the two share the same password-prompt approach. The overlap suggests that Cthulhu Stealer may be a modified build of Atomic Stealer rather than an independent development.
The Current State and Future Outlook
Fortunately, Cthulhu Stealer's operations appear to have stopped. Cado Security reports that the group behind the malware, known as the Cthulhu Team, is no longer active, apparently after affiliates who had paid for the service accused the operator of withholding promised payments.
The episode is nonetheless a reminder that Apple users are not immune. Cado Security stresses vigilance when installing software from outside the App Store, and in particular not overriding a Gatekeeper warning for a download that arrived through an unofficial channel. Downloading only from the vendor's own site or the App Store removes the delivery path this malware depends on.
Looking ahead, macOS Sequoia, due this fall, tightens the override path. On current releases a user can bypass a Gatekeeper block by Control-clicking the app and choosing Open; in Sequoia that shortcut is gone, and running software that is not signed and notarized requires a deliberate trip to the Privacy & Security pane in System Settings. The extra friction does not stop a determined user, but it breaks the single-click flow that stealers like Cthulhu rely on.
By staying informed and cautious, macOS users can protect their data and reduce the risk of falling victim to macOS malware like Cthulhu Stealer.