Cthulhu Stealer Malware Targets macOS Users — And Its Affiliates Get Cheated
In an intriguing turn of events in the cybercrime sphere, a new malware-as-a-service (MaaS), dubbed Cthulhu Stealer, has surfaced with a focus on conning macOS users. This nefarious software masquerades as legitimate applications only to filch an extensive array of data from unsuspecting victims. What makes Cthulhu Stealer particularly noteworthy, aside from its deceitful nature, is its apparent betrayal of its own affiliates, scamming them out of substantial sums of money.
Cthulhu Stealer, traceable back to late 2023, appears to have drawn inspiration from another macOS MaaS known as Atomic Stealer. It is, however, the cheaper option for cybercriminals, pricing its services at $500 monthly — a notable discount from Atomic Stealer’s $1,000 monthly rate. Although the two share a similar modus operandi, they differ in the level of support and the features offered to purchasers. For starters, Cthulhu lacks a control panel, which Atomic provides, and it looks for a slightly different set of file locations when harvesting data. Moreover, unlike Atomic, which receives regular updates and new versions, Cthulhu’s development appears to have stalled, possibly because its operator was banned from a prominent cybercrime platform for defrauding affiliates.
One of the controversies surrounding Cthulhu involves accusations leveled on a cybercrime forum in March 2024, where affiliates claimed they were not compensated for their contributions, with sums reportedly reaching up to $4,500. Despite these setbacks, the malware managed to ensnare victims, showcasing both the persistence of cybercriminals and the vulnerability of users lacking up-to-date security defenses.
Cthulhu’s infection strategy begins with impersonation. It disguises itself as reputable software — variations seen include CleanMyMac, Adobe GenP, and even promos for the yet-unreleased Grand Theft Auto VI game. Once the unwary user triggers the installation process, the malware uses osascript to pop up a password dialog, requesting the user’s password under the guise of a required update or a software launch step, and then uses that password to access the Keychain.
The stealer’s toolkit is robust: it employs the Chainbreaker forensic tool to dump Keychain contents, queries online services to learn the victim’s public IP address, and collects detailed information about the victim’s system. It then aggressively scavenges data from a variety of locations, covering 24 different data types, with cryptocurrency wallets a notable target.
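From a detection standpoint, the most visible step in the chain described above is the osascript-driven password dialog launched by an app that should never be asking for one. The following heuristic, an added example that is neither the stealer’s code nor a published vendor rule, scores constructed process-execution events and flags osascript prompts that mention a password and come from an untrusted parent process; the keyword list and the trusted-parent set are assumptions to be tuned per fleet.

```python
"""Heuristic detector for osascript credential prompts (constructed example).
Input: process-execution events as dicts with keys "process", "parent" and
"cmdline". Output: the events whose suspicion score meets a threshold."""
from typing import Dict, List

# Words a fake "update"/"launch" password dialog tends to contain.
# Assumption: illustrative keywords, not a vetted signature set.
PROMPT_KEYWORDS = ("password", "hidden answer", "update", "requires")

# Parents from which a genuine macOS password dialog would normally originate.
# Assumption: tune to your environment; stealers run from ad-hoc installers.
TRUSTED_PARENTS = {"SecurityAgent", "loginwindow", "System Settings"}


def score_event(ev: Dict[str, str]) -> int:
    """Return a suspicion score (0 = benign) for one process-execution event."""
    if ev.get("process") != "osascript":
        return 0
    cmd = ev.get("cmdline", "").lower()
    score = 1 if "display dialog" in cmd else 0
    score += sum(1 for kw in PROMPT_KEYWORDS if kw in cmd)
    # A masked input field together with the word "password" is the strongest signal.
    if "hidden answer" in cmd and "password" in cmd:
        score += 2
    if ev.get("parent") not in TRUSTED_PARENTS:
        score += 1
    return score


def flag_events(events: List[Dict[str, str]], threshold: int = 4) -> List[Dict[str, str]]:
    """Return the events scoring at or above threshold, annotated with their score."""
    return [{**ev, "score": s} for ev in events if (s := score_event(ev)) >= threshold]


# Constructed sample telemetry, not real captures. The first event mimics a
# fake "update" prompt spawned by an installer posing as CleanMyMac.
SAMPLE_EVENTS = [
    {"process": "osascript", "parent": "CleanMyMac",
     "cmdline": "osascript -e 'display dialog \"System update requires your password\" "
                "default answer \"\" with hidden answer'"},
    {"process": "osascript", "parent": "Script Editor",
     "cmdline": "osascript -e 'display dialog \"Backup finished\" buttons {\"OK\"}'"},
    {"process": "bash", "parent": "Terminal", "cmdline": "bash -c ls"},
]

if __name__ == "__main__":
    for f in flag_events(SAMPLE_EVENTS):
        print(f"score={f['score']} parent={f['parent']} cmd={f['cmdline']}")
```

Feed it process-execution records from your EDR or from the unified log, and adjust the threshold once you know which legitimate tools in your fleet drive osascript dialogs.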
Amidst the grim reality of such threats, macOS users are not left defenseless. Recommended precautions include enabling built-in protections such as Gatekeeper, promptly applying security updates from Apple and for installed applications, and using an antivirus solution. Being careful about where downloaded software comes from further strengthens one’s defenses.
The tale of Cthulhu Stealer serves as a stark reminder of the relentless innovation among cybercriminals. It underscores the necessity for vigilance among users and the importance of leveraging every available layer of protection to safeguard against such unscrupulous threats.