New macOS Malware CthulhuStealer Discovered, Targets Multiple Platforms

TapTechNews, August 23: although macOS has a reputation for security, recent years have seen a steady stream of malware targeting it, such as Silver Sparrow, KeRanger and Atomic Stealer.

Cado Security researchers have now disclosed a new macOS stealer named CthulhuStealer, which is built for both x86_64 (Intel) and Arm (Apple silicon) Macs.


The malware is written in Go and is distributed disguised as legitimate software, such as the cleanup utility CleanMyMac or Grand Theft Auto IV; some samples pose as Adobe GenP, an Adobe cracking tool.

After the user mounts the DMG, they are prompted to open the application. When they do, the malware uses the macOS command-line tool osascript to display a dialog asking them to enter their system password.


Once the user enters that password, it immediately asks for the MetaMask password as well. CthulhuStealer also uses the open-source tool Chainbreaker to collect system information and dump iCloud Keychain passwords.

Beyond these passwords, CthulhuStealer's main purpose is to steal login credentials and data from a range of stores, including sensitive material such as cryptocurrency wallets and game accounts.

It creates the directory /Users/Shared/NW, stores the harvested credentials there in text files, and compresses the stolen data into a zip archive at /Users/Shared/NW/[CountryCode]Cthulhu_Mac_OS_[date]_[time].zip.
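The two host-side traces described above (an osascript password dialog and the /Users/Shared/NW staging directory with its [CountryCode]Cthulhu_Mac_OS_[date]_[time].zip archives) are what an incident responder would hunt for first. The following Python script is an added example, not Cado Security's or the article's code. It assumes a two-letter country code and an unspecified date/time format (the article gives neither), and it matches the generic "display dialog ... with hidden answer" form that stealers use for fake password prompts, since the exact osascript command line is not shown on the page; the ps output and file names it uses for a dry run are constructed.

```python
import re
import tempfile
from pathlib import Path
from typing import Iterable

# Staging directory named in the article.
STAGING_DIR = Path("/Users/Shared/NW")

# [CountryCode]Cthulhu_Mac_OS_[date]_[time].zip. The country-code length and the
# date/time format are not given in the article, so this pattern is deliberately
# loose (assumption: two-letter ISO code, anything non-slash for date_time).
ARCHIVE_RE = re.compile(r"^[A-Z]{2}Cthulhu_Mac_OS_[^/]+\.zip$")

# Generic osascript password dialog: stealers typically use 'display dialog'
# with 'hidden answer' so the typed password is masked like a system prompt.
# The exact command CthulhuStealer runs is not shown on the page (assumption).
OSASCRIPT_RE = re.compile(r"\bosascript\b.*display dialog.*hidden answer", re.I | re.S)


def is_stealer_archive(name: str) -> bool:
    """True if a file name matches the reported exfiltration archive pattern."""
    return ARCHIVE_RE.match(name) is not None


def find_staging_artifacts(root: Path = STAGING_DIR) -> list[str]:
    """Names of matching archives directly under root; empty if root is absent."""
    if not root.is_dir():
        return []
    return sorted(p.name for p in root.iterdir() if p.is_file() and is_stealer_archive(p.name))


def parse_ps(output: str) -> list[dict]:
    """Parse `ps -axo pid,ppid,command` output into dicts (header line skipped)."""
    rows = []
    for line in output.splitlines()[1:]:
        parts = line.strip().split(None, 2)
        if len(parts) == 3:
            rows.append({"pid": int(parts[0]), "ppid": int(parts[1]), "cmdline": parts[2]})
    return rows


def suspicious_password_prompts(procs: Iterable[dict]) -> list[dict]:
    """Processes whose command line is an osascript dialog with a hidden answer field."""
    return [p for p in procs if OSASCRIPT_RE.search(p["cmdline"])]


# Constructed sample ps output for a dry run (not real telemetry).
SAMPLE_PS = """\
  PID  PPID COMMAND
  412     1 /usr/libexec/trustd
 8831  8822 osascript -e display dialog "System needs your password" default answer "" with hidden answer
 8835  8822 /Users/Shared/NW/CleanMyMac
 8840     1 osascript -e display notification "Done"
"""


def make_demo_staging_dir() -> Path:
    """Create a throwaway directory with constructed file names for a dry run."""
    d = Path(tempfile.mkdtemp(prefix="NW-demo-"))
    for name in ("USCthulhu_Mac_OS_2024-08-20_14-33-01.zip", "sample.txt", "notes.zip"):
        (d / name).touch()
    return d


def hunt(ps_output: str = SAMPLE_PS, staging: Path = STAGING_DIR) -> dict:
    """Run both checks and return the PIDs of suspicious prompts and matching archives."""
    prompts = suspicious_password_prompts(parse_ps(ps_output))
    return {
        "password_prompts": [p["pid"] for p in prompts],
        "archives": find_staging_artifacts(staging),
    }


if __name__ == "__main__":
    import json
    import subprocess

    # On a live Mac, feed the real process list instead of the constructed sample.
    real_ps = subprocess.run(["ps", "-axo", "pid,ppid,command"], capture_output=True, text=True).stdout
    print(json.dumps(hunt(real_ps), indent=2))
```

A hit on either check is a lead, not a verdict: legitimate installers occasionally use osascript prompts, so pivot on the parent process (`ppid`) and on whether the staging directory was created at the same time.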


It then notifies its command-and-control (C2) server that a new log is available. The malware also profiles the victim's system, collecting the public IP address (with details looked up from ipinfo.io) and system information such as the hostname, operating system version, and hardware and software details.

As far as TapTechNews knows, the information CthulhuStealer is currently confirmed to collect includes:

Browser cookies

Coinbase wallet

Chrome extension wallets

Telegram Tdata account information

Minecraft user information

Wasabi wallet

MetaMask wallet

Keychain passwords

SafeStorage passwords

Battle.net game, cache and log data

Firefox cookies

Daedalus wallet

Electrum wallet

Atomic wallet

Binance wallet

Harmony wallet

Enjin wallet

Hoo wallet

Dapper wallet

Coinomi wallet

Trust wallet

Blockchain wallet

XDeFI wallet

In response to this kind of software, Apple announced earlier this month a macOS update that will block attempts to open software that is not signed or notarized.

Apple said: In macOS Sequoia, users will not be able to override Gatekeeper when opening software that is not properly signed or notarized. They need to go to System Settings > Privacy and Security to view the security information of the software before allowing it to run.
