MacOS malware drains crypto wallets
A worrying trend has emerged for those using macOS and engaging in cryptocurrency transactions, as cybersecurity experts have uncovered a novel malware-as-a-service (MaaS) called "Cthulhu Stealer."
A recent investigation by Cado Security found that this strain is built specifically to compromise macOS devices, dispelling the myth that Apple's ecosystem is immune to such threats.
Despite macOS's strong security reputation, there has been a noticeable increase in attacks aimed at Apple's system. Instances like Silver Sparrow, KeRanger, and Atomic Stealer highlight this growing trend. With the introduction of Cthulhu Stealer to the scene, it's clear that the security paradigm for macOS users is evolving.
Cthulhu Stealer masquerades as an innocuous Apple disk image (DMG) file, posing as well-known software such as CleanMyMac, Grand Theft Auto IV, or Adobe GenP, according to the Cado analysis. Written in Go, it is built for both x86_64 and ARM architectures, a pattern also seen in another cryptocurrency-targeting malware discovered circulating among Call of Duty enthusiasts.
The malicious code activates on launch, using osascript to prompt users for their system and MetaMask credentials. It then stages the stolen data in a directory at '/Users/Shared/NW'. Its primary objective is to harvest credentials and digital wallets from a wide range of sources, including browser cookies, gaming profiles, and several cryptocurrency wallets.
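The two behaviours described above, an osascript dialog soliciting a password and writes into '/Users/Shared/NW', are both observable from endpoint telemetry. The following detector is an added example written for this article, not code from Cado Security or from the malware analysis. It runs over constructed sample events; the "ts pid= proc= kind rest" line layout, the process IDs, and the file names under the staging directory are all assumptions made for the example and do not correspond to any real product's log format.

```python
import re
from collections import defaultdict

# Staging directory named in the Cado analysis summarised above.
STAGING_DIR = "/Users/Shared/NW"

# Constructed sample telemetry (not real logs). The layout
# "<ts> pid=<n> proc=<name> <kind> <rest>" is assumed for this example only.
SAMPLE_EVENTS = """\
2024-08-22T10:01:03Z pid=4412 proc=osascript exec args=-e display dialog "Enter your system password" default answer "" with hidden answer
2024-08-22T10:01:09Z pid=4412 proc=osascript exec args=-e display dialog "MetaMask password" default answer "" with hidden answer
2024-08-22T10:01:15Z pid=4412 proc=osascript file_write path=/Users/Shared/NW/Cookies.txt
2024-08-22T10:01:16Z pid=4412 proc=osascript file_write path=/Users/Shared/NW/Keychain.txt
2024-08-22T10:02:00Z pid=510 proc=TextEdit file_write path=/Users/Shared/notes.txt
2024-08-22T10:03:00Z pid=777 proc=osascript exec args=-e display notification "Build finished"
2024-08-22T10:04:00Z pid=900 proc=Safari exec args=--version
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) (?P<kind>\w+) (?P<rest>.*)$"
)


def parse_events(text):
    """Parse the constructed event format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        events.append(d)
    return events


def is_hidden_password_prompt(args):
    """An osascript dialog with a hidden text field is the shape of a password
    prompt; 'display notification' and plain dialogs do not match."""
    a = args.lower()
    return "display dialog" in a and "hidden answer" in a


def is_staging_write(rest):
    """True only for the staging directory itself or paths beneath it, so a
    sibling such as /Users/Shared/NWX or /Users/Shared/notes.txt does not match."""
    m = re.search(r"path=(\S+)", rest)
    if not m:
        return False
    path = m.group(1)
    return path == STAGING_DIR or path.startswith(STAGING_DIR + "/")


def detect(text):
    """Return one finding per event that matches either heuristic."""
    findings = []
    for e in parse_events(text):
        if e["kind"] == "exec" and e["proc"] == "osascript" and is_hidden_password_prompt(e["rest"]):
            findings.append({"rule": "osascript_hidden_password_prompt",
                             "pid": e["pid"], "evidence": e["rest"]})
        elif e["kind"] == "file_write" and is_staging_write(e["rest"]):
            findings.append({"rule": "write_to_users_shared_nw",
                             "pid": e["pid"], "evidence": e["rest"]})
    return findings


def correlate(findings):
    """PIDs that triggered both rules: a process that prompts for hidden passwords
    and then writes into /Users/Shared/NW matches the described behaviour far more
    tightly than either signal alone."""
    rules_by_pid = defaultdict(set)
    for f in findings:
        rules_by_pid[f["pid"]].add(f["rule"])
    return sorted(pid for pid, rules in rules_by_pid.items() if len(rules) >= 2)


if __name__ == "__main__":
    fs = detect(SAMPLE_EVENTS)
    for f in fs:
        print(f"[{f['rule']}] pid={f['pid']} {f['evidence']}")
    print("high-confidence pids:", correlate(fs))
```

Either rule alone produces noise (legitimate installers use osascript dialogs, and '/Users/Shared' is a normal shared location), which is why the correlation step keys on a single process doing both. In a real deployment the parser would be replaced by the endpoint product's own event schema; the two predicates and the per-process correlation carry over unchanged.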
In its methods and objectives, Cthulhu Stealer resembles Atomic Stealer, another macOS-targeting malware identified in 2023. Both are written in Go and go after crypto wallets, browser logins, and keychain information. This overlap suggests that Cthulhu Stealer may be an evolved variant of Atomic Stealer.