Problem is, that too many users do not know anything about the "things" they are clicking at. I do some private support for Mac and Windows and see Computers filled with Browser Taskbars, that fill half their screen, users answering fake alerts about virus infections from their McAfee Scanner (not having installed that thing at all...)
I can corroborate this. Even after formatting their PC because “it runs very slow” and explaining to them that they should be careful about where they click and what they install, after a few weeks they were at the same point: several browser taskbars filling half of the browser window, search engine being inadvertently changed to Ask, lots of unknown processes running during the bootup…

Eventually I stopped doing such support (I usually did it for free), and nowadays I feel bad for this type of users, but I learned that usually it is useless to teach them: they are going to click without reading or understanding what they are doing, and in most cases, it is because they just don’t care.
 
Yes, unless the developer website gets hacked and bad actors replace with their file.
This has happened.

Several years ago I used to use the HandBrake app to rip my DVDs to video files. One day I launched HandBrake and it said there was an update, but the app's built-in updater was failing, so I went to the app's official web site and downloaded the latest version.

When I ran it, it asked for my password so it could install some additional codecs. This isn't unusual, so I entered my password.

Two days later I read the news that this version of HandBrake was compromised, uploaded by people who had gotten into the download site. Running it had sent my Mac account username and password, my Keychain vault, and my 1Password vault to some site out there. With my Mac credentials they could decrypt my Keychain, and if my 1Password password were stored in there (if I had used Touch ID to unlock 1Password on my MacBook Pro), they would have had my 1Password data too.

Be careful out there, kids.
 
...they are going to click without reading or understanding what they are doing, and in most cases, it is because they just don’t care.
It is not about not caring (ok - some do not care) It is simply lack of knowledge. They DO care and they believe, what that new thing is telling them (lying). So: block everything is the best solution...
 
That's not how I read the article.

As I understand it $500pm buys the ability to obtain passwords etc from multiple mac users, not obtain something else that costs $60pm for free.

Presumably the high price reflects the high fraudulent earning potential of the malware, or perhaps they are scamming the would-be scammers.
Either way it is a waste of time and money IMO. But people are easily scammed these days. We ought to start dropping 2000lb bombs on wherever they work out of, although this isn't realistic I know because they normally swamp up in hotels or other buildings that also have legitimate business going on.
 
I chose the Mac and iOS specifically BECAUSE it is a walled garden. Just as people choose communities they want to live in. If Apple is forced into being a homogeny with Android or Windows then what's the point?
A walled garden is more risky. Without it, you grow paying attention, defining policies and enforce rules to get protected. With a walled garden, you BELIEVE to have a secure environment so you lower your protection.. and a simple attack can destroy you.
 
But yet Apps and such get by Apple every day, so much for the walled garden theory. I believed it at one time and after the EU ruling, Apple's walled garden is gone now
But yet you ignore how much better Apple customers still have it than Android and Windows consumers. Is the so-called "walled garden" perfect? No. But the occasional malware warning is still much better than Windows and Android, where getting malware is at least a 1000% more likely. And a heck of a lot better than knowing every single Android phone released before the Pixel 9 has a built-in backdoor.

Besides, the success of the "walled garden" has always depended on users not inviting the disguised big bad wolf in. It's just the disguises are getting more elaborate.
 
A walled garden is more risky. Without it, you grow paying attention, defining policies and enforce rules to get protected. With a walled garden, you BELIEVE to have a secure environment so you lower your protection.. and a simple attack can destroy you.
Think about many (not all) users like children, and place your kindergarten in the middle of your city's drug scene without walls...
 
Just look at iOS, Apple is not consistent with their password dialogs. How would any person see that something is different. I have counted four variants in their login/password.
I’ve quit legitimate Apple processes a lot on iOS because they’ve had non-standard password prompts. Some of them were definitely sketchy looking but were verified when I googled them. It’s an area where I would like to see more of that toxic Apple nitpicking in the workplace. Only standard security prompts, please.

On the other hand, I also use Windows and UI consistency seems to be a running joke on its users. Scrape the surface just a little bit and hello Win95, man! 🩲
 
Don't bother, it won't be there. The macOS App Store is a wasteland.
Compared to the Microsoft Store, it’s a treasure trove of untold riches. There are loads of useful utilities, professional content creation apps and even some games. What more do you want?

Of course, you get better upgrade pricing when you buy direct from the dev, but there are even a lot of free useful apps on the mac app store.

It’s not what Apple wanted it to be but I much prefer it this way. Non-power users will find a solution on the app store and power users will find the solution elsewhere.
 
Don’t current versions of MacOS require you to jump through a bunch of hoops to install unsigned apps, such as going through the terminal and modifying startup processes? Installing apps from websites and other app stores still requires apps to be signed by Apple. So either this only has the “potential” to affect less than 1% of users, and of that 1%, how many will come across this? .0001%? So it's basically a non threat, unless Apple accidentally signed it.
 
This "malware" works because the user allows the process to access the data, running as the logged in user. The malware is started by the user, then asks for the user's password. By typing it in, the user has given the process access to their password, which then can be used to access data where macOS requires a password.
This is why you don't type your password in shady-looking dialogues!
While I agree with the fact that the original poster's thoughts on sandboxing data and gimped admin accounts aren't workable, I think you missed the point of his initial statement/questions. macOS has an antivirus component built into it, XProtect. Apple's own support documentation states it's signature based, is updated as frequently as daily in the background, and kicks in when any of the following happens:
  • An app is first launched
  • An app has been changed (in the file system)
  • XProtect signatures are updated
So based on Apple documentation, XProtect should be blocking malware from executing or installing before it can even ask for the user to enter the admin password. And if this malware has been out for a year now it's a valid question for why Apple hasn't added its signature to XProtect.
 
Would having Little Snitch installed stop this sort of malware? Little Snitch pops up a connection dialog telling you a process/app wants to connect to a server, and you get to allow or deny it. If I saw something like this and had idiotically typed in my password, Little Snitch would stop this thing from sending any of my data anyway, right?

I mean, I'm not saying I would be fooled by this terribly-worded dialog that's missing the username, but for those who do, Little Snitch might be a secondary wall.

It would require you to know that the network connection being initiated is one you want to block. Most applications are network aware now, so many connection attempts are legit.

Using Little Snitch is not fire and forget software, it needs users to be dedicated to maintaining it. They offer subscriptions to block lists now which helps a bit, but still isn't a panacea.
 
This is for everyone who wants the "freedom of macOS on iOS/iPadOS". Do you want to need to run antimalware software on your Phone or Tablet?!!!
Why? I don’t run anti malware software on my Mac, why would I run it on my phone? If you feel you need it, that’s a you problem.
 
Why? I don’t run anti malware software on my Mac, why would I run it on my phone? If you feel you need it, that’s a you problem.
If the argument that there isn't malware for Mac because Macs aren't popular holds any truth, then iPhone would be a massive target.

People need to stop acting like the Mac and iPhone are, or should be, somehow comparable.
 
If the argument that there isn't malware for Mac because Macs aren't popular holds any truth, then iPhone would be a massive target.
That's a big if. For the record, I never used anti-malware software when I was on Windows either and I never had any issues. It's really not that hard to avoid these things if you're not doing the dumbest, sketchiest stuff imaginable.

People need to stop acting like the Mac and iPhone are, or should be, somehow comparable.
They're not the same, but you can definitely draw comparisons between them.
 
While I agree with the fact that the original poster's thoughts on sandboxing data and gimped admin accounts aren't workable, I think you missed the point of his initial statement/questions. macOS has an antivirus component built into it, XProtect. Apple's own support documentation states it's signature based, is updated as frequently as daily in the background, and kicks in when any of the following happens:
  • An app is first launched
  • An app has been changed (in the file system)
  • XProtect signatures are updated
So based on Apple documentation, XProtect should be blocking malware from executing or installing before it can even ask for the user to enter the admin password. And if this malware has been out for a year now it's a valid question for why Apple hasn't added its signature to XProtect.
Valid question, but the info is somewhat thin. Could it be that it hasn't been spread that much to be picked up yet? Could it be how it's compiled for every bad actor? Not sure...
 
That's the exact reason I stopped cracking Mac apps. One day when I tried to install cracked Sylenth1 plugin it locked my Mac and started showing me some ads on the homescreen🤣

It was no big deal to wipe HDD but since then I am fully legit. And I still have Lightroom cravings and will probably subscribe anyway
 
Non-power users will find a solution on the app store and power users will find the solution elsewhere.

Well that’s what’s being debated in this thread. Many people on this forum want MacOS to be like iOS - literally impossible to run software that hasn’t been signed and reviewed by Apple. Before the DMA, I have no doubt Apple was considering releasing a MacOS like this. Now I’m not so sure, because most countries will end up with DMA-like laws which grant citizens a fundamental right to use software of their choosing (or the fundamental right for developers to freely distribute software, depending on how you look at it)
 
In situations like these, something like Windows S Mode has merit. It prevents installation of unvetted applications but doesn't change Windows fundamentally beyond that. Most importantly, it can also be turned off if the user wanted to.
 
While I agree with the fact that the original poster's thoughts on sandboxing data and gimped admin accounts aren't workable, I think you missed the point of his initial statement/questions. macOS has an antivirus component built into it, XProtect. Apple's own support documentation states it's signature based, is updated as frequently as daily in the background, and kicks in when any of the following happens:
  • An app is first launched
  • An app has been changed (in the file system)
  • XProtect signatures are updated
So based on Apple documentation, XProtect should be blocking malware from executing or installing before it can even ask for the user to enter the admin password. And if this malware has been out for a year now it's a valid question for why Apple hasn't added its signature to XProtect.
I have found that a lot of times X-Protect doesn’t update automatically like it is supposed to. And if a user doesn’t know to check for such an update, that could be trouble.
 