I mean, if we’re talking stuff that’s built into the OS then I guess I’m also running anti-malware stuff on my iPhone. I just figured we were talking about things the user has to choose to install and run.

No, I'm talking about stuff that actively checks whether a thing that is run is safe to be run. For example Windows Defender and Gatekeeper on Mac. iOS does not have this mechanism, since software is checked before it even can be installed on your device (by Apple). These programs actively scan the software, and then either allow or block them from running. Which means that they take a lot of resources for scanning (around 30-40%) - a bit less on Mac because Gatekeeper isn't the best at scanning (nor does it need to be).
 
Walled gardens exist FOR A REASON.
Apple just admitted they only cared about money, as they allowed anybody to have a store but still want to be paid. There's your reason.
Anyway, I've used Macs as daily drivers for 24 years now. I had one as a nerdy teenager, so I downloaded all sorts of... well... things. Never had a single issue.

I've also repaired Macs for three years, never encountered a single virus; intrusive apps (such as CleanMyMac) at worst. Or people deleting their folders because Apple forced iCloud on them and removed their files when they tried to deactivate it. No joke, I saw this a dozen times.

You know what managed to fool my family and take our money? My sister and mother accidentally buying or staying subscribed to predatory in-app subscriptions on iOS that were designed to be forgotten.

I'd never trade your "safety" I never needed for real freeware (it basically can't exist on iOS), DRM-free apps, browsers with extensions and all the other features we had to wait for Apple to kindly allow on our >$1000 phones because they killed independent third party development.
 
Let’s face it, the walled garden is a hope and a dream. Apple allows predatory apps to remain up for years. Folks screaming about security have to choke down the cognitive dissonance of Apple being in it for money primarily, and security as a distant second and only when it aligns with their fiduciary obligations.
 
This is why I always buy all my apps on the Mac App Store and never forget to wear gloves when I log in using Touch ID.
 
This sounds like splitting hairs to me. But sure, put gatekeeper on the phone if that’s what it takes to calm people down. Let it run when apps install or update from outside of the App Store — for how often people install new apps it really doesn’t matter.
 


Apple's Macs are less targeted by malware than Windows PCs, but that doesn't mean they are immune. Increasingly, insidious types of Mac malware are being developed that have researchers concerned enough to issue public warnings, and that's the case again today.


As reported by Hacker News, Cado Security has identified a malware-as-a-service (MaaS) targeting macOS users named "Cthulhu Stealer." First spotted in late 2023, the malicious software is designed to steal sensitive information from infected Macs, such as saved passwords from iCloud Keychain, information from web browsers, and even details from Telegram accounts.

What's particularly concerning is that it's being sold as a service on the dark web for $500 per month, potentially allowing multiple bad actors to use it against unsuspecting Mac owners.

Cado Security researcher Tara Gould reports that Cthulhu Stealer disguises itself as popular software to trick users into installing it. It might appear as CleanMyMac, Grand Theft Auto IV, or even Adobe GenP (a tool some users employ to bypass Adobe's subscription model). The malware comes packaged as a disk image (DMG) file.

If a user tries to open the fake app, macOS's built-in security feature, Gatekeeper, warns that the software is unsigned. But if a user chooses to bypass this warning, the malware immediately asks for the user's system password, mimicking a legitimate system prompt. This technique isn't new – other Mac malware like Atomic Stealer and MacStealer use similar tricks.

Once it has the necessary permissions, Cthulhu Stealer can access and steal a wide range of sensitive data. For crypto users, it specifically targets MetaMask digital wallet information. All of this stolen data is then sent to the attackers' servers.

Notably, reports suggest that whoever designed Cthulhu Stealer is no longer active, apparently following disputes over payments and accusations of scamming their own customers, i.e. other cybercriminals who were using the malware.

While Cthulhu Stealer isn't the most sophisticated malware out there, it's still a significant threat to Mac users who might be tricked into installing it. General security pointers include only downloading software from trusted sources like the App Store or official developer websites, being wary of any app asking for your system password during installation, and keeping your Mac updated with the latest security patches from Apple.

In macOS Sequoia, expected to be released in mid-September, Apple plans to remove the ability to easily override Gatekeeper warnings by Control-clicking. Instead, users will need to go through System Settings to allow unsigned software to run, adding an extra step that might make users think twice before running potentially dangerous apps.

Article Link: 'Cthulhu Stealer' macOS Malware Can Steal Keychain Passwords, Web Browsing Info, Crypto Wallets, and More
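The article's advice boils down to one habit: decide whether a downloaded bundle is signed and notarized before the Gatekeeper dialog appears, rather than at the moment the dialog offers a bypass. The script below is an added example for this thread, not code from MacRumors or Cado Security. It wraps Apple's `spctl --assess` command, which performs the same policy evaluation Gatekeeper runs on first launch, and reduces its two-line verdict to a single word. The sample outputs in the comments are constructed; the `.app` paths are placeholders.

```bash
#!/usr/bin/env bash
# Added example: a pre-launch Gatekeeper check for a downloaded .app bundle.
# It uses only Apple's own `spctl` tool; nothing here is specific to any one malware.
set -u

# Reduce the verdict printed by `spctl --assess -vv` to one word.
# Real spctl output looks like (constructed samples):
#   /Applications/Example.app: accepted
#   source=Notarized Developer ID
#   origin=Developer ID Application: Example Corp (TEAMID)
# or, for an unsigned bundle such as a fake installer shipped in a DMG:
#   /Volumes/Fake/Fake.app: rejected
#   source=no usable signature
# Returns ACCEPT, REJECT_UNSIGNED (the case the article describes), or REJECT_OTHER
# (signed but not notarized, revoked, etc.).
classify_spctl_output() {
  local out="$1"
  case "$out" in
    *": accepted"*)          echo ACCEPT ;;
    *"no usable signature"*) echo REJECT_UNSIGNED ;;
    *)                       echo REJECT_OTHER ;;
  esac
}

# Assess a bundle the way Gatekeeper would on first launch.
# Exit 0 only when the bundle would be accepted for execution; exit 2 when the
# tool is unavailable (non-macOS host), so callers can tell "unsafe" from "unknown".
assess_app() {
  local app="$1" out verdict
  if ! command -v spctl >/dev/null 2>&1; then
    echo "spctl not available: this check only runs on macOS" >&2
    return 2
  fi
  # spctl exits non-zero on rejection and writes its verdict to stderr,
  # so capture both streams and decide from the text rather than the exit code.
  out=$(spctl --assess --type execute -vv -- "$app" 2>&1)
  verdict=$(classify_spctl_output "$out")
  echo "$app -> $verdict"
  # Show the source/origin lines so a reader sees who signed the bundle,
  # not just whether it passed.
  printf '%s\n' "$out" | grep -E '^(source|origin)=' || true
  [ "$verdict" = ACCEPT ]
}

# Usage: ./check_app.sh /Volumes/SomeInstaller/SomeApp.app   (placeholder path)
if [ -n "${1:-}" ]; then
  assess_app "$1"
fi
```

Run it against the mounted DMG before double-clicking anything inside it. An `ACCEPT` verdict together with an `origin=Developer ID Application: ...` line tells you who Apple has on record for that signature; a `REJECT_UNSIGNED` verdict is exactly the state in which the article's sample arrives, and the correct response is to discard the image rather than work around the warning.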

MacOS does not really need a built-in virus/malware/adware approach that mimics Microsoft Defender. 99% of all of the viruses/malware apps/adware apps target the MS Windows OS. This has been true for decades.

I have run on MacOS/prior apple OS's for over 12 years, and never used any anti-virus software. I have never had an issue.

Some have explained that MacOS already has some built-in guards against bad actors, and, sure, there is no reason why Apple could not provide an Apple-made add-on application/service(??); however, given the rarity that malware or viruses or adware affect normal, careful users, I believe Apple is taking the correct approach by letting others provide this functionality.

With Windows, a LOT of the issues stemmed from the OS and MS flagship programs such as Outlook and Excel, so it was in their best interest to provide a solution. Also, consider that 99% of all reported viruses/malware/adware issues targeted Microsoft. I will leave it to the reader to determine if this is because Microsoft's underlying OS design is crap, or if there are just a lot of bad actors that hate Microsoft.
 
They have one already. The question here is, with the malware now being over a year old and already abandoned by its creator:

1. Why are we getting an alert about it from these researchers only now?
2. Why hasn't Apple blocked it already?

===

I feel like the real issue here that nobody has brought up (not just here, but anywhere) is why is the admin account as required and powerful as it is?

It seems like there's a massive failure of properly designing permissions. Why does an admin account have read access to all of the stuff this malware steals? It seems like the only thing that should ever be able to access my browser data on my personal computer is the browser when I'm using it - there shouldn't be an admin account that can bypass that and read the data.

IDK - all of *nix permissions feel dated and improper for usage on personal computers. IDK how permissions work on Windows... do they make more sense over there?

As much as I hate how security and the filesystem works on iOS... I am starting to see the appeal... and honestly, I don't think it goes far enough. All files that an app on iOS saves shouldn't just be sandboxed so that other apps can't read it, but they should be encrypted such that not even any system or admin account can read it - only the app that made it should be able to decrypt and read it. Getting "root" or admin access shouldn't be as big of a deal as it is...
I mean you can just create a standard account on macOS and it has no admin access, but it'd be mostly annoying to work with for anyone but the most technophobic.
 