Cado Security’s cybersecurity experts have discovered a fresh malware-as-a-service (MaaS) that preys on cryptocurrency holders and macOS users.
First discovered in late 2023, the new macOS malware known as “Cthulhu Stealer” is being offered for $500 a month as a service on the dark web.
The primary function of the malware is to retrieve private data from compromised Macs, including browser cookies, system passwords, passwords saved in iCloud Keychain, cryptocurrency wallets from multiple vendors, game accounts, web browser data, and even Telegram Tdata account information.
Cthulhu Stealer is an Apple disk image (DMG) bundled with two binaries, one for x86_64 and one for ARM. It is written in Go and disguises itself as legitimate software, imitating popular applications such as CleanMyMac, Grand Theft Auto VI, and Adobe GenP, wrote Cado Security researcher Tara Gould in a recent Cado Security report.
After mounting the DMG file, the user is prompted to launch the program. Once it is opened, the user is prompted to provide their system password through osascript, the macOS command-line tool that executes both AppleScript and JavaScript.
The user’s MetaMask password is requested in a second popup that appears after entering the first one. After that, a directory called “/Users/Shared/NW” is created to hold text files containing the stolen credentials.
The malware is also made to use Chainbreak, an open-source utility, to dump iCloud Keychain credentials into Keychain.txt. After being compressed and saved in a ZIP archive file, the stolen data is exfiltrated to an attacker-controlled command-and-control (C2) server.
Once the Cthulhu Stealer malware gains access, it creates a directory in ‘/Users/Shared/NW’ with the stolen credentials stored in text files. It then proceeds to fingerprint the victim’s system, collecting information including the IP address, system name, operating system version, hardware, and software information.
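The artifacts above (the “/Users/Shared/NW” staging directory, the text files of stolen credentials, the Keychain.txt dump and the ZIP archive prepared for exfiltration) give a defender something concrete to look for on a Mac. The following hunting script is an added example, not code from Cado Security or from the report; the file names inside the staging directory other than Keychain.txt are constructed for the demonstration, and the root parameter is an assumption so the same check can be pointed at a mounted disk copy or, as in the built-in demo, at a constructed test tree.

```python
"""Hunt for Cthulhu Stealer staging artifacts on a macOS file system.

Added example (not from the Cado Security report). The indicators it
checks are the ones described in the article: the /Users/Shared/NW
directory, text files of stolen credentials, the Keychain.txt dump and a
ZIP archive staged for exfiltration.
"""
import pathlib
import tempfile

# Path and file name taken from the article; root-relative so the check
# can run against a mounted image as well as the live system.
STAGING_DIR = pathlib.Path("Users/Shared/NW")
KEYCHAIN_DUMP = "Keychain.txt"


def hunt(root="/"):
    """Return (kind, path) findings under root; empty if nothing is staged."""
    staging = pathlib.Path(root) / STAGING_DIR
    findings = []
    if not staging.is_dir():
        return findings
    findings.append(("staging_dir", str(staging)))
    for p in sorted(staging.rglob("*")):
        if not p.is_file():
            continue
        if p.name == KEYCHAIN_DUMP:
            findings.append(("keychain_dump", str(p)))
        elif p.suffix.lower() == ".zip":
            findings.append(("exfil_archive", str(p)))
        elif p.suffix.lower() == ".txt":
            findings.append(("credential_text", str(p)))
    return findings


def build_sample_tree(base):
    """Build a constructed infected layout for demonstration purposes only.

    'cookies.txt' and 'staged.zip' are constructed names; the article only
    names the directory and Keychain.txt.
    """
    nw = pathlib.Path(base) / STAGING_DIR
    nw.mkdir(parents=True, exist_ok=True)
    (nw / KEYCHAIN_DUMP).write_text("constructed sample\n")
    (nw / "cookies.txt").write_text("constructed sample\n")
    # Minimal empty-ZIP end-of-central-directory record (constructed).
    (nw / "staged.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)
    return str(nw)


def demo():
    """Run the hunt against a constructed tree and return the finding kinds."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [kind for kind, _ in hunt(tmp)]


if __name__ == "__main__":
    # Demonstration on the constructed tree; on a real Mac call hunt("/").
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, path in hunt(tmp):
            print(f"{kind:16} {path}")
```

Running `hunt("/")` on a live machine reports nothing when the staging directory is absent; any hit is worth treating as a sign that credentials have already been collected, so the next step is to check for an outbound transfer of the ZIP archive and to rotate the exposed passwords and wallet secrets rather than only deleting the directory.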