New Malware Targets Mac, Steals Crypto from MetaMask

A new malware-as-a-service (MaaS) called "Cthulhu Stealer" is now targeting macOS users, with a specific focus on stealing cryptocurrency from wallets like MetaMask and Binance. This malware disguises itself as legitimate applications, tricking users into entering their passwords, which it then uses to access the system's Keychain and steal sensitive data. Cthulhu Stealer is being offered at $500 per month and is promoted through Telegram, often using fake job offers to lure unsuspecting victims. This discovery by Cado Security challenges the common belief that macOS systems are immune to malware, highlighting that no platform is completely secure.

Cthulhu Stealer operates by posing as well-known software such as CleanMyMac, Adobe GenP, or even a fake early release of "Grand Theft Auto VI." Once users download and mount the malicious DMG file, they are prompted to enter their system and MetaMask passwords. The malware then uses a macOS tool called osascript to extract these passwords from the system’s Keychain. The stolen data, which includes information from various crypto wallets like MetaMask, Coinbase, and Binance, is compiled into a zip archive. This archive, labeled with the user’s country code and the attack time, contains all the captured sensitive information.

In addition to crypto wallets, Cthulhu Stealer also targets a range of other platforms and applications, including Chrome extension wallets, Minecraft user data, Wasabi wallet, Keychain passwords, SafeStorage passwords, Battlenet game data, Firefox cookies, and various other crypto wallets like Electrum, Atomic, Harmony, and more. It also targets browser cookies and Telegram Tdata account information. The malware further collects detailed system information, such as the IP address, system name, and OS version, which it sends to a command and control (C2) server. This enables attackers to refine their strategies for more targeted attacks.

Scammers behind Cthulhu Stealer employ various tactics to deceive users into downloading the malware. For instance, they may pose as employers on social media, offering jobs that require the download of software to track working hours. These job offers are usually presented with a sense of urgency, pushing potential victims to download the application quickly. The Cthulhu Team, which includes the developers and affiliates behind this malware, manage their operations through Telegram.

According to Cado Security, Cthulhu Stealer is rented out for $500 per month, with the main developer sharing profits with affiliates based on their success in deploying the malware. Affiliates are responsible for spreading the malware to victims. Cado also found the malware being sold on two well-known marketplaces, which are commonly used by cybercriminals for communication and advertising.

To protect against this threat, macOS users are advised to install reputable antivirus software specifically designed for their operating system. Users should also be cautious of job offers that require immediate software downloads, as these could be scams to trick them into installing malware. Keeping software up to date is another critical step in reducing the risk of infection, as updates often include security patches that address vulnerabilities exploited by malware like Cthulhu Stealer.

In conclusion, Cthulhu Stealer is a strong reminder that no system is completely safe from cyber threats. By targeting macOS users through deceptive means, this malware has the potential to cause significant harm, particularly by stealing sensitive data from crypto wallets and other applications. As cyber threats continue to evolve, it is essential for users to remain vigilant and take proactive steps to protect their digital assets.