26.08.2024
Mirjan Hipolito
Cryptocurrency and stock expert

New MacOS malware targets a wide range of popular crypto wallets

A new threat has emerged in the cybercrime landscape, targeting macOS users and their cryptocurrency assets. Dubbed "Cthulhu Stealer," this malware-as-a-service (MaaS) exploits the growing popularity of cryptocurrencies by stealing from digital wallets.

The new malware, as reported by BeInCrypto, is cleverly disguised as legitimate applications, tricking users into providing access to their systems, which it then exploits to extract sensitive data.

The malware's operation begins when a user unknowingly installs a malicious DMG file masquerading as popular software such as CleanMyMac or even an early release of Grand Theft Auto VI. Upon installation, the malware prompts the user to enter system and wallet passwords. Using the built-in macOS osascript tool, it collects these credentials from the system Keychain, then bundles them with other sensitive data, including information from various crypto wallets, browser cookies, and system details.
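A defender-side check for the osascript password prompts described above, added here as an example that is not from the article or from Cado Security's analysis. It assumes process command lines are available from an EDR or `ps`-style feed; the sample lines are constructed and flag the `display dialog ... with hidden answer` form that produces a masked password field.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample process command lines (not captured from the real malware);
# in practice an EDR or `ps -eo args` feed would supply these.
SAMPLE_CMDLINES = [
    'osascript -e \'display dialog "macOS needs to access System Settings" default answer "" with hidden answer with icon caution\'',
    'osascript -e \'display dialog "Enter your MetaMask password to continue" default answer "" with hidden answer\'',
    'osascript -e \'display notification "Backup complete" with title "Time Machine"\'',
    '/usr/bin/osascript /Users/alice/Scripts/resize_windows.scpt',
    'python3 /Users/alice/tools/report.py --hidden answer',
]

# Wording that a fake system or wallet prompt tends to use.
PASSWORD_WORDS = re.compile(
    r"\b(password|passphrase|keychain|wallet|seed|recovery phrase|system settings|macos)\b", re.I)
# `display dialog` combined with `with hidden answer` renders a masked input field.
HIDDEN_ANSWER = re.compile(r"display\s+dialog\b.*\bwith\s+hidden\s+answer\b", re.I | re.S)


@dataclass
class Finding:
    cmdline: str
    reasons: list[str]


def assess_cmdline(cmdline: str) -> Finding | None:
    """Return a Finding when cmdline is an osascript masked-input prompt, else None."""
    # Only osascript invocations are in scope; the AppleScript must be on the interpreter line.
    if not re.search(r"(^|/)osascript\b", cmdline):
        return None
    if not HIDDEN_ANSWER.search(cmdline):
        return None
    reasons = ["osascript display dialog with hidden answer (password-style input field)"]
    words = sorted({m.lower() for m in PASSWORD_WORDS.findall(cmdline)})
    if words:
        reasons.append("credential/wallet wording: " + ", ".join(words))
    if re.search(r"\bwith\s+icon\b", cmdline, re.I):
        reasons.append("custom icon set, typical of dialogs imitating system prompts")
    return Finding(cmdline, reasons)


def scan(cmdlines: list[str]) -> list[Finding]:
    """Run assess_cmdline over a batch of command lines and keep the hits."""
    return [f for c in cmdlines if (f := assess_cmdline(c))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding.cmdline, "->", "; ".join(finding.reasons))
```

Legitimate admin scripts also use `with hidden answer`, so treat a hit as a triage signal to be paired with the parent process and the DMG's Gatekeeper status rather than a verdict on its own.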

The in-depth technical analysis by Cado Security highlights the persistent vulnerability of even macOS systems, traditionally considered more secure than their Windows counterparts.

The Cthulhu Stealer doesn’t limit its reach to well-known crypto software. It targets a wide range of platforms and data, including:

- Chrome extension wallets

- Minecraft user information

- Wasabi wallet

- Keychain passwords

- SafeStorage passwords

- Battlenet game, cache, and log data

- Firefox cookies

- Daedalus wallet

- Electrum wallet

- Atomic wallet

- Harmony wallet

- Enjin wallet

- Hoo wallet

- Dapper wallet

- Coinomi wallet

- Trust wallet

- Blockchain wallet

- XDeFi wallet

- Browser cookies

- Telegram account information.

The collected information, packaged in a zip archive labeled with the victim's country code and the time of the attack, is then used for further exploitation.

Scammers operating this malware charge $500 per month for its use, promoting it through Telegram and various malware marketplaces. They employ deceptive tactics, such as posing as employers offering fake job opportunities that require downloading working-hours tracking software, to lure victims into installing the malware.

To mitigate the risk of infection, users are advised to install reputable antivirus software tailored for macOS and to exercise caution when downloading software, especially from unfamiliar sources or under urgent circumstances.
