Apple Mac Users Warned About ‘Cthulhu Stealer’ Malware Targeting Crypto Wallets

Cybersecurity firm Cado Security has warned Apple Mac users regarding a new malware variant named “Cthulhu Stealer,” which is designed to steal personal information and target cryptocurrency wallets.

In a recent report, Cado Security highlighted the growing threat to macOS users.

“While MacOS has a reputation for being secure, macOS malware has been trending up in recent years,” the firm stated.

Cthulhu Stealer Masquerades as Legitimate Software

The Cthulhu Stealer malware masquerades as legitimate software, such as CleanMyMac or Adobe GenP, appearing in the form of an Apple disk image (DMG).

Once users download and open this file, they are prompted to enter their password through macOS’s command-line tool, which runs AppleScript and JavaScript.

After the initial password is entered, the malware prompts for a second password, specifically targeting the Ethereum wallet MetaMask.

Recently, Cado Security has identified a malware-as-a-service (MaaS) targeting macOS users named “Cthulhu Stealer”. This blog will explore the functionality of this malware and provide insight into how its operators carry out their activities: https://t.co/nJCt6RnUfG

— Cado (@CadoSecurity) August 22, 2024

Other popular crypto wallets, including those from Coinbase, Wasabi, Electrum, Atomic, Binance, and Blockchain Wallet, are also at risk.

Once Cthulhu Stealer gains access, it stores the stolen data in text files and proceeds to fingerprint the victim’s system, collecting information such as IP address and operating system version.

“The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts,” Tara Gould, a researcher at Cado Security, said.

Cthulhu Stealer shares similarities with another piece of malware called Atomic Stealer, which was discovered in 2023 targeting Apple computers.

Gould suggests that the developer behind Cthulhu Stealer likely modified Atomic Stealer’s code to create this new strain.

The malware has been rented out to affiliates for $500 per month through the Telegram messaging platform, with profits shared among the developers.

However, recent disputes over payments have reportedly caused the main scammers to disappear, leading to accusations of an exit scam.

The rise of Cthulhu Stealer and other similar threats, like the AMOS malware that clones Ledger Live software, has prompted Apple to take action.

The tech giant recently announced updates to its macOS, making it more difficult for users to bypass Gatekeeper protections that ensure only trusted applications are run.

Florida Woman Sues Google Over Play Store Crypto Scam

In another incident, Florida resident Maria Vaca has filed a lawsuit against Google, alleging that the tech giant’s negligence led to her losing over $5 million.

The lawsuit argued that she was deceived by a crypto investment app called Yobit Pro, which she downloaded from the Google Play Store.

In April, Google sued two developers for creating 87 fraudulent apps that scammed over 100,000 users, including 8,700 U.S. residents.

Although Yobit Pro was not mentioned in Google’s lawsuit, the tactics described mirror Vaca’s experience.

These include fraudulent apps luring users with promises of high returns, only to demand additional payments under the guise of taxes or fees, with no intention of allowing users to withdraw their funds.

Meanwhile, Google has launched a feature allowing users to search balances of wallets on Bitcoin, Arbitrum, Avalanche, Optimism, Polygon, and Fantom blockchain.