Friday August 23, 2024 7:13 am PDT by Tim Hardwick https://www.macrumors.com/2024/08/23/cthulu-stealer-macos-malware/
Hello @wshrugged Thank you! macOS users should continue their best safety practices and do NOT disable or bypass the macOS Gatekeeper. The current attack vector appears to be innocently named .DMG Mac files that users must knowingly download. For the excellent nuts-and-bolts analysis, please also study: https://www.cadosecurity.com/blog/from-the-depths-analyzing-the-cthulhu-stealer-malware-for-macos Thank you again, @wshrugged
Thank you, @1PW, for the Cado 'nuts and bolts' link, which includes their self-authored YARA rule. Maybe there'll be XProtect and XProtectRemediator updates forthcoming. I've only read a few articles about Cthulhu Stealer and have not seen evidence that macOS currently detects it, but macOS sometimes remediates without user notification. *edited for clarity
Hello @wshrugged Although it could lead to an occasional undesirable outcome, I hope Apple's macOS would accommodate and validate a "dirt simple" adoption of user YARA rules and Bastion filters. If the current strain of Cthulhu Stealer infiltrates macOS, it likely means that system's Gatekeeper was disabled or bypassed. This will be less possible in macOS 15 Sequoia. If Apple chooses to prioritize it, additional solutions could be made available on Tuesday, which lately has been the day XProtect/XProtect Remediator updates are released. It probably won't be very effective, but on my Mac I have blocked outgoing access to IP 89.208.103.185:4000, and it's reported to AbuseIPDB. I did not install the Cado-authored YARA rules file, as it seems the embedded hash value may have a rare and unfortunate collision with other possible malware per VirusTotal. Pity… Thank you.
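The egress block and the Gatekeeper check that the post above describes, written out as an added example (not code from the thread or from Cado): a small POSIX sh helper that produces a macOS pf rule dropping outbound TCP to the address quoted in the post, writes it into a pf anchor file, and interprets the output of `spctl --status`. The IP and port come from the post; the anchor name `cthulhu-block` and the file path are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a pf egress-block rule for the
# IP:port quoted in the post and checks Gatekeeper status from `spctl --status`.
# Assumptions: anchor name and file path below are mine, not Apple's defaults.

# Print one pf rule that drops outbound TCP to a single IP and port.
pf_block_rule() {
  ip="$1"
  port="$2"
  printf 'block drop out quick proto tcp from any to %s port %s\n' "$ip" "$port"
}

# Write the rule into an anchor file so pfctl can load it; prints the path.
write_anchor_file() {
  path="$1"
  ip="$2"
  port="$3"
  pf_block_rule "$ip" "$port" > "$path"
  printf '%s\n' "$path"
}

# Given the text printed by `spctl --status`, return 0 when Gatekeeper
# assessments are enabled and 1 otherwise.
gatekeeper_enabled() {
  case "$1" in
    *"assessments enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage on a Mac (needs root for pfctl):
#   write_anchor_file /etc/pf.anchors/cthulhu-block 89.208.103.185 4000
#   sudo pfctl -a cthulhu-block -f /etc/pf.anchors/cthulhu-block
#   sudo pfctl -e
#   sudo pfctl -a cthulhu-block -s rules        # confirm the rule loaded
#   gatekeeper_enabled "$(spctl --status)" && echo "Gatekeeper on" || echo "Gatekeeper OFF"
```

Two caveats a defender should keep in mind: an anchor loaded with `pfctl -a` is only evaluated if the main ruleset references it (add `anchor "cthulhu-block"` to /etc/pf.conf, or load the rule into the main ruleset instead), and a single-IP block is easily sidestepped by a change of infrastructure, which is exactly why the post rates it as "probably won't be very effective" next to keeping Gatekeeper on.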