A new infostealer is trying to ride the coattails of one of the most prevalent malware tools on the planet, taking advantage of some inherent security shortcomings in macOS environments.

In a new blog post, Cado Security discusses “Cthulhu Stealer,” a new cybercrime tool making the rounds lately. It’s designed to nab cryptocurrency wallet and gaming credentials, as well as browser data. It isn’t particularly sophisticated, perhaps because it doesn’t have to be. Atomic Stealer — Cthulhu’s progenitor — has proven as much. In the past couple of years, this basically average stealer has become one of the most prevalent malwares across the globe. Perhaps, experts suggest, that has to do with some of the ways in which the security community has looked past Macs in the past.

Case Study: Cthulhu Stealer

Cthulhu Stealer is an Apple disk image (DMG) written in Golang. It typically arrives in front of a victim’s eyeballs masked as a legitimate software program, like the CleanMyMac maintenance tool or the Grand Theft Auto video game.

When opened, the program asks for the victim’s system password and, illogically, their Metamask cryptocurrency wallet password.

“It should look suspicious to users, but sometimes people download stuff and they might not be thinking,” notes Tara Gould, threat researcher at Cado Security. With Cthulhu’s target demographic in particular, “They could be younger, or maybe not as well-versed in computers. There’s a whole host of reasons why it may not potentially flag as suspicious.”

Once planted, the program gathers system data, such as its IP address, OS version, and various hardware and software information. Then it goes after its real aim: crypto, game account, and browser credentials. Targeted apps include the Coinbase, Binance, and Atomic crypto wallets, Firefox cookies, and Battle.net and Minecraft user data.

Despite running for $500 per month on cybercrime forums, Cthulhu Stealer is essentially unsophisticated, without any standout stealth techniques, and largely indistinguishable from at least one other commercially available offering in the underground.

The Road Atomic Stealer Paved

The most notable feature of Cthulhu Stealer is how closely it copies Atomic Stealer. Not only do they share many of the same functionalities and features, but Cthulhu Stealer even includes some of the same typos in Atomic Stealer’s code.

Atomic Stealer isn’t so remarkable itself. Previously, Dark Reading noted its lack of a persistence mechanism, and characterized it as “smash and grab” by nature. Still, it’s no wonder that other malware authors might want to copy it, since it’s one of the most successful infostealers in the world today.

In a report last month, Red Canary ranked it as the sixth most prevalent malware in the wild today, tied with the popular SocGholish and Lumma, and the ubiquitous Cobalt Strike. Its sixth place finish is actually a step down from previous Red Canary reports, which have included Atomic Stealer in its top 10 lists for the entirety of 2024 thus far.

“The fact that any macOS threat would make the top 10 is pretty staggering,” notes Brian Donohue, principal information security specialist with Red Canary. “I would venture to guess that any organization that has a meaningful footprint of macOS devices probably has Atomic Stealer lurking somewhere in their environment.”

How Enterprises Should Handle macOS Threats

Threats to macOS are distinctly less common than to Windows and Linux, with Elastic data from 2022 and 2023 suggesting that only around 6% of all malware can be found on these systems.

“Windows is still targeted the most, because large corporations all tend to still be very Windows-heavy, but that is shifting. A lot of enterprises are starting to increase the amount of Macs they have, so it is definitely going to become more of an issue,” Gould says.

Hackers aren’t all jumping on the bandwagon yet, but there is growing interest, perhaps because there’s so little interest on the part of defenders.

In an email to Dark Reading, Jake King, head of threat and security intelligence at Elastic, indicated that threats to Macs have risen less than 1% over the past year, adding, “While we’re not observing significant growth patterns that indicate enterprise-specific targeting of MacOS, it may be attributed to a lower volume of telemetry acquired from this OS. We have observed several novel approaches to exploiting vulnerabilities over the calendar year that indicate adversarial interest across a number of campaigns.” In other words: the data may indicate a lack of interest in macOS from attackers, or from defenders.

If runaway successes like Atomic Stealer do inspire more hackers to move operating systems, defenders will be working from a disadvantageous position, thanks to years of disinterest from the security community.

As Donohue explains, “A lot of enterprises adopt macOS systems for engineers and administrators, so a lot of the people who are using macOS machines are, by default, either highly privileged or dealing with sensitive information. And my suspicion is that there is less expertise in macOS threats across those organizations.”

There’s also less tooling, Donohue adds. “Take something like EDR, as an example. These started out as tools for protecting Windows systems and then were later co-opted into being tools for protecting macOS systems as well. And Windows machines have really robust application control policies, but there isn’t really similar functionality in macOS Gatekeeper (which is roughly analogous to Windows Defender). It’s pretty good at finding malicious binaries and creating YARA rules and signatures for them, but a lot of malware developers have been able to sidestep it.”

Elastic’s King adds, “Default operating system controls, while effective, are likely not evolving at a rate alongside adversarial behaviors.” For this reason, King says, “Ensuring sensible access permissions, sufficient hardening controls, and instrumentation that allows for organizations to observe or prevent threats on macOS systems remains important.”