macOS virus steals iCloud Keychain and browser cookies

Researchers at Cato Networks have discovered a macOS virus that can steal passwords from iCloud Keychain, where Macs store their logins. Dubbed Cthulhu Stealer, the malware is a classic Trojan horse that pretends to be a legitimate program to infect your device. It is still active even though the group responsible for it, which operated it as Malware-as-a-Service, no longer exists.

The virus affects both Macs with Intel processors and models with Apple chips. Among the programs that Cthulhu Stealer impersonates are GTA IV, CleanMyMac and Adobe GenP, the last being software that activates Creative Cloud and allows Adobe programs to be used without an activation key.

Malware asks for system password after execution

After the user authorizes the program to run, bypassing the Gatekeeper warning, Cthulhu Stealer asks for the Mac’s password. This allows the malware to access system information and steal data from the iCloud Keychain.

Cthulhu Stealer asks for the system password after its execution has been allowed past Gatekeeper (Image: Reproduction/The Hacker News)

The malware also asks users to enter their MetaMask cryptocurrency wallet password, if they have one. But with access to iCloud Keychain, hackers can reach the passwords saved for these wallets, gaming platforms (Steam, Epic) and e-commerce sites. According to Cato Networks, Cthulhu Stealer also captures browser cookies and Telegram information.

Apple and the “sense of security”

macOS Sequoia will have an extra step for users to authorize the execution of apps not approved by Gatekeeper (Image: Reproduction/Apple)

One factor that helps Cthulhu Stealer spread is the high level of trust macOS and iOS users place in the security of their devices. While Windows and Linux systems are prime targets for hackers, this does not make Macs immune to attacks.

To resolve similar cases, Apple will introduce the good old method of annoying people in macOS Sequoia. If Gatekeeper does not validate the program’s signature, the user will have to open the settings, go to the Privacy and Security menu and then approve the execution of the program.

A simple but very effective solution for those users who don’t want to put in a lot of effort to run any program.

Source(s): 9to5Mac and The Hacker News.
