The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Cthulhu MacOS Stealer

Aug 30, 2024 2:09:06 PM / by The Hivemind

Related Families: Atomic Stealer

Executive Summary

Cthulhu is a stealer malware targeting macOS systems. First observed in 2023, this malware-as-a-service (MaaS) offering is capable of targeting both x86_64 and ARM architectures.

Key Takeaways

  • Cthulhu is a stealer malware targeting macOS systems.
  • First observed in 2023, it is capable of targeting both x86_64 and ARM architectures.
  • It masquerades as legitimate software.
  • Cthulhu is capable of stealing Keychain passwords, browser cookies, cryptocurrency wallets, game accounts, and Telegram account information.

What is Cthulhu?

Cthulhu is a stealer malware targeting macOS systems. First observed in 2023, this malware-as-a-service (MaaS) offering is capable of targeting both x86_64 and ARM architectures. Cado Security recently reported on Cthulhu.

The malware is written in Go. It is delivered as a DMG bundling two binaries, one for each targeted architecture, and masquerades as legitimate software. Apps it impersonates include CleanMyMac, Grand Theft Auto IV, and Adobe GenP. The binary is unsigned, so the user must explicitly override Gatekeeper to run it; the malware relies on the victim bypassing that protection rather than on a technical Gatekeeper bypass. Once running, it uses osascript to display a dialog asking the user for their system password, followed by a second prompt for their MetaMask password.

Cthulhu fingerprints the victim's machine, gathering information including system name, OS version, and hardware and software information. It steals Keychain passwords using Chainbreaker, an open-source tool that decrypts a keychain file offline given the user's login password, which is why the earlier osascript prompt asks for the system password. It also steals browser cookies, cryptocurrency wallets, game accounts, and Telegram account information. Targeted cryptocurrency wallets include Coinbase wallet, Wasabi wallet, MetaMask wallet, Daedalus wallet, Electrum wallet, Atomic wallet, Binance wallet, Harmony wallet, Enjin wallet, Hoo wallet, Dapper wallet, Coinomi wallet, Trust wallet, Blockchain wallet, and XDeFi wallet. Targeted games include Minecraft as well as Blizzard games via Battle.net. The stolen data is compressed into a ZIP archive and exfiltrated to the C2 server.
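The password prompt followed by a direct read of the keychain file is the sequence a detection should key on, since a hidden-answer osascript dialog on its own is also used by legitimate installers. The Python below is an added example, not code from this post, PolySwarm, or Cado Security: it runs that correlation over constructed process and file events. It assumes an EDR-style JSON-lines event schema (the field names are made up), that the osascript dialog uses AppleScript's `display dialog ... with hidden answer` idiom (the usual way to draw a password box; the post does not quote the script), and a small allowlist of processes expected to open keychain files directly.

```python
"""Detect the prompt-then-keychain-read chain of a Cthulhu / Atomic-style stealer.

Added example, not code from the PolySwarm post or from Cado Security. Assumed
(not stated on the page): the osascript prompt uses AppleScript's
`display dialog ... with hidden answer` idiom; telemetry arrives as JSON lines
with the field names used below; the keychain-reader allowlist.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample telemetry (not logs from a real infection). The fake
# "CleanMyMac" actor mirrors the impersonated app named in the post.
SAMPLE_EVENTS = r'''
{"ts": "2024-08-30T14:01:02Z", "type": "exec", "parent": "CleanMyMac", "process": "osascript", "cmdline": "osascript -e 'display dialog \"macOS needs to access System Settings\" default answer \"\" with icon caution buttons {\"Continue\"} with hidden answer'"}
{"ts": "2024-08-30T14:01:09Z", "type": "exec", "parent": "CleanMyMac", "process": "osascript", "cmdline": "osascript -e 'display dialog \"Enter your MetaMask password\" default answer \"\" with hidden answer'"}
{"ts": "2024-08-30T14:01:11Z", "type": "file", "parent": "launchd", "process": "CleanMyMac", "path": "/Users/victim/Library/Keychains/login.keychain-db"}
{"ts": "2024-08-30T14:01:12Z", "type": "file", "parent": "launchd", "process": "CleanMyMac", "path": "/Users/victim/Library/Application Support/Google/Chrome/Default/Cookies"}
{"ts": "2024-08-30T14:05:00Z", "type": "file", "parent": "launchd", "process": "securityd", "path": "/Users/victim/Library/Keychains/login.keychain-db"}
{"ts": "2024-08-30T14:06:00Z", "type": "exec", "parent": "Terminal", "process": "osascript", "cmdline": "osascript -e 'display notification \"Build finished\"'"}
'''

PROMPT_RE = re.compile(r"display dialog.*with hidden answer", re.IGNORECASE | re.DOTALL)
KEYCHAIN_RE = re.compile(r"/Library/Keychains/[^/]+\.keychain(-db)?$")
COOKIE_RE = re.compile(r"/(Cookies|cookies\.sqlite)$")
# Processes expected to open keychain files directly (assumed allowlist; tune locally).
KEYCHAIN_ALLOW = {"securityd", "security", "Keychain Access", "loginwindow", "trustd"}


def parse_events(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(ev: dict):
    """Map one event to (actor, tag) if it is part of the stealer pattern, else None.

    For an osascript prompt the actor is the parent that spawned osascript, since
    osascript itself is a legitimate Apple binary; for file reads it is the process.
    """
    if ev["type"] == "exec" and ev["process"] == "osascript" and PROMPT_RE.search(ev["cmdline"]):
        return ev["parent"], "credential_prompt"
    if ev["type"] == "file":
        if KEYCHAIN_RE.search(ev["path"]) and ev["process"] not in KEYCHAIN_ALLOW:
            return ev["process"], "keychain_file_read"
        if COOKIE_RE.search(ev["path"]):
            return ev["process"], "browser_cookie_read"
    return None


def find_stealer_chains(events: list[dict], window_s: int = 300) -> dict[str, list[str]]:
    """Return {actor: sorted tags} for each actor that showed a hidden-answer
    password prompt and then read a keychain file within window_s seconds.
    The prompt supplies the login password Chainbreaker needs; the file read is
    the theft itself. Either alone is noisy, the ordered pair is not."""
    per_actor: dict[str, list[tuple[datetime, str]]] = {}
    for ev in events:
        hit = classify(ev)
        if hit:
            actor, tag = hit
            per_actor.setdefault(actor, []).append((_ts(ev["ts"]), tag))
    chains = {}
    for actor, hits in per_actor.items():
        prompts = [t for t, tag in hits if tag == "credential_prompt"]
        reads = [t for t, tag in hits if tag == "keychain_file_read"]
        if any(0 <= (r - p).total_seconds() <= window_s for p in prompts for r in reads):
            chains[actor] = sorted({tag for _, tag in hits})
    return chains


if __name__ == "__main__":
    for actor, tags in find_stealer_chains(parse_events(SAMPLE_EVENTS)).items():
        print(f"stealer chain by {actor}: {', '.join(tags)}")
```

On the sample data only the fake CleanMyMac actor is reported: its two prompts precede the keychain read by seconds, while securityd's read is allowlisted and the Terminal-spawned osascript only shows a notification. The cookie-read tag is carried along as supporting context rather than as a trigger, because browsers and their helpers touch those files constantly.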

Cado Security researchers note that Cthulhu's functionality is similar to that of Atomic Stealer, and that Cthulhu is likely based on modified Atomic code. Cthulhu is not a particularly sophisticated stealer and does not have stealth capabilities.

IOCs

PolySwarm has a sample of Cthulhu.

SHA-256: 6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12

You can use the following CLI command to search for all Cthulhu samples in our portal:

$ polyswarm link list -f Cthulhu

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.



Topics: Threat Bulletin, Stealer, MacOS, Cthulhu
