Key Takeaways
What is Cthulhu?
The malware is written in Go. It is delivered as a DMG bundled with two binaries, one for each targeted architecture, and masquerades as legitimate software. Apps it impersonates include CleanMyMac, Grand Theft Auto IV, and Adobe GenP. Because the file is unsigned, the user must explicitly allow it to run, which bypasses Gatekeeper protections. An osascript dialog then prompts the user to enter their system password, after which they are prompted to enter their MetaMask password.
Cthulhu fingerprints the victim’s machine, collecting the system name, OS version, and hardware and software details. It is capable of stealing Keychain passwords using Chainbreaker, an open-source tool, and it also steals browser cookies, cryptocurrency wallets, game accounts, and Telegram account information. Targeted cryptocurrency wallets include Coinbase wallet, Wasabi wallet, MetaMask wallet, Daedalus wallet, Electrum wallet, Atomic wallet, Binance wallet, Harmony wallet, Enjin wallet, Hoo wallet, Dapper wallet, Coinomi wallet, Trust wallet, Blockchain wallet, and XDeFi wallet. Targeted games include Minecraft as well as Blizzard games via Battle.net. The stolen data is compressed into a ZIP file and exfiltrated to the C2.
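The behaviour chain described above (a password dialog via osascript, followed by Keychain, browser-cookie and wallet reads, then a ZIP archive for exfiltration) is a useful detection shape on its own, independent of any one hash. The following is an added example, not code from the PolySwarm report or from Cado Security: it triages constructed process-execution log lines, groups them by process tree, and flags a tree only when several of the report's behaviours co-occur. The log format, the regexes and the sample lines are assumptions made for illustration; the SHA-256 is the one from the IOC section below.

```python
import hashlib
import re
from collections import defaultdict

# SHA-256 of the Cthulhu sample from the report's IOC section.
CTHULHU_SHA256 = "6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12"

# Behaviours the report describes, as (indicator name, regex over "exe cmd").
# These patterns are illustrative assumptions, not published vendor signatures.
INDICATORS = [
    ("osascript_password_prompt",
     re.compile(r"osascript.*display dialog.*with hidden answer", re.I)),
    ("keychain_read",
     re.compile(r"/Library/Keychains/|chainbreaker", re.I)),
    ("browser_cookie_read",
     re.compile(r"/(Chrome|Firefox|Safari)[^\s]*/Cookies", re.I)),
    ("wallet_read",
     re.compile(r"metamask|electrum|atomic|coinomi|trust wallet|wasabi|daedalus", re.I)),
    ("game_or_messenger_read",
     re.compile(r"minecraft|battle\.net|Telegram", re.I)),
    ("archive_for_exfil",
     re.compile(r"\bzip\b.*\.zip", re.I)),
]

# A single indicator (one zip, one dialog) is everyday activity; require several.
MIN_INDICATORS = 3

# Assumed telemetry format: one process start per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) exe=(?P<exe>\S+) cmd=(?P<cmd>.*)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """Hash-based check against the report's IOC."""
    return sha256_hex(data) == CTHULHU_SHA256


def parse_line(line: str):
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Return {root_pid: sorted indicator names} for every process tree that
    trips at least MIN_INDICATORS distinct behaviours."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    parent = {e["pid"]: e["ppid"] for e in events}

    def root(pid):
        # Walk up while the parent is itself a logged process.
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    hits = defaultdict(set)
    for e in events:
        text = f'{e["exe"]} {e["cmd"]}'
        for name, rx in INDICATORS:
            if rx.search(text):
                hits[root(e["pid"])].add(name)
    return {r: sorted(n) for r, n in hits.items() if len(n) >= MIN_INDICATORS}


# Constructed sample telemetry: one tree mimicking the reported chain under a
# fake CleanMyMac, plus two benign lines that must not be flagged.
SAMPLE_LOG = """\
2024-08-22T10:00:01Z pid=501 ppid=1 exe=/Applications/CleanMyMac.app/Contents/MacOS/CleanMyMac cmd=
2024-08-22T10:00:02Z pid=502 ppid=501 exe=/usr/bin/osascript cmd=-e 'display dialog "System needs your password" default answer "" with hidden answer'
2024-08-22T10:00:03Z pid=503 ppid=501 exe=/usr/bin/python3 cmd=chainbreaker.py /Users/victim/Library/Keychains/login.keychain-db
2024-08-22T10:00:04Z pid=504 ppid=501 exe=/bin/cp cmd=/Users/victim/Library/Application Support/Google/Chrome/Default/Cookies /tmp/out/
2024-08-22T10:00:05Z pid=505 ppid=501 exe=/bin/cp cmd=-r "/Users/victim/Library/Application Support/Electrum" /tmp/out/
2024-08-22T10:00:06Z pid=506 ppid=501 exe=/usr/bin/zip cmd=-r /tmp/out.zip /tmp/out
2024-08-22T10:00:07Z pid=601 ppid=1 exe=/usr/bin/osascript cmd=-e 'display dialog "Hello" buttons {"OK"}'
2024-08-22T10:00:08Z pid=602 ppid=1 exe=/usr/bin/zip cmd=-r /Users/victim/backup.zip /Users/victim/Documents
"""

if __name__ == "__main__":
    for root_pid, names in triage(SAMPLE_LOG.splitlines()).items():
        print(f"suspicious tree rooted at pid {root_pid}: {', '.join(names)}")
```

Grouping by process tree is the point of the example: each step on its own (a zip, an osascript dialog, a read of a browser profile) is normal macOS activity, and only the co-occurrence under one unsigned parent reproduces the chain the report describes. The hash check is kept alongside because it is exact but brittle, while the behavioural check survives a recompiled sample.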
Cado Security researchers note that Cthulhu’s functionality is similar to that of Atomic Stealer, and it is likely that Cthulhu is based on modified Atomic code. Cthulhu is not a particularly sophisticated stealer and has no stealth capabilities.
IOCs
PolySwarm has a sample of Cthulhu.
6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12
You can use the following CLI command to search for all Cthulhu samples in our portal:
$ polyswarm link list -f Cthulhu