Short Summary:
The article discusses the rise of macOS malware, specifically focusing on a new malware-as-a-service called “Cthulhu Stealer.” This malware, written in GoLang, disguises itself as legitimate software and targets macOS users to steal sensitive information such as passwords and cryptocurrency wallet credentials. The article emphasizes the increasing security concerns for macOS users and offers recommendations for protection against such threats.
Key Points:
- macOS has a growing malware threat despite its reputation for security.
- Cthulhu Stealer is a malware targeting macOS users, identified by Cado Security.
- It is distributed as a disk image (DMG) and prompts users for their passwords.
- The malware collects sensitive information, including MetaMask and Keychain passwords.
- Cthulhu Stealer operates similarly to Atomic Stealer, indicating code modification.
- The malware is marketed as a service on platforms like Telegram and malware marketplaces.
- Users are advised to download software only from trusted sources and enable macOS security features.
MITRE ATT&CK TTPs – created by AI
- User Execution – T1204
- Users are tricked into executing malicious software.
- Command and Scripting Interpreter: Apple Script – T1059.002
- Utilizes osascript to execute scripts prompting for user credentials.
- Credentials From Password Stores – T1555
- Steals credentials from various password stores, including Keychain and web browsers.
- Credentials From Password Stores: Keychain – T1555.001
- Specifically targets macOS Keychain for stored passwords.
- Credentials From Password Stores: Credentials From Web Browser – T1555.003
- Extracts credentials stored in web browsers.
- Account Discovery – T1087
- Gathers information about user accounts on the system.
- System Information Discovery – T1082
- Collects system information including OS version and hardware details.
- Data Staged – T1074
- Prepares stolen data for exfiltration.
- Data From Local System – T1005
- Accesses and collects data from local files.
- Exfiltration Over C2 Channel – T1041
- Exfiltrates stolen data to a command and control server.
- Financial Theft – T1649
- Targets financial information, including cryptocurrency wallets.
For years there has been a general belief in the Zeitgeist that macOS systems are immune to malware. While MacOS has a reputation for being secure, macOS malware has been trending up in recent years with the emergence of Silver Sparrow, KeRanger, and Atomic Stealer, among others. Recently, Cado Security has identified a malware-as-a-service (MaaS) targeting macOS users named “Cthulhu Stealer”. This blog will explore the functionality of this malware and provide insight into how its operators carry out their activities.
File details:
Language: Go
Not Signed
Stripped
Multiarch: x86_64 and arm
Figure 1: Screenshot of disk image when mounted
Cthulhu Stealer is an Apple disk image (DMG) that is bundled with two binaries, depending on the architecture. The malware is written in GoLang and disguises itself as legitimate software. Once the user mounts the dmg, the user is prompted to open the software. After opening the file, osascript, the macOS command-line tool for running AppleScript and JavaScript is used to prompt the user for their password.
Figure 2: Password Prompt
Figure 3: Osascript prompting user for password
Once the user enters their password, a second prompt requests the user’s MetaMask password. A directory is created in ‘/Users/Shared/NW’ with the credentials stored in textfiles. Chainbreak is used to dump Keychain passwords and stores the details in Keychain.txt.
Figure 4: Password prompt for MetaMask
Figure 5: Directory /Users/Shared/NW with created files
A zip archive containing the stolen data is created in: /Users/Shared/NW/[CountryCode]Cthulhu_Mac_OS_[date]_[time].zip. Additionally, a notification is sent to the C2, to alert to new logs. The malware fingerprints the victim’s system, gathering information including IP, with IP details that are retrieved from ipinfo.io. System information including system name, OS version, hardware and software information are also gathered and stored in a text file, shown in Figure 7 and 8.
Figure 6: Parsed IP Details
Figure 7: Contents of ‘Userinfo.txt’
Figure 8: Part of the function saving system information to text file
Figure 9: Alert of Log that is sent to operators
Cthulhu Stealer impersonates disk images of legitimate software that include:
- CleanMyMac
- Grand Theft Auto IV (appears to be a typo for VI)
- Adobe GenP
The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts. Shown in Figure 10, there are multiple checker functions that check in the installation folders of targeted file stores, typically in “Library/Application Support/[file store]”. A directory is created in /Users/Shared/NW and the contents of the installation folder are dumped into text files for each store.
Figure 10: “Checker” functions being called in main function
Figure 11: Function BattleNetChecker
A list of stores Cthulhu Stealer steals from is shown in Table 1.
Table 1: List of stolen data
|
Browser Cookies |
|
Coinbase Wallet |
|
Chrome Extension Wallets |
|
Telegram Tdata account information |
|
Minecraft user information |
|
Wasabi Wallet |
|
MetaMask Wallet |
|
Keychain Passwords |
|
SafeStorage Passwords |
|
Battlenet game, cache and log data |
|
Firefox Cookies |
|
Daedalus Wallet |
|
Electrum Wallet |
|
Atomic Wallet |
|
Binanace Wallet |
|
Harmony Wallet |
|
Electrum Wallet |
|
Enjin Wallet |
|
Hoo Wallet |
|
Dapper Wallet |
|
Coinomi Wallet |
|
Trust Wallet |
|
Blockchain Wallet |
|
XDeFI Wallet |
Comparison to Atomic Stealer
Atomic Stealer is an infostealer that targets macOS written in Go that was first identified in 2023. Atomic Stealer steals crypto wallets, browser credentials, and keychain. The stealer is sold on Telegram to affiliates for $1000 per month. The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating the developer of Cthulhu Stealer probably took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, even including the same spelling mistakes.
Forum and Operators
The developers and affiliates of Cthulhu Stealer operate as “Cthulhu Team” using Telegram for communications. The stealer appears to be being rented out to individuals for $500/month, with the main developer paying out a percentage of earnings to affiliates based on their deployment. Each affiliate of the stealer is responsible for the deployment of the malware. Cado has found Cthulhu stealer sold on two well-known malware marketplaces which are used for communication, arbitration and advertising of the stealer, along with Telegram. The user “Cthulhu” (also known as Balaclavv), first started advertising Cthulhu in at the end of 2023 and appeared to be operating for the first few months of 2024.
Various affiliates of the stealer started lodging complaints against Cthulhu in 2024 with regards to payments not being received. Users complained that Cthulhu had stolen money that was owed to them and accused him of being a scammer or participating in an exit scam. As a result, he received a permanent ban from the marketplace.
Figure 12: Screenshot of an arbitration an affiliate lodged against Cthulhu
In conclusion, while macOS has long been considered a secure system, the existence of malware targeting Mac users remains an increasing security concern. Although Cthulhu Team is seemingly no longer active, this serves as a reminder that Apple users are not immune to cyber threats. It’s crucial to remain vigilant and exercise caution, particularly when installing software from unofficial sources.
To protect yourself from potential threats, always download software from trusted sources, such as the Apple App Store or the official websites of reputable developers. Enable macOS’s built-in security features such as Gatekeeper, which helps prevent the installation of unverified apps. Keep your system and applications up to date with the latest security patches. Additionally, consider using reputable antivirus software to provide an extra layer of protection.
By staying informed and taking proactive steps, you can significantly reduce the risk of falling victim to Mac malware and ensure your system remains secure.
|
Filename |
sha256 |
|
Launch.dmg |
6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12 |
|
GTAIV_EarlyAccess_MACOS_Release.dmg |
e3f1e91de8af95cd56ec95737669c3512f90cecbc6696579ae2be349e30327a7 |
|
AdobeGenP.dmg |
f79b7cbc653696af0dbd867c0a5d47698bcfc05f63b665ad48018d2610b7e97b |
|
Setup2024.dmg |
de33b7fb6f3d77101f81822c58540c87bd7323896913130268b9ce24f8c61e24 |
|
CleanMyMac.dmg |
96f80fef3323e5bc0ce067cd7a93b9739174e29f786b09357125550a033b0288 |
|
Network Indicators |
|
89[.]208.103.185 |
|
89[.]208.103.185:4000/autocheckbytes |
|
89[.]208.103.185:4000/notification_archive |
|
Technique Name |
ID |
|
User Execution |
T1204 |
|
Command and Scripting Interpreter: Apple Script |
T1059.002 |
|
Credentials From Password Stores |
T1555 |
|
Credentials From Password Stores: Keychain |
T1555.001 |
|
Credentials From Password Stores: Credentials From Web Browser |
T1555.003 |
|
Account Discovery |
T1087 |
|
System Information Discovery |
T1082 |
|
Data Staged |
T1074 |
|
Data From Local System |
T1005 |
|
Exfiltration Over C2 Channel |
T1041 |
|
Financial Theft |
T1649 |
|
rule MacoOS_CthulhuStealer { |
Paths
/Users/Shared/NW
Source: https://www.cadosecurity.com/blog/from-the-depths-analyzing-the-cthulhu-stealer-malware-for-macos