| Cthulhu Stealer | |
| --- | --- |
| Type of Malware | Infostealer |
| Date of Initial Activity | 2023 |
| Associated Groups | Cthulhu Team |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | macOS |
| Type of Information Stolen | Financial Information |
Overview
Over the past decade, macOS has built a reputation for being one of the most secure operating systems, with many users believing it to be immune to malware and cyberattacks. However, as the popularity of Apple devices continues to grow, so does the interest of cybercriminals in targeting macOS systems. Although macOS malware has remained less prevalent compared to other platforms, recent trends have shown an uptick in attacks specifically designed for macOS. One such emerging threat is Cthulhu Stealer, a sophisticated malware-as-a-service (MaaS) operation that has recently gained attention for its targeted attacks on cryptocurrency users, gamers, and others with valuable digital assets. Identified by Cado Security, Cthulhu Stealer is part of a new wave of macOS threats, leveraging social engineering techniques and exploiting popular applications to exfiltrate sensitive data.
The Cthulhu Stealer malware is a prime example of how cybercriminals are evolving their tactics to compromise macOS systems. The malware masquerades as legitimate software, often packaged as a disk image (DMG), to trick users into unknowingly executing the malicious payload. Once installed, Cthulhu Stealer utilizes various techniques to steal sensitive information, including cryptocurrency wallet credentials, browsing cookies, and even game account data. Its functionality is particularly concerning due to its stealthy nature and ability to impersonate trusted applications such as CleanMyMac, Grand Theft Auto IV, and Adobe GenP, making detection by the average user challenging.
Targets
Individuals
How they operate
Deployment and Execution Process
The malware is distributed as a macOS disk image (DMG), a file format commonly used for macOS applications. Cthulhu Stealer masquerades as legitimate software such as CleanMyMac or even popular games like Grand Theft Auto IV, enticing users to mount and execute the infected DMG file. Once opened, the malware uses osascript, a legitimate macOS tool, to display a prompt requesting the user’s system password. This tactic is a form of social engineering, tricking users into providing their credentials to the malware. The password prompt is designed to look like a standard macOS system authorization request, making it difficult for users to detect malicious activity.
Once the user enters their macOS password, Cthulhu Stealer continues its operation by requesting the user’s MetaMask wallet password through a similar script. Upon successful input, the malware creates a hidden directory on the system (/Users/Shared/NW) and begins collecting sensitive data. Because osascript is a trusted macOS utility, the malware can operate covertly without triggering alarms, which makes it difficult for traditional security tools to detect.
Data Collection and Credential Dumping
Cthulhu Stealer’s primary objective is to exfiltrate a wide range of credentials and personal information from infected systems. The malware collects browser cookies, password manager data, and cryptocurrency wallet credentials, with a particular focus on popular wallets like MetaMask, Coinbase Wallet, and others. It achieves this through a series of “checker” functions that probe various installation directories within the system’s file structure. These directories, such as Library/Application Support/[file store], contain key information for targeted applications, including game data and cryptocurrency wallets.
In addition to browser and wallet data, Cthulhu Stealer also employs Chainbreak, a tool designed to dump passwords from macOS’s Keychain. Keychain is a built-in macOS feature that stores and encrypts user credentials for applications and websites. By dumping the contents of the Keychain, Cthulhu Stealer can extract login credentials for a variety of services, including email, social media, and financial platforms. These credentials are stored in text files and later packaged into a zip archive for exfiltration.
Exfiltration and Command and Control
Once Cthulhu Stealer has gathered the necessary data, it creates a zip archive containing the stolen information and stores it in the previously created directory. The archive is named with a timestamp and the victim’s country code, ensuring that the stolen data is easily identifiable. At this stage, the malware establishes communication with its Command and Control (C2) server to exfiltrate the data. The C2 communication allows the attacker to receive the stolen information and issue further commands to the infected system if necessary.
Cthulhu Stealer also fingerprints the infected system, gathering details such as the system’s IP address, OS version, hardware, and software information. This data is saved in text files and sent to the C2 server, providing the attacker with valuable intelligence on the infected machine. The malware uses services like ipinfo.io to retrieve the victim’s IP address and geolocation, adding another layer of information to its exfiltration process.
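As an added defender-side example (not from the page's source or from Cado Security's analysis), the following Python script turns the behaviours described in the Deployment and Execution and Exfiltration sections into host-triage heuristics: it flags osascript processes that show a hidden-answer password dialog and inventories files under the /Users/Shared/NW staging directory, marking archives that fit the timestamp-plus-country-code naming scheme. The dialog construct and the exact archive filename format are assumptions, and the inputs are constructed samples standing in for a process listing and a file walk.

```python
"""Host-triage heuristics for the Cthulhu Stealer behaviours described above.

Added example, not code from the write-up or from Cado Security. Runs offline on
constructed inputs; only the /Users/Shared/NW staging path comes from the page.
"""
import re
from pathlib import PurePosixPath

STAGING_DIR = PurePosixPath("/Users/Shared/NW")  # staging directory named in the write-up

# 'display dialog ... with hidden answer' is the standard AppleScript way to ask
# for a password; assumption: the stealer's osascript prompt uses this construct.
_PROMPT_RE = re.compile(r"display dialog.*hidden answer", re.IGNORECASE)
# Archive named with a timestamp and a two-letter country code (constructed
# pattern; the page gives the naming scheme but not the exact format).
_ARCHIVE_RE = re.compile(r"^\d{8,14}[_-][A-Z]{2}\.zip$")


def flag_osascript_prompts(process_lines):
    """Return (pid, cmdline) for osascript processes showing a hidden-answer dialog."""
    hits = []
    for line in process_lines:
        pid, _, cmd = line.strip().partition(" ")  # "<pid> <args>" as in `ps -eo pid,args`
        if "osascript" in cmd and _PROMPT_RE.search(cmd):
            hits.append((int(pid), cmd))
    return hits


def flag_staging_artifacts(paths):
    """Return (path, kind) for every file under the staging directory."""
    findings = []
    for p in map(PurePosixPath, paths):
        if STAGING_DIR not in p.parents:
            continue
        kind = "archive" if _ARCHIVE_RE.match(p.name) else "file"
        findings.append((str(p), kind))
    return findings


# Constructed sample data: a process-listing snapshot and a file inventory.
SAMPLE_PROCS = [
    '512 /usr/bin/osascript -e display dialog "Enter your password" default answer "" with hidden answer',
    "513 /Applications/Safari.app/Contents/MacOS/Safari",
    '601 /usr/bin/osascript -e display notification "Backup complete"',
]
SAMPLE_PATHS = [
    "/Users/Shared/NW/20240101120000_US.zip",
    "/Users/Shared/NW/sysinfo.txt",
    "/Users/alice/Documents/notes.txt",
]

if __name__ == "__main__":
    for pid, cmd in flag_osascript_prompts(SAMPLE_PROCS):
        print(f"[osascript credential prompt] pid={pid}: {cmd}")
    for path, kind in flag_staging_artifacts(SAMPLE_PATHS):
        print(f"[staging {kind}] {path}")
```

On a live host the same functions can be fed the output of `ps -eo pid,args` and a walk of /Users/Shared; a hit on either heuristic is a reason to isolate the machine and rotate the credentials the page lists as targets.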
Comparison to Atomic Stealer
Cthulhu Stealer shares many similarities with another macOS-based malware, Atomic Stealer, which was identified in 2023. Both malware strains are written in GoLang and use osascript for social engineering, requesting system and cryptocurrency wallet passwords. The similarities in functionality and code suggest that Cthulhu Stealer may have been derived from or inspired by Atomic Stealer, with modifications to enhance its effectiveness and target different wallet applications. The operational models for both malware variants also appear to be similar, with Cthulhu Stealer operating as a malware-as-a-service (MaaS) offering that affiliates can rent for a monthly fee.
MITRE Tactics and Techniques
Initial Access (T1071)
Cthulhu Stealer often gains initial access by masquerading as legitimate software, such as CleanMyMac or Grand Theft Auto IV. These disk images (DMG files) are designed to trick users into downloading and executing the malware.
Execution (T1106)
Once the DMG is mounted and the application is run, the malware uses osascript to prompt the user for their macOS password and MetaMask credentials. This tactic allows the malware to execute its malicious functions by leveraging a legitimate macOS tool (osascript), bypassing user suspicion.
Persistence (T1547)
The malware may install itself and configure its persistence mechanisms in hidden or deceptive directories, such as /Users/Shared/NW, ensuring that it remains active on the system after initial execution.
Credential Dumping (T1003)
Cthulhu Stealer is designed to steal credentials, including Keychain passwords and cryptocurrency wallet information (such as MetaMask and Coinbase Wallet). It utilizes tools like Chainbreak to dump stored passwords from macOS’s Keychain.
Collection (T1119, T1083)
It collects sensitive information from various sources, including browser cookies, wallets (e.g., MetaMask, Coinbase), and game data (e.g., BattleNet, Telegram). The collected data is saved in text files, and a zip archive containing the stolen data is created.
Exfiltration (T1041)
Once the malware has successfully gathered the necessary data, it creates a zip archive and sends this information to its command-and-control (C2) server. This tactic involves exfiltrating stolen data from the infected system to the attacker’s server.
Command and Control (T1071)
Cthulhu Stealer communicates with its C2 server via HTTP or similar protocols, sending stolen data and receiving updates or commands. The malware sends alerts and log data to its operator, notifying them of successful infections.
Impact (T1486)
While the main function of Cthulhu Stealer is data exfiltration, the theft of credentials, personal information, and cryptocurrency can have significant financial and reputational consequences for victims.