For years there has been a general belief in the Zeitgeist that macOS systems are immune to malware. While MacOS has a reputation for being secure, macOS malware has been trending up in recent years with the emergence of Silver Sparrow, KeRanger, and Atomic Stealer, among others. Recently, Cado Security has identified a malware-as-a-service (MaaS) targeting macOS users named “Cthulhu Stealer”. This blog will explore the functionality of this malware and provide insight into how its operators carry out their activities.

Technical Analysis

File details:

Language: Go

Not Signed

Stripped

Multiarch: x86_64 and arm

Figure 1: Screenshot of disk image when mounted

Cthulhu Stealer is an Apple disk image (DMG) that is bundled with two binaries, depending on the architecture. The malware is written in GoLang and disguises itself as legitimate software. Once the user mounts the dmg, the user is prompted to open the software. After opening the file, osascript, the macOS command-line tool for running AppleScript and JavaScript is used to prompt the user for their password. 

Figure 2: Password Prompt 

Figure 3: Osascript prompting user for password

Once the user enters their password, a second prompt requests the user’s MetaMask password. A directory is created in ‘/Users/Shared/NW’ with the credentials stored in textfiles. Chainbreak is used to dump Keychain passwords and stores the details in Keychain.txt.

Figure 4: Password prompt for MetaMask

Figure 5: Directory /Users/Shared/NW with created files

A zip archive containing the stolen data is created in: /Users/Shared/NW/[CountryCode]Cthulhu_Mac_OS_[date]_[time].zip. Additionally, a notification is sent to the C2, to alert to new logs. The malware fingerprints the victim’s system, gathering information including IP, with IP details that are retrieved from ipinfo.io. System information including system name, OS version, hardware and software information are also gathered and stored in a text file, shown in Figure 7 and 8. 

Figure 6: Parsed IP Details 

Figure 7: Contents of ‘Userinfo.txt’

Figure 8: Part of the function saving system information to text file

Figure 9: Alert of Log that is sent to operators

Cthulhu Stealer impersonates disk images of legitimate software that include:

• CleanMyMac
• Grand Theft Auto IV (appears to be a typo for VI)
• Adobe GenP

The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts. Shown in Figure 10, there are multiple checker functions that check in the installation folders of targeted file stores, typically in “Library/Application Support/[file store]”. A directory is created in /Users/Shared/NW and the contents of the installation folder are dumped into text files for each store.

Figure 10: “Checker” functions being called in main function

Figure 11: Function BattleNetChecker

A list of stores Cthulhu Stealer steals from is shown in Table 1.

Table 1: List of stolen data

Comparison to Atomic Stealer

Atomic Stealer is an infostealer that targets macOS written in Go that was first identified in 2023. Atomic Stealer steals crypto wallets, browser credentials, and keychain. The stealer is sold on Telegram to affiliates for $1000 per month. The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating the developer of Cthulhu Stealer probably took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, even including the same spelling mistakes. 

Forum and Operators

The developers and affiliates of Cthulhu Stealer operate as “Cthulhu Team” using Telegram for communications. The stealer appears to be being rented out to individuals for $500/month, with the main developer paying out a percentage of earnings to affiliates based on their deployment. Each affiliate of the stealer is responsible for the deployment of the malware. Cado has found Cthulhu stealer sold on two well-known malware marketplaces which are used for communication, arbitration and advertising of the stealer, along with Telegram. The user “Cthulhu” (also known as Balaclavv), first started advertising Cthulhu in at the end of 2023 and appeared to be operating for the first few months of 2024. 

Various affiliates of the stealer started lodging complaints against Cthulhu in 2024 with regards to payments not being received. Users complained that Cthulhu had stolen money that was owed to them and accused him of being a scammer or participating in an exit scam. As a result, he received a permanent ban from the marketplace.

Figure 12: Screenshot of an arbitration an affiliate lodged against Cthulhu

Key Takeaways 

In conclusion, while macOS has long been considered a secure system, the existence of malware targeting Mac users remains an increasing security concern. Although Cthulhu Team is seemingly no longer active, this serves as a reminder that Apple users are not immune to cyber threats. It’s crucial to remain vigilant and exercise caution, particularly when installing software from unofficial sources.

To protect yourself from potential threats, always download software from trusted sources, such as the Apple App Store or the official websites of reputable developers. Enable macOS’s built-in security features such as Gatekeeper, which helps prevent the installation of unverified apps. Keep your system and applications up to date with the latest security patches. Additionally, consider using reputable antivirus software to provide an extra layer of protection.

By staying informed and taking proactive steps, you can significantly reduce the risk of falling victim to Mac malware and ensure your system remains secure.

Indicators of Compromise

MITRE ATTACK

Detection

Yara

Paths

/Users/Shared/NW