The article analyzes the macOS malware landscape, focusing on a new malware-as-a-service called “Cthulhu Stealer,” a Go-based infostealer that targets Mac users by masquerading as legitimate software and stealing credentials and cryptocurrency wallet data. It covers distribution as a DMG, the data the stealer collects, the attacker infrastructure, and protective recommendations for macOS users.
#CthulhuStealer #CadoSecurity #MetaMask #Keychain #Telegram #AtomicStealer
Key points
- New macOS infostealer as a service named “Cthulhu Stealer” identified by Cado Security.
- Distributed as a disk image (DMG) that prompts users to grant password access.
- Steals credentials from Keychain and web browsers, plus cryptocurrency wallets like MetaMask.
- Operates similarly to Atomic Stealer, suggesting code modification and reuse.
- Marketed via Telegram and malware marketplaces with affiliates and rental/royalty arrangements.
- Recommendations emphasize downloading from trusted sources and enabling macOS security features like Gatekeeper.
MITRE Techniques
- [T1204] User Execution – Users are tricked into executing malicious software.
- [T1059.002] Command and Scripting Interpreter: AppleScript – Utilizes osascript to execute scripts prompting for user credentials.
- [T1555] Credentials From Password Stores – Steals credentials from various password stores, including Keychain and web browsers.
- [T1555.001] Credentials From Password Stores: Keychain – Specifically targets the macOS Keychain for stored passwords.
- [T1555.003] Credentials From Password Stores: Credentials From Web Browsers – Extracts credentials stored in web browsers.
- [T1087] Account Discovery – Gathers information about user accounts on the system.
- [T1082] System Information Discovery – Collects system information including OS version and hardware details.
- [T1074] Data Staged – Prepares stolen data for exfiltration.
- [T1005] Data From Local System – Accesses and collects data from local files.
- [T1041] Exfiltration Over C2 Channel – Exfiltrates stolen data to a command and control server.
- [T1649] Financial Theft – Targets financial information, including cryptocurrency wallets.
Indicators of Compromise
- [Network] C2 server and endpoints – 89.208.103.185, 89.208.103.185:4000/autocheckbytes, 89.208.103.185:4000/notification_archive
- [SHA256] Malware payload hashes – Launch.dmg: 6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12, CleanMyMac.dmg: 96f80fef3323e5bc0ce067cd7a93b9739174e29f786b09357125550a033b0288
- [SHA256] Additional sample hashes – GTAIV_EarlyAccess_MACOS_Release.dmg: e3f1e91de8af95cd56ec95737669c3512f90cecbc6696579ae2be349e30327a7, AdobeGenP.dmg: f79b7cbc653696af0dbd867c0a5d47698bcfc05f63b665ad48018d2610b7e97b
- [Path] Affected installation directories – /Users/Shared/NW (and the dumped data stored beneath it)
- [Path] Example file paths observed – /Users/admin/Desktop/adwans/Builder/6987368329/generated_script.go
- [URL] Command and control reference – http://89.208.103.185:4000
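A small detection pass that turns the TTPs and indicators above into checks over endpoint telemetry, written as an added example here (not code from Cado Security or the article). It assumes a constructed JSON-lines event schema and, as an assumption not stated on the page, that the osascript credential prompt takes the usual `display dialog ... with hidden answer` form; the sample events are constructed.

```python
import json
# Indicators copied from the page's IoC list; the sample events below are constructed.
C2_HOST, C2_PORT = "89.208.103.185", 4000
STAGING_DIR = "/Users/Shared/NW"
KNOWN_SHA256 = {
    "6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12",  # Launch.dmg
    "96f80fef3323e5bc0ce067cd7a93b9739174e29f786b09357125550a033b0288",  # CleanMyMac.dmg
    "e3f1e91de8af95cd56ec95737669c3512f90cecbc6696579ae2be349e30327a7",  # GTAIV_EarlyAccess_MACOS_Release.dmg
    "f79b7cbc653696af0dbd867c0a5d47698bcfc05f63b665ad48018d2610b7e97b",  # AdobeGenP.dmg
}

def check_event(ev: dict) -> list:
    """Return indicator names matched by one event ({"type": process|file|network})."""
    hits = []
    if ev.get("type") == "process":
        argv = ev.get("argv", [])
        cmd = " ".join(argv)
        # Assumption (not from the page): the prompt is 'display dialog ... with hidden answer', which masks typed input.
        if argv and argv[0].endswith("osascript") and "display dialog" in cmd and "hidden answer" in cmd:
            hits.append("T1059.002 osascript credential prompt")
    elif ev.get("type") == "file":
        if ev.get("path", "").startswith(STAGING_DIR + "/"):
            hits.append("T1074 write under staging dir " + STAGING_DIR)
        if ev.get("sha256", "").lower() in KNOWN_SHA256:
            hits.append("known Cthulhu Stealer sample hash")
    elif ev.get("type") == "network":
        if ev.get("dst") == C2_HOST and ev.get("port") == C2_PORT:
            hits.append("T1041 connection to known C2 %s:%d" % (C2_HOST, C2_PORT))
    return hits

def scan(jsonl: str) -> dict:
    """Scan JSON-lines telemetry; return {line_no: [hits]} for matching lines only."""
    findings = {}
    for n, line in enumerate(jsonl.strip().splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the whole scan
        if hits := check_event(ev):
            findings[n] = hits
    return findings
# Constructed sample telemetry: line 1 is benign, lines 2 to 5 should each be flagged.
SAMPLE_JSONL = r'''
{"type":"process","argv":["/usr/bin/osascript","-e","tell application \"Finder\" to activate"]}
{"type":"file","path":"/Users/alice/Downloads/CleanMyMac.dmg","sha256":"96f80fef3323e5bc0ce067cd7a93b9739174e29f786b09357125550a033b0288"}
{"type":"process","argv":["/usr/bin/osascript","-e","display dialog \"Enter your password\" default answer \"\" with hidden answer"]}
{"type":"file","path":"/Users/Shared/NW/Keychain/login.keychain-db"}
{"type":"network","dst":"89.208.103.185","port":4000,"path":"/autocheckbytes"}
'''
```

Run `scan(SAMPLE_JSONL)` to get the flagged line numbers with their matched indicators; a benign `osascript` call and paths that merely share the `NW` prefix produce no hit.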
Read more: https://www.cadosecurity.com/blog/from-the-depths-analyzing-the-cthulhu-stealer-malware-for-macos