Cthulhu is a macOS information stealer that masquerades as legitimate software to trick users into installing it. Once executed, it collects sensitive information, including system data, browser credentials, cryptocurrency wallets, and game account details. Cthulhu has also been reported targeting enterprise environments for cyber espionage.
Symptoms
You might observe the following artifacts associated with this threat:
- Unexpected prompts requesting system passwords.
- Requests for crypto wallet passwords.
- Creation of a directory at containing text files with stolen data.
Technical Breakdown
Cthulhu is typically distributed as an Apple disk image (DMG). The malware is written in Go and masquerades as legitimate software, such as:
- CleanMyMac
- Grand Theft Auto IV (appears to be a typo for VI)
- Adobe GenP
Once running, the malware creates a directory and writes the collected credentials into it as text files. It then uses the open-source tool Chainbreaker to dump Keychain data, packages the stolen data into an archive, and sends that archive to its command-and-control (C2) server.
Some of Cthulhu's capabilities include:
- Stealing browser cookies.
- Exfiltrating cryptocurrency wallets.
- Accessing Telegram account information.
- Collecting game account details, such as Minecraft and Battle.net data.
- Dumping Keychain passwords.
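The behavior chain described above (lookalike app launched from a mounted disk image, several text files staged in one directory, a Keychain database opened, an archive created and then an outbound connection) is something a detection engineer can turn into a behavioral rule over endpoint telemetry. The following is an added example for this page; it is neither Kandji EDR's detection logic nor the malware's code. The event schema, process IDs, every path, the "/Users/Shared/example-staging" directory, the 203.0.113.10 destination and the thresholds are all constructed for the illustration and are not indicators reported by the page.

```python
"""Behavioral triage for a Cthulhu-style stealer chain over constructed
endpoint telemetry. Added example; not Kandji EDR's logic or the malware's
code. Event schema, pids, paths and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# App names the page reports Cthulhu masquerading as.
IMPERSONATED_APPS = {"CleanMyMac", "Grand Theft Auto IV", "Adobe GenP"}
ARCHIVE_SUFFIXES = (".zip", ".tar", ".tgz", ".tar.gz")
KEYCHAIN_MARKER = "/Library/Keychains/"  # where login.keychain-db lives
MIN_STAGED_TXT = 3  # assumed threshold: several credential dumps in one dir


@dataclass(frozen=True)
class Event:
    ts: int      # seconds since boot (constructed)
    pid: int
    kind: str    # "exec" | "file_create" | "file_open" | "connect"
    detail: str  # exec/file_*: a path; connect: "host:port"


def app_name_from_bundle(path):
    """Extract 'Foo' from '/Volumes/X/Foo.app/Contents/MacOS/Foo', else None."""
    for part in path.split("/"):
        if part.endswith(".app"):
            return part[:-len(".app")]
    return None


def assess_process(events):
    """Return a list of findings for the events of one process (one pid)."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    exe = next((e.detail for e in events if e.kind == "exec"), None)
    if exe is None:
        return findings
    name = app_name_from_bundle(exe)
    # 1. Launched from a mounted disk image under a lookalike name (DMG delivery).
    if exe.startswith("/Volumes/") and name in IMPERSONATED_APPS:
        findings.append(f"launched from mounted disk image as '{name}'")
    # 2. Several .txt files written into one directory (staging of stolen data).
    txt_by_dir = defaultdict(list)
    for e in events:
        if e.kind == "file_create" and e.detail.endswith(".txt"):
            txt_by_dir[e.detail.rsplit("/", 1)[0]].append(e.detail)
    for directory, files in txt_by_dir.items():
        if len(files) >= MIN_STAGED_TXT:
            findings.append(f"{len(files)} text files staged in {directory}")
    # 3. A Keychain database opened by the same process (Keychain dump).
    if any(e.kind == "file_open" and KEYCHAIN_MARKER in e.detail for e in events):
        findings.append("opened a keychain database")
    # 4. Archive created, then an outbound connection (archive, then send to C2).
    archive_ts = [e.ts for e in events
                  if e.kind == "file_create" and e.detail.endswith(ARCHIVE_SUFFIXES)]
    for e in events:
        if e.kind == "connect" and archive_ts and e.ts >= min(archive_ts):
            findings.append(f"outbound connection to {e.detail} after creating an archive")
            break
    return findings


def triage(events):
    """Group telemetry by pid; return {pid: findings} for pids with >= 2 findings."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    return {pid: f for pid, evs in by_pid.items()
            if len(f := assess_process(evs)) >= 2}


# Constructed telemetry: pid 4242 follows the chain the page describes;
# pid 4300 is a benign editor writing a single text file.
SAMPLE_EVENTS = [
    Event(100, 4242, "exec", "/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac"),
    Event(103, 4242, "file_create", "/Users/Shared/example-staging/system.txt"),
    Event(104, 4242, "file_create", "/Users/Shared/example-staging/cookies.txt"),
    Event(105, 4242, "file_create", "/Users/Shared/example-staging/wallets.txt"),
    Event(106, 4242, "file_open", "/Users/alice/Library/Keychains/login.keychain-db"),
    Event(110, 4242, "file_create", "/Users/Shared/example-staging/out.zip"),
    Event(112, 4242, "connect", "203.0.113.10:443"),
    Event(200, 4300, "exec", "/Applications/TextEdit.app/Contents/MacOS/TextEdit"),
    Event(201, 4300, "file_create", "/Users/alice/notes.txt"),
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, *findings, sep="\n  ")
```

Requiring two independent findings per process keeps a single text file or a lone archive from firing the rule; the ordering check in finding 4 matters because a connection that precedes the archive is not the exfiltration step the page describes.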
Next Steps
Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.
Removing the malicious file does not remove the artifacts it created, such as the directory of text files holding collected data; these need to be cleaned up manually. Because the stealer harvests Keychain, browser, and wallet credentials, affected users should also change those passwords.
Avoid downloading and installing software from torrents or untrusted websites. Obtain applications only from official, reputable sources to maintain system integrity and security.