From the Depths: Analyzing the Cthulhu Stealer Malware for macOS

Aug. 23, 2024, 10 a.m.

Description

This report analyzes Cthulhu Stealer, a malware-as-a-service targeting macOS users to steal credentials and cryptocurrency wallets. It explores the malware's functionality, including prompting users for passwords, dumping keychain data, and exfiltrating stolen information. The analysis compares Cthulhu Stealer to Atomic Stealer, another macOS malware with similar capabilities, and provides insights into the malware's operators and distribution methods via underground forums.

Date

  • Created: Aug. 23, 2024, 9:17 a.m.
  • Published: Aug. 23, 2024, 9:17 a.m.
  • Modified: Aug. 23, 2024, 10 a.m.

Indicators


Attack Patterns

  • Cthulhu Stealer
  • Atomic Stealer
  • Cthulhu Team