The malware called Cthulhu is a recent threat that affects macOS users and has a peculiarity, which you may have guessed from the title of the post: it is specifically designed to steal cryptocurrencies.
This malware targets cryptocurrency wallets stored on affected systems and is able to extract sensitive information, such as private keys and credentials, which can then be used to empty the victims' wallets.
So if you want to know a little more about Cthulhu, what it does, how it is built and, above all, how you can fight it, we advise you to keep reading this post, where we will give you all the details. Let's begin!
Features of Cthulhu malware

Unlike many other types of malware, which typically target Windows or Android systems, Cthulhu has been designed specifically for macOS users, a platform traditionally considered more secure and less prone to malware infections.
And as we have pointed out on other occasions, the fact that macOS has fewer users does not make it invulnerable, and gaining market share has its downsides, such as attracting the interest of attackers.
Cthulhu's Goal
In order to steal your cryptocurrencies, the malware looks for wallets stored locally on the infected device.
Once it finds them, Cthulhu extracts private keys and other critical information that allows attackers to transfer the funds to their own accounts, and since cryptocurrencies are beyond any central control and offer little or no traceability… the theft would be covered up.
How this malware is distributed
The exact distribution method of Cthulhu is not entirely clear, but like many other types of malware it could be distributed via malicious email attachments, pirated or fake software downloads, compromised websites, or by exploiting vulnerabilities in operating system software.
Specifically, it is rumored that it was being distributed as “cracks” for popular games like Diablo, World of Warcraft or Minecraft, hidden in certain mods for these games, and also in “Jack Sparrow” versions of CleanMyMacX.
But the antivirus will be able to detect Cthulhu, right?
Let's be honest: this malware has an easy time spreading because of the relatively low adoption of security software on macOS. But we assume that you are a regular SoydeMac reader and that you have followed the security tips we give you, right?
But even a decent antivirus has a hard time detecting this malware, since Cthulhu appears to have advanced evasion capabilities to avoid detection by antivirus and security software on macOS, including techniques such as encrypting its code, using obfuscation mechanisms, or leveraging legitimate permissions to avoid raising suspicion.
Let's get geeky: How did they give birth to Cthulhu?
It's all well and good that you now know what this malware is about, but here we're going to give you a few more clues about how it is designed, so that you know what to expect when you see this Lovecraftian beast looming over your Mac.
The Cthulhu Programming Language: A Software Chimera
Without having the source code in front of us, we believe Cthulhu is most likely written in Objective-C or Swift, the most widely used programming languages for developing macOS applications, which would allow it to integrate deeply with the operating system and evade native malware detection techniques.
It could also use parts written in C or C++ for sections that need to run closer to the system, such as memory management or manipulation of system files, since these are the languages those services are built on.
Understanding malware: a virus is made of small modules
The malware could be divided into several modules, each performing a specific function:
Initial infection module
This module is responsible for getting the malicious code to execute on the victim's system. It could exploit vulnerabilities in third-party applications or trick the user into running a seemingly benign file (for example, a PDF or a pirated game installer) to get onto the system.
Persistence module
Once the malware is executed, this module ensures that it remains on the system even after a reboot. To achieve persistence, Cthulhu may modify system configuration files.
This could involve installing startup items in the macOS startup directories (/Library/LaunchDaemons or /Library/LaunchAgents) or using process injection techniques to run inside legitimate system processes.
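Those two launchd directories are where a defender should look first. The following auditor is an added example written for this post (not code from Cthulhu or from any security product): it parses LaunchAgent/LaunchDaemon plists and flags items that auto-start a binary from a temp, shared or hidden directory, or that borrow a `com.apple.` label for a non-Apple program. The trusted-path lists are assumptions about normal layout, and the two sample plists are constructed, not real artifacts.

```python
import glob
import plistlib
import re

# Heuristics for a LaunchAgent/LaunchDaemon that deserves a second look. These
# describe typical benign layout (an assumption), they are not Cthulhu signatures.
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
TRUSTED = ("/System/", "/usr/", "/Applications/", "/Library/Apple/", "/opt/")
APPLE_ONLY = ("/System/", "/usr/", "/Library/Apple/")
HIDDEN_SEGMENT = re.compile(r"/\.[^/]+/")  # a dot-prefixed directory in the path

def audit_launch_item(plist_bytes):
    """Return findings for one launchd property list (empty list = nothing odd)."""
    item = plistlib.loads(plist_bytes)
    args = item.get("ProgramArguments") or []
    program = item.get("Program") or (args[0] if args else "")
    if not program:
        return ["no Program/ProgramArguments: cannot tell what runs"]
    findings = []
    if program.startswith(TEMP_DIRS):
        findings.append("program lives in a temp/shared directory: " + program)
    if HIDDEN_SEGMENT.search(program):
        findings.append("program hidden under a dot-directory: " + program)
    if item.get("RunAtLoad") and item.get("KeepAlive") and not program.startswith(TRUSTED):
        findings.append("auto-start + KeepAlive for a binary outside trusted locations")
    label = item.get("Label", "")
    if label.startswith("com.apple.") and not program.startswith(APPLE_ONLY):
        findings.append("Apple-looking label for a non-Apple binary: " + label)
    return findings

def audit_directory(directory):
    """Audit every .plist in a real startup directory, e.g. /Library/LaunchAgents."""
    report = {}
    for path in glob.glob(directory.rstrip("/") + "/*.plist"):
        with open(path, "rb") as fh:
            report[path] = audit_launch_item(fh.read())
    return report

# Constructed samples (not real artifacts): a benign vendor updater and an item
# imitating the persistence pattern the post describes.
BENIGN_PLIST = b"""<plist version="1.0"><dict><key>Label</key><string>com.vendor.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Vendor.app/Contents/MacOS/updater</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SUSPECT_PLIST = b"""<plist version="1.0"><dict><key>Label</key><string>com.apple.cloudsync</string>
<key>ProgramArguments</key><array><string>/Users/Shared/.cache/.sync</string><string>--daemon</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""
if __name__ == "__main__":
    for name, data in (("benign", BENIGN_PLIST), ("suspect", SUSPECT_PLIST)):
        print(name, audit_launch_item(data) or ["clean"])
```

Run `audit_directory("/Library/LaunchAgents")` (and the LaunchDaemons and `~/Library/LaunchAgents` folders) to apply the same checks to a real Mac; a finding is a prompt to inspect the binary, not proof of infection.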
Evasion module
To avoid detection, Cthulhu could use several evasion techniques, such as:
- Encryption and obfuscation: Encrypting parts of the code so that antivirus engines do not recognize them. The code may also be obfuscated so that it is difficult for analysts to read and understand.
- Security disablement: Attempting to disable system security features such as Gatekeeper or XProtect, which are native macOS protections.
- Security activity monitoring: Detecting the execution of security tools and temporarily suspending its malicious activity to avoid detection.
Information gathering module: the key to stealing cryptocurrencies
Thanks to this module, the virus scans the system for the files of known cryptocurrency wallets (for example, the configuration files of applications such as Electrum, Exodus or similar).
Once it detects them, it accesses the wallet files and extracts the private keys and recovery seeds, which are then sent to a command and control (C2) server operated by the attackers.
This phase is also likely to include macOS clipboard monitoring: Cthulhu could watch the clipboard for cryptocurrency addresses copied by the user and, upon detecting a wallet address, replace it with the attacker's address, redirecting transfers to the attacker's account, and then we would have a “big mess”.
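The clipboard swap described above leaves a visible trace: the clipboard holds one address, and a moment later, with no user action, it holds a different address of the same kind. The detector below is an added example written for this post (not Cthulhu code or any product's logic) that polls the clipboard and flags exactly that pattern. The address patterns are loose shape checks (an assumption, not checksum validation), `pbpaste` is the stock macOS tool used for live polling, and the sample trace and its addresses are constructed placeholders.

```python
import re
import subprocess
import time

# Loose shape checks for two common address families (a heuristic assumption,
# not a validator: no checksum verification is done).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return 'btc', 'eth' or None for one clipboard snapshot."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def detect_swaps(snapshots, window=3.0):
    """snapshots: list of (timestamp, clipboard_text). Flag a copied address replaced
    by a *different* address of the same kind within `window` seconds (clipper pattern)."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = address_kind(before)
        if kind and kind == address_kind(after) and before.strip() != after.strip() and t1 - t0 <= window:
            alerts.append({"time": t1, "kind": kind, "expected": before.strip(), "found": after.strip()})
    return alerts

def watch(seconds=30, interval=0.5):
    """Poll the real macOS clipboard via pbpaste and return any swaps seen in `seconds`."""
    snapshots, end = [], time.time() + seconds
    while time.time() < end:
        text = subprocess.run(["pbpaste"], capture_output=True, text=True).stdout
        snapshots.append((time.time(), text))
        time.sleep(interval)
    return detect_swaps(snapshots)

# Constructed polling trace (addresses are made-up placeholders, not real wallets):
# the user copies one ETH address and 0.4 s later the clipboard holds another.
SAMPLE_TRACE = [
    (0.0, "meeting notes"),
    (0.5, "0x1111111111111111111111111111111111111111"),
    (0.9, "0x2222222222222222222222222222222222222222"),   # silently swapped: alert
    (40.0, "0x3333333333333333333333333333333333333333"),  # new copy 39 s later: benign
    (41.0, "bc1qexampleplaceholderaddress0000000000000"),  # different kind: benign
]
```

`detect_swaps(SAMPLE_TRACE)` returns a single alert for the 0.5 s to 0.9 s swap; `watch()` applies the same logic to the live clipboard, and a swap alert is the moment to stop and compare the address in the transfer dialog with the one you meant to paste.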
C2 Server Communication Module
Through secure protocols such as HTTPS or WebSocket, the virus could communicate with the command and control server, sending stolen data and receiving new instructions, combined with techniques that make it harder to track, such as proxy servers, traffic encryption, and frequent changes of the C2 servers' domains.
Cthulhu makes one thing clear: it is necessary to protect oneself

While in the end we are talking about yet another virus in the world of cybersecurity, it is a clear wake-up call for all macOS users: friends, it's time to install an antivirus.
Protecting our computers is our responsibility and no system is invulnerable: even the most outdated and obscure operating system has some malware “running around” that can compromise the security of your computer and the integrity of your data.
Now it is up to you to be protected… or vulnerable. What kind of user do you want to be? My mind is made up.
