Researchers have found a new malware that steals information from Apple macOS systems and aims to stay undetected on compromised hosts.

Kandji gave the malware the nickname "Cuckoo." It is a universal Mach-O binary, so it runs on both Intel and Arm-based Macs.

Some websites like dumpmedia.com, tunesolo.com, fonedog.com, tunesfun.com, and tunefab.com host the binary, which claims to provide free and paid tools for ripping music from streaming services and converting it into MP3. However, the exact distribution method is currently unknown.

The disk image file downloaded from those websites collects host information and checks that the compromised machine is not located in Armenia, Belarus, Kazakhstan, Russia, or Ukraine. The malicious binary runs only if that locale check succeeds.

Moreover, it establishes persistence through a LaunchAgent—a technique previously employed by various malware families, including XLoader, RustBucket, JavaGO, and macOS backdoors that overlap with ZuRu.

Like the MacStealer macOS stealer malware, Cuckoo uses osascript to trick users into entering their system passwords, which it uses for privilege escalation.
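The LaunchAgent persistence and the osascript password prompt described above are both visible in the agent plists under ~/Library/LaunchAgents. The following triage script is an added example, not Kandji's code: it parses constructed sample plists (the /Users/victim paths and com.example labels are placeholders, not indicators reported for Cuckoo) and flags agents whose executable lives outside locations assumed here to be trusted, or whose arguments invoke osascript, noting when RunAtLoad makes them start at every login.

```python
from __future__ import annotations
import plistlib
from pathlib import PurePosixPath

# Heuristic (assumption): executables under these prefixes are not flagged.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")

# Constructed sample plists standing in for ~/Library/LaunchAgents/*.plist;
# the /Users/victim paths are placeholders, not paths reported for Cuckoo.
SAMPLE_PLISTS = {
    "com.example.benign.plist": b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.benign</string>
<key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
<key>RunAtLoad</key><true/></dict></plist>""",
    "com.example.updater.plist": b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Users/victim/Library/Application Support/ExampleApp/updater</string></array>
<key>RunAtLoad</key><true/></dict></plist>""",
    "com.example.prompt.plist": b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.prompt</string>
<key>ProgramArguments</key><array><string>/usr/bin/osascript</string><string>/Users/victim/Library/.p/prompt.scpt</string></array>
</dict></plist>""",
}

def program_path(agent: dict) -> str | None:
    """Executable launched by the agent: ProgramArguments[0] or Program."""
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    prog = agent.get("Program")
    return str(prog) if prog else None

def triage_agent(name: str, data: bytes) -> list[str]:
    """Return findings for one plist; an empty list means nothing flagged."""
    agent = plistlib.loads(data)
    path = program_path(agent)
    if path is None:
        return [f"{name}: no Program or ProgramArguments"]
    findings = []
    if not path.startswith(TRUSTED_PREFIXES):
        findings.append(f"{name}: program outside trusted locations: {path}")
    args = [str(a) for a in agent.get("ProgramArguments", [])]
    if any(PurePosixPath(a).name == "osascript" for a in args):
        findings.append(f"{name}: runs osascript, the tool used for the password prompt")
    if findings and agent.get("RunAtLoad"):
        findings.append(f"{name}: RunAtLoad set, so it starts at every login")
    return findings

def triage_all(plists: dict[str, bytes]) -> dict[str, list[str]]:
    # Map each flagged plist name to its findings; clean agents are omitted.
    return {n: f for n, d in plists.items() if (f := triage_agent(n, d))}
```

On a real host, replace SAMPLE_PLISTS with the bytes of each file in ~/Library/LaunchAgents; note that a trusted program path such as /usr/bin/osascript is exactly why the argument check is separate from the path check.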

According to researchers Adam Kohler and Christopher Lopez, the malware targets files associated with particular applications in order to extract as much data as possible from the system.

Not only can it take screenshots and collect data from iCloud Keychain, Apple Notes, web browsers, cryptocurrency wallets, and apps such as Discord, FileZilla, Steam, and Telegram, but it can also execute a variety of commands to extract hardware information and capture currently running processes.