
Cuckoo Stealer

Cybersecurity researchers have unearthed a new threat targeting Apple macOS systems, designed to establish persistent access on compromised hosts and operate as spyware. Named Cuckoo, this malware is a universal Mach-O binary capable of running on both Intel and Arm-based Macs.

The specific method of distribution remains uncertain. However, there are signs that the binary is hosted on multiple websites purporting to provide free and paid applications for ripping music from streaming services and converting it to MP3 format.

The Cuckoo Stealer Establishes Persistence on the Infected Mac

The disk image file obtained from these websites initiates a bash shell to collect host details. It ensures the compromised machine is not located in Armenia, Belarus, Kazakhstan, Russia or Ukraine. The fraudulent binary runs only if the locale check succeeds.

Furthermore, it establishes persistence using a LaunchAgent, a method previously utilized by various malware families such as RustBucket, XLoader, JaskaGO, and a macOS backdoor that shares similarities with ZuRu.
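For defenders, LaunchAgent persistence can be triaged by parsing each agent's property list and checking what it starts and when. The following is an added example, not code from the researchers or from Cuckoo itself; the heuristics, labels and sample plists are constructed assumptions for illustration and are not published Cuckoo indicators.

```python
import plistlib
from pathlib import PurePosixPath

# Triage heuristics assumed for this example (not Cuckoo-specific indicators).
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/private/var/tmp/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3"}

def audit_launch_agent(plist_bytes):
    """Return the reasons a LaunchAgent plist deserves a closer look."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["unparseable plist"]
    args = job.get("ProgramArguments") or []
    program = str(job.get("Program") or (args[0] if args else ""))
    if not program:
        return ["no Program or ProgramArguments"]
    path = PurePosixPath(program)
    reasons = []
    # RunAtLoad / KeepAlive make launchd start (and restart) the job at login.
    autostart = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    if autostart and program.startswith(USER_WRITABLE):
        reasons.append("auto-starts a binary from a user-writable path")
    if any(part.startswith(".") for part in path.parts):
        reasons.append("binary sits under a hidden directory or file name")
    if path.name in INTERPRETERS and {"-c", "-e"} & set(args[1:]):
        reasons.append("runs an inline script through an interpreter")
    return reasons

def scan(samples):
    """Map each flagged sample name to its list of reasons."""
    results = {name: audit_launch_agent(data) for name, data in samples.items()}
    return {name: why for name, why in results.items() if why}

# Constructed sample plists; labels and paths are made up for the example.
SAMPLES = {
    "benign": plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]}),
    "hidden": plistlib.dumps({"Label": "com.example.helper", "RunAtLoad": True,
        "KeepAlive": True, "ProgramArguments": ["/Users/alice/.agentd/helper"]}),
    "inline": plistlib.dumps({"Label": "com.example.sync", "StartInterval": 300,
        "ProgramArguments": ["/bin/sh", "-c", "echo constructed-sample"]}),
}

if __name__ == "__main__":
    for name, why in scan(SAMPLES).items():
        print(name, "->", "; ".join(why))
```

On a Mac, the same function can be fed the bytes of each file in `~/Library/LaunchAgents` and `/Library/LaunchAgents`; hits are triage leads, since some legitimate software also runs from user-writable paths.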

Similar to the MacStealer macOS malware, Cuckoo employs osascript to present a fake password prompt, deceiving users into entering their system passwords for privilege escalation. This malware also scans for specific files linked to particular applications in an effort to gather extensive system information.

The Cuckoo Stealer Compromises Sensitive Information from Breached Devices

The Cuckoo Malware is designed to execute a sequence of commands aimed at extracting hardware details, capturing active processes, querying installed applications, taking screenshots, and harvesting data from various sources, including iCloud Keychain, Apple Notes, Web browsers, crypto wallets, and specific applications like Discord, FileZilla, Steam and Telegram.

Each threatening application includes an embedded application bundle within its resource directory. Most of these bundles, with the exception of those from, are signed and carry a valid Developer ID attributed to Yian Technology Shenzhen Co., Ltd (VRBJ4VRP). Notably, hosted an Android recovery tool along with other offerings, and its additional application bundle features a developer ID from FoneDog Technology Limited (CUAU2GTG98).

Mac Devices Have Become a Frequent Target of Malware Attacks

Cybercriminals have been deploying malware tools aimed at Mac devices, with one prominent example being the AdLoad malware family. Recently, information security researchers have raised alarms about a new variant of this notorious malware called Rload (also known as Lador), written in the Go programming language. Rload is designed to bypass Apple's XProtect malware signature list and is compiled specifically for Intel x86_64 architecture.

These binaries act as initial droppers for subsequent payload stages. Currently, the exact distribution methods remain unclear. However, these droppers are typically found embedded in cracked or trojanized applications distributed through malicious websites.

AdLoad, an adware campaign affecting macOS since at least 2017, is notorious for hijacking search engine results and injecting advertisements into Web pages. This is accomplished through a man-in-the-middle web proxy setup, redirecting user web traffic through the attacker's infrastructure for financial gain.

