Cuckoo Stealer Takes Aim at Mac Systems


Security researchers have identified a new information stealer targeting Apple macOS, built to persist on infected machines and operate as spyware. Named Cuckoo by Kandji, the malware is a universal Mach-O binary, so the same file runs natively on both Intel- and Arm-based Macs.

The exact distribution method is still unclear, but the evidence points to the binary being hosted on websites such as dumpmedia[.]com, tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, which advertise various applications for ripping music from streaming services to MP3.

When the disk image downloaded from these sites is opened, a bash shell script runs to collect host information and to confirm that the machine is not located in Armenia, Belarus, Kazakhstan, Russia, or Ukraine; the malicious binary executes only if that check passes.

Cuckoo Stealer Mode of Operation

The malware establishes persistence through a LaunchAgent, a technique previously used by other macOS malware families such as RustBucket, XLoader, JaskaGO, and a macOS backdoor that shares characteristics with ZuRu. A LaunchAgent is a property list placed in ~/Library/LaunchAgents (or /Library/LaunchAgents) that launchd loads at user login, so the entry survives reboots, and the per-user directory needs no administrator rights to write to, which is why stealers favour it.
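One way to triage that persistence location, as an added example (this is not Kandji's code, nor anything recovered from the malware): the script below parses LaunchAgent plists with Python's standard plistlib and flags entries whose executable or script lives in a hidden or scratch directory, is wrapped in a shell interpreter, or is set to start at login and be respawned if killed. The two sample agents, the label names, and the path /Users/alice/.config/.x/updater are constructed for illustration; on a real Mac you would point scan_launch_agents() at ~/Library/LaunchAgents and /Library/LaunchAgents.

```python
"""Triage per-user LaunchAgent plists for persistence entries worth a second look.

Added example, not code from Kandji or from the malware. The plist contents
below are constructed for illustration; on a real Mac, scan
~/Library/LaunchAgents and /Library/LaunchAgents, which launchd loads at login.
"""
import os
import plistlib
import tempfile

# Locations a legitimate LaunchAgent executable is expected to live under.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/Library/Apple/",
                    "/bin/", "/usr/bin/", "/usr/libexec/", "/usr/sbin/")
# Scratch directories a dropper can write to without any privileges.
SCRATCH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
# Interpreters that stealers commonly wrap around a dropped script or binary.
INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python3", "perl"}


def program_of(agent):
    """Executable a launchd job runs: Program wins, else ProgramArguments[0]."""
    if agent.get("Program"):
        return agent["Program"]
    args = agent.get("ProgramArguments") or []
    return args[0] if args else ""


def assess_agent(agent):
    """Return the list of reasons an agent looks suspicious (empty = nothing flagged)."""
    reasons = []
    prog = program_of(agent)
    if not prog:
        return ["no Program or ProgramArguments"]
    args = agent.get("ProgramArguments") or []
    # Check the executable and any absolute path handed to it (e.g. bash -c /path).
    candidates = [prog] + [a for a in args[1:] if a.startswith("/")]
    for path in candidates:
        if any(part.startswith(".") for part in path.split("/")[1:]):
            reasons.append(f"hidden directory in path: {path}")
        if path.startswith(SCRATCH_PREFIXES):
            reasons.append(f"runs from scratch directory: {path}")
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append(f"outside trusted locations: {path}")
    if os.path.basename(prog) in INTERPRETERS and len(args) > 1:
        reasons.append(f"interpreter {os.path.basename(prog)} wraps: {args[-1]}")
    # KeepAlive may be a bool or a dict of conditions; any non-empty value counts.
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: starts at login and is respawned if killed")
    return reasons


def scan_launch_agents(directory):
    """Map plist filename -> reasons for every flagged agent in the directory."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                agent = plistlib.load(fh)
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            findings[name] = [f"unparseable plist: {exc}"]
            continue
        reasons = assess_agent(agent)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed samples: one benign vendor helper, one shaped like a stealer's entry.
SAMPLE_AGENTS = {
    "com.example.helper.plist": {
        "Label": "com.example.helper",
        "Program": "/Applications/Example.app/Contents/MacOS/helper",
        "RunAtLoad": True,
    },
    "com.user.loginhelper.plist": {
        "Label": "com.user.loginhelper",
        "ProgramArguments": ["/bin/bash", "-c", "/Users/alice/.config/.x/updater"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}


def demo():
    """Write the samples to a temp directory, scan it, and return the findings dict."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, agent in SAMPLE_AGENTS.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                plistlib.dump(agent, fh)
        return scan_launch_agents(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The heuristics are deliberately loose: a vendor updater in ~/Library/Application Support will also land outside the trusted prefixes, so treat the output as a review queue, and check the flagged binary's code signature and the label against the installed app before removing anything.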

Like the MacStealer macOS malware, Cuckoo uses osascript to display a fake password prompt that tricks the user into typing their system password, which the malware can then use to escalate its privileges. Because the dialog is drawn by a script rather than by the system's own authentication service, it can be styled to look like a genuine macOS prompt, but it has no authority of its own: it simply harvests whatever the user enters.
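A scripted prompt of this kind is normally built with AppleScript's display dialog ... with hidden answer, the standard way to get a masked text field, so that phrase in an osascript command line is a useful hunting signal. The example below is added here and is not code from Kandji, from MacStealer, or from Cuckoo: it scores constructed process records (pid, parent pid, parent executable path, command line) on whether osascript is showing a masked dialog, whether the dialog text asks for credentials, and whether the parent process runs from a mounted disk image, a scratch directory, or a hidden path. The records, paths, and dialog wording are constructed for illustration.

```python
"""Flag osascript invocations that look like fake credential prompts.

Added example, not code from Kandji or from the malware. Process records are
constructed here as 'pid|ppid|parent_path|cmdline' lines, standing in for
the process events an EDR or unified-log query would give you.
"""
import os
import shlex

# Words a spoofed system prompt uses to coax the user into typing a password.
PROMPT_WORDS = ("password", "passcode", "credentials", "keychain")
# Parent locations no legitimate admin tool should be running from.
UNTRUSTED_PARENT_PREFIXES = ("/Volumes/", "/tmp/", "/private/tmp/", "/var/tmp/")


def parse_event(line):
    """Parse one constructed 'pid|ppid|parent_path|cmdline' record."""
    pid, ppid, parent, cmdline = line.split("|", 3)
    return {"pid": int(pid), "ppid": int(ppid), "parent": parent, "cmdline": cmdline}


def assess_event(event):
    """Return reasons this process looks like a fake password prompt (empty = none)."""
    reasons = []
    try:
        argv = shlex.split(event["cmdline"])
    except ValueError:  # unbalanced quotes: fall back to a plain split
        argv = event["cmdline"].split()
    if not argv or os.path.basename(argv[0]) != "osascript":
        return reasons
    script = " ".join(argv[1:]).lower()
    if "display dialog" in script and "hidden answer" in script:
        reasons.append("osascript dialog with a masked text field (hidden answer)")
        if any(word in script for word in PROMPT_WORDS):
            reasons.append("dialog text asks for credentials")
    parent = event["parent"]
    if parent.startswith(UNTRUSTED_PARENT_PREFIXES) or "/." in parent:
        reasons.append(f"spawned from untrusted parent: {parent}")
    return reasons


def scan_events(lines):
    """Map pid -> reasons for every flagged record."""
    hits = {}
    for line in lines:
        event = parse_event(line)
        reasons = assess_event(event)
        if reasons:
            hits[event["pid"]] = reasons
    return hits


# Constructed records: a prompt launched from a binary inside a mounted DMG,
# a harmless dialog from Script Editor, a notification, and a non-osascript child.
SAMPLE_EVENTS = [
    "4101|4099|/Volumes/Installer/.helper|osascript -e 'display dialog "
    "\"macOS needs to access System Settings. Please enter your password.\" "
    "default answer \"\" with hidden answer with title \"System Preferences\" with icon caution'",
    "2201|1|/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor|"
    "osascript -e 'display dialog \"Build finished\" buttons {\"OK\"}'",
    "3300|3298|/Applications/Example.app/Contents/MacOS/Example|"
    "osascript -e 'display notification \"Sync complete\" with title \"Example\"'",
    "3401|3400|/bin/bash|/usr/bin/curl -s https://example.invalid/check",
]


if __name__ == "__main__":
    for pid, reasons in scan_events(SAMPLE_EVENTS).items():
        print(f"pid {pid}:")
        for reason in reasons:
            print("  -", reason)
```

Treat a hit with all three reasons as worth immediate attention and a lone hidden-answer dialog as a triage item: legitimate admin scripts use the same AppleScript construct, so the parent process and the dialog wording are what separate a spoof from a helper.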

According to the researchers, the malware looks for files belonging to specific applications in order to gather as much system and user data as possible. It runs a series of commands to extract hardware details, list running processes, query installed applications, take screenshots, and harvest data from iCloud Keychain, Apple Notes, web browsers, cryptocurrency wallets, and apps such as Discord, FileZilla, Steam, and Telegram.

The disclosure follows the recent exposure, by an Apple device management company, of another stealer called CloudChat, which poses as a privacy-focused messaging app and targets macOS users located outside China.

CloudChat works by stealing cryptocurrency private keys from the clipboard and data from wallet extensions installed in Google Chrome.

In addition, a new Go-based variant of the well-known AdLoad malware, named Rload (or Lador), has been discovered. It is built to evade Apple's XProtect signature list and is compiled only for the Intel x86_64 architecture, so it will not run natively on Arm-based Macs.
