Cuckoo Stealer Takes Aim at Mac Systems
Security researchers have discovered a new information stealer targeting Apple macOS, designed to establish persistence on infected hosts and act as spyware. Named Cuckoo by Kandji, the malware is a universal Mach-O binary that runs on both Intel- and Arm-based Macs.
The precise method of distribution remains unclear, though evidence suggests the binary is hosted on websites like dumpmedia[.]com, tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, which claim to offer various versions of applications for ripping music from streaming services to MP3.
Once the disk image file has been downloaded from one of these sites, a bash shell is spawned to gather host information and confirm that the compromised machine is not located in Armenia, Belarus, Kazakhstan, Russia, or Ukraine; the malicious binary executes only if this check passes.
Cuckoo Stealer Mode of Operation
The malware establishes persistence through a LaunchAgent, a method previously used by other malware families like RustBucket, XLoader, JaskaGO, and a macOS backdoor similar to ZuRu.
Similar to the MacStealer macOS malware, Cuckoo also uses osascript to present a fake password prompt, tricking users into entering their system passwords for privilege escalation.
According to researchers, the malware scans for specific files linked to particular applications in an attempt to gather extensive system information. It performs various commands to extract hardware details, capture running processes, query installed applications, take screenshots, and gather data from iCloud Keychain, Apple Notes, web browsers, crypto wallets, and apps like Discord, FileZilla, Steam, and Telegram.
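A defender-side check for the LaunchAgent persistence and osascript prompt described above, added here as an example rather than code from the article or from Kandji: it parses LaunchAgent plists with Python's standard library and flags agents that start at login from user-writable locations or invoke osascript. The path patterns and the sample plist are constructed assumptions, not real Cuckoo artifacts.

```python
"""Audit LaunchAgent plists for traits common to macOS stealer persistence."""
from __future__ import annotations
import plistlib
import re
import sys
from pathlib import Path

# Assumption for this audit: legitimate agents rarely run from these paths.
USER_WRITABLE_RE = re.compile(
    r"^(/tmp/|/private/tmp/|/var/folders/|/Users/[^/]+/(Library/|\.))"
)

def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist (empty list means nothing flagged)."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # malformed XML, or not a plist at all
        return ["unparseable plist"]
    args = [str(a) for a in data.get("ProgramArguments") or []]
    program = str(data.get("Program") or (args[0] if args else ""))
    findings = []
    if data.get("RunAtLoad"):
        findings.append("RunAtLoad: starts at every login")
    if data.get("KeepAlive"):
        findings.append("KeepAlive: relaunched if it exits")
    if USER_WRITABLE_RE.match(program):
        findings.append(f"program in user-writable location: {program}")
    if any("osascript" in a for a in args):
        findings.append("invokes osascript (can drive dialogs such as password prompts)")
    return findings

def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every .plist in a LaunchAgents directory; keys are file names."""
    return {p.name: audit_launch_agent(p.read_bytes())
            for p in sorted(directory.glob("*.plist"))}

# Constructed sample in the shape of a stealer-style agent; not a real Cuckoo file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/.updater/agent</string><string>--run</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Library/LaunchAgents"
    for name, hits in audit_directory(target).items():
        if hits:
            print(f"{name}: " + "; ".join(hits))
```

Run it with no argument to audit the current user's ~/Library/LaunchAgents, or pass another directory such as /Library/LaunchAgents.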
The disclosure follows the recent exposure, by an Apple device management company, of another stealer called CloudChat, which poses as a privacy-focused messaging app and targets macOS users outside China.
CloudChat operates by seizing crypto private keys from the clipboard and data from wallet extensions on Google Chrome.
Additionally, a new variant of the well-known AdLoad malware written in Go, named Rload (or Lador), has been discovered. It is crafted to evade Apple's XProtect malware signature list and compiled exclusively for Intel x86_64 architecture.