Malware Cuckoo – An Infostealer Spyware Steals Data From macOS


Security researchers have uncovered a previously undetected malware threat for macOS that exhibits characteristics of both an infostealer and spyware. Dubbed “Cuckoo” after the brood parasitic bird, this malicious code infiltrates systems and steals resources for its own gain.

The malware was first spotted on April 24th, 2024 in a Mach-O binary file disguised as “DumpMediaSpotifyMusicConverter” – an application that claims to convert music from Spotify to MP3 format. Analysis reveals Cuckoo is a universal binary capable of running on both Intel and ARM-based Macs.


Cuckoo’s Infiltration Tactics

The malware is delivered through a disk image (DMG) file downloaded from the dumpmedia[.]com website. Once installed, it performs a series of checks to avoid detection and determine if the infected system is a viable target.

Kandji’s researchers found that Cuckoo queries the system’s universally unique identifier (UUID) and checks the device’s locale settings. It specifically looks for systems located in Armenia, Belarus, Kazakhstan, Russia, and Ukraine – avoiding infection on machines from those regions.

If deemed a viable target, Cuckoo initiates its data exfiltration and surveillance routines. It is programmed to steal a wide array of sensitive information including:

  • Keychain data containing passwords and cryptographic keys
  • Screen captures and webcam snapshots
  • Browsing history and cookies
  • Messaging app data like WhatsApp and Telegram logs
  • Cryptocurrency wallet details
  • SSH keys and other authentication credentials

The stolen data is then exfiltrated to a command-and-control server controlled by the malware operators.

To maintain a persistent presence, Cuckoo installs a launch agent that persists across reboots. It also employs various evasion tactics like encrypting network traffic and only running malicious components if certain conditions are met.
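As an added illustration (not Kandji's tooling or code from the article), the following Python script triages macOS launch agent plists for the persistence pattern described above: it flags an agent whose program carries the dropper name cited in the article, runs from outside the usual application locations, or is configured to relaunch at login and whenever it exits. The sample plists, the `/Users/alice` path and the trusted-prefix list are constructed assumptions.

```python
import plistlib
from pathlib import Path

# Dropper name reported in the article; extend this set from your own threat-intel feed.
SUSPECT_NAMES = {"DumpMediaSpotifyMusicConverter"}
# Locations a legitimate launch agent normally runs from (assumed list); anything else deserves a look.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")

def triage_launch_agent(data: bytes) -> list:
    """Return reasons a LaunchAgent plist looks like Cuckoo-style persistence ([] = nothing flagged)."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    path = str(plist.get("Program") or (args[0] if args else ""))  # executable launchd will start
    reasons = []
    if Path(path).name in SUSPECT_NAMES:
        reasons.append(f"program name matches a known Cuckoo binary: {Path(path).name}")
    if path and not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted locations: {path}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: relaunches at login and whenever it exits")
    return reasons

def scan_directory(directory: Path) -> dict:
    """Map each flagged *.plist under `directory` to its reasons; unparsable files are flagged too."""
    findings = {}
    for plist_file in directory.glob("*.plist"):
        try:
            reasons = triage_launch_agent(plist_file.read_bytes())
        except Exception as exc:
            reasons = [f"could not parse: {exc}"]
        if reasons:
            findings[str(plist_file)] = reasons
    return findings

# Constructed samples (not real Cuckoo artefacts): one mimicking the malware's persistence, one benign.
SAMPLE_MALICIOUS = plistlib.dumps({
    "Label": "com.user.loginscript", "RunAtLoad": True, "KeepAlive": True,
    "ProgramArguments": ["/Users/alice/Library/DumpMediaSpotifyMusicConverter", "--daemon"]})
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.updater", "RunAtLoad": True,
    "Program": "/Applications/Example.app/Contents/MacOS/updater"})

if __name__ == "__main__":
    for name, data in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage_launch_agent(data))
    # Per-user agents live in ~/Library/LaunchAgents; /Library/LaunchAgents holds system-wide ones.
    print(scan_directory(Path.home() / "Library" / "LaunchAgents"))
```

A flagged entry is a lead for triage, not proof of infection: confirm it by hashing the referenced binary against vendor indicators before isolating the host.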

“Cuckoo is an advanced multi-stage threat that combines infostealer capabilities to vacuum up sensitive data with spyware’s surveillance features,” said Rick Bradshaw, Kandji’s Head of Cybersecurity. “Its evasion techniques and targeted nature also make it a potent threat.”

Prevention and Response

Kandji and other security firms have updated their detections to identify and block Cuckoo. However, preventing such threats requires a layered defense approach:

  • Keep software updated and patched
  • Use reputable anti-malware tools
  • Avoid downloading apps from untrusted sources
  • Implement endpoint detection and response (EDR) solutions

If infected, organizations should initiate incident response procedures – isolating impacted systems, changing exposed credentials, and working to remove Cuckoo and any other malware discovered.

The discovery highlights the increasing sophistication of macOS threats and the need for robust security controls, even on desktop platforms. Kandji’s analysis provides a detailed look at how Cuckoo operates to help the cybersecurity community defend against this invasive malware.

Indicators of Compromise

