New Cuckoo Malware Attacking macOS Users to Steal Data


Cybersecurity researchers have uncovered a new malware strain dubbed “Cuckoo.”

This malicious software exhibits characteristics of both spyware and an infostealer, targeting both Intel and ARM-based Macs with sophisticated tactics to extract sensitive information.

Discovery and Analysis

The malware, named after the brood parasitic bird known for laying its eggs in the nests of other birds, was first identified on April 24, 2024.


It was discovered within a Mach-O binary file masquerading as a legitimate application called DumpMediaSpotifyMusicConverter, which claims to convert music from Spotify to MP3 format.

Dump Media Spotify Music Converter

Researchers from Kandji, a cybersecurity firm, discovered this malware after noticing unusual behavior in an application downloaded from the website dumpmedia[.]com.

Further investigation revealed that the malware is also hosted on similar websites, such as tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, that offer tools for ripping music from streaming services.

Upon examining the contents of the application bundle for “DumpMedia Spotify Music Converter,” researchers discovered a suspicious Mach-O binary named “upd” within the bundle’s Contents/MacOS folder.

Commonly, binaries within an application bundle are named after the application itself, making the name “upd” a significant red flag.

Further investigation revealed that this binary was signed ad hoc without a developer ID.

This lack of a registered developer ID means that macOS’s Gatekeeper security feature would initially block the application from running, requiring manual user intervention to override the block and allow execution.

johnlocke@macos-14 ~ % codesign -dvvv "/Volumes/DumpMedia Spotify Music Converter 3.1.29/DumpMedia Spotify Music Converter.app/Contents/MacOS/upd"
Executable=/Volumes/DumpMedia Spotify Music Converter 3.1.29/DumpMedia Spotify Music Converter.app/Contents/MacOS/upd
Identifier=upd.upd
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1536 flags=0x2(adhoc) hashes=38+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=696343119e0a0686072f6a31d0edb29a5b8fd116
CandidateCDHashFull sha1=696343119e0a0686072f6a31d0edb29a5b8fd116
CandidateCDHash sha256=7a45639f768144799d608a4bbabf144fc1e3c016
CandidateCDHashFull sha256=7a45639f768144799d608a4bbabf144fc1e3c016a7d665775c6314a0c71540f1
Hash choices=sha1,sha256
CMSDigest=702fee1d3836cc14102ec2dfbf1e6706c2e359a8e38403d82789ba7d717cfc77
CMSDigestType=2
CDHash=7a45639f768144799d608a4bbabf144fc1e3c016
Signature=adhoc
Info.plist entries=24
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=242
Internal requirements count=0 size=12
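The two red flags described above, a main binary whose name has nothing to do with the app bundle and an ad hoc signature with no Team ID, can be checked mechanically from `codesign -dvvv` output. The following triage helper is an added example, not Kandji's tooling; it embeds the codesign output quoted in this article as a constant so it runs anywhere, and the heuristic that an executable name should appear in its bundle name is an assumption of this example.

```python
"""Triage helper: parse `codesign -dvvv` output and report the red flags the article
describes (binary name unrelated to the bundle, ad hoc signature, no TeamIdentifier).
Added example, not Kandji's tooling."""
import re
from pathlib import PurePosixPath

# The codesign -dvvv output quoted in the article, embedded here as a constant.
SAMPLE_CODESIGN_OUTPUT = """Executable=/Volumes/DumpMedia Spotify Music Converter 3.1.29/DumpMedia Spotify Music Converter.app/Contents/MacOS/upd
Identifier=upd.upd
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1536 flags=0x2(adhoc) hashes=38+7 location=embedded
Signature=adhoc
Info.plist entries=24
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=242
"""

ADHOC_FLAG = re.compile(r"flags=0x[0-9a-fA-F]+\(adhoc\)")


def parse_codesign(output):
    """Turn 'Key=value' lines into a dict (first '=' splits key from value)."""
    fields = {}
    for line in output.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def bundle_name_from_executable(path):
    """Return the name (without .app) of the bundle containing the executable, or None."""
    for part in PurePosixPath(path).parts:
        if part.endswith(".app"):
            return part[:-4]
    return None


def triage(output):
    """Return human-readable findings; an empty list means nothing was flagged."""
    fields = parse_codesign(output)
    findings = []
    exe_path = fields.get("Executable", "")
    exe_name = PurePosixPath(exe_path).name
    bundle = bundle_name_from_executable(exe_path)

    # Heuristic (assumption): a bundle's main binary is normally named after the bundle.
    if bundle and exe_name.lower().replace(" ", "") not in bundle.lower().replace(" ", ""):
        findings.append(f"executable '{exe_name}' does not match bundle name '{bundle}'")

    # Ad hoc signature: no Developer ID certificate, so Gatekeeper blocks it by default.
    if fields.get("Signature") == "adhoc" or ADHOC_FLAG.search(output):
        findings.append("ad hoc signature: not signed with a Developer ID certificate")

    # No Team ID: the signer cannot be tied to an Apple developer account.
    if fields.get("TeamIdentifier", "not set") == "not set":
        findings.append("TeamIdentifier not set")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CODESIGN_OUTPUT):
        print("FLAG:", finding)
```

To use it on a real bundle, pipe `codesign -dvvv <path> 2>&1` into `triage()`; codesign writes its details to stderr, which is why the redirect matters.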

Modus Operandi

Cuckoo is designed to perform a locale check to avoid infecting devices in certain regions:

  • Armenia (hy_AM)
  • Belarus (be_BY)
  • Kazakhstan (kk_KZ)
  • Russia (ru_RU)
  • Ukraine (uk_UA)

If the check is passed, the malware proceeds with its malicious activities. It employs a fake application bundle to deceive users into downloading and running the malware.


Once executed, it gains persistence on the host by installing a LaunchAgent, ensuring it remains active even after the system reboots.

The malware can execute commands to extract hardware information, capture currently running processes, and query for installed applications.

It can also take screenshots and harvest data from various sources, including iCloud Keychain, Apple Notes, web browsers, and cryptocurrency wallets.

Spying and Infostealing Capabilities

Cuckoo’s primary function is to gather as much information as possible from the infected system.

It searches for files associated with specific applications and categorizes the collected data using a keyword observed in network communications.

This includes sensitive information such as passwords, system build info, hostnames, and usernames, which are then sent to a Command and Control server.

System profiler command to obtain hardware information: 

10001248c    __builtin_strcpy(dest: &systemProfilerCMD, src: "system_profiler SPHardwareDataTyt,")
100012498    XOR_func(&systemProfilerCMD, 0x23)
1000124a4    char* x0_14 = popenCMD(&systemProfilerCMD, 1)
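The listing shows the sample keeping its command strings XOR-encoded with the single byte 0x23 and decoding them just before `popen`. The helper below is an added example of the string-deobfuscation routine an analyst writes for such a sample; it is not code from the malware or from Kandji. The obfuscated blob is constructed here by encoding the article's `system_profiler` command with the key from the listing, and it also recovers the key by brute force for the case where the key is not visible in the decompilation.

```python
"""Single-byte XOR string deobfuscation of the kind used to recover the commands a
sample like Cuckoo hides. Added example; the obfuscated sample is constructed here."""

KNOWN_KEY = 0x23  # key visible in the article's listing: XOR_func(&systemProfilerCMD, 0x23)


def xor_bytes(data, key):
    """XOR every byte with a one-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def plaintext_score(data):
    """Score a candidate plaintext: lowercase letters and spaces dominate shell commands,
    other printable ASCII is neutral, anything unprintable is heavily penalised."""
    score = 0
    for b in data:
        if 0x61 <= b <= 0x7A or b == 0x20:
            score += 2
        elif 0x20 < b < 0x7F:
            score += 1
        else:
            score -= 10
    return score


def recover_single_byte_key(ciphertext, expected_substring=None):
    """Try all 256 keys. If a known fragment (e.g. b'system_profiler') is expected, return
    the first key that reveals it; otherwise return the key with the best plaintext score."""
    best_key, best_score = None, None
    for key in range(256):
        candidate = xor_bytes(ciphertext, key)
        if expected_substring is not None and expected_substring in candidate:
            return key
        score = plaintext_score(candidate)
        if best_score is None or score > best_score:
            best_key, best_score = key, score
    return best_key


def decode_command(blob, key=KNOWN_KEY):
    """Decode an obfuscated command string to text."""
    return xor_bytes(blob, key).decode("ascii", errors="replace")


# Constructed sample: the hardware-inventory command from the article, encoded the way
# the listing implies (plaintext XOR 0x23). This is not bytes extracted from the binary.
PLAINTEXT_CMD = b"system_profiler SPHardwareDataType"
OBFUSCATED_CMD = xor_bytes(PLAINTEXT_CMD, KNOWN_KEY)

if __name__ == "__main__":
    print("obfuscated:", OBFUSCATED_CMD.hex())
    print("decoded   :", decode_command(OBFUSCATED_CMD))
    print("recovered key: 0x%02x" % recover_single_byte_key(OBFUSCATED_CMD))
```

The brute-force scorer is deliberately simple; on short strings a neighbouring key can tie on printability alone, which is why the function accepts a known fragment and why the score weights lowercase letters and spaces rather than counting any printable byte.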

Cuckoo employs various evasion tactics to maintain its presence on the infected machine discreetly.

It encrypts its network traffic and only executes its malicious components under specific conditions.

Additionally, it sets up a LaunchAgent to ensure it runs regularly, securing its foothold on the system.
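Both mentions of persistence above come down to a LaunchAgent property list that launchd loads at login and re-runs on a schedule. The audit helper below is an added example, not Kandji's tooling, of how a defender can review `~/Library/LaunchAgents` for agents that keep a program alive from an unusual location. The two plists and their labels and paths are constructed for this example; the article does not publish Cuckoo's actual agent label or path, and the list of trusted program locations is an assumption of the heuristic.

```python
"""Audit user LaunchAgents for persistence entries that run, keep alive, or schedule a
program outside the usual vendor locations. Added example; sample plists are constructed."""
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

# Assumption for this heuristic: where a legitimate agent's program normally lives.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def load_agent(data: bytes) -> dict:
    """Parse an XML or binary launchd plist from bytes."""
    return plistlib.loads(data)


def agent_program(agent: dict) -> Optional[str]:
    """launchd accepts either Program or ProgramArguments[0] as the executable."""
    if "Program" in agent:
        return agent["Program"]
    args = agent.get("ProgramArguments")
    return args[0] if args else None


def assess_agent(agent: dict) -> List[str]:
    """Return reasons this agent deserves a closer look; empty means nothing flagged."""
    reasons = []
    program = agent_program(agent) or ""
    persistent = bool(agent.get("RunAtLoad") or agent.get("KeepAlive") or "StartInterval" in agent)
    if not program:
        reasons.append("no Program/ProgramArguments")
    elif not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted locations: {program}")
    if persistent and reasons:
        reasons.append("RunAtLoad/KeepAlive/StartInterval set, so it survives reboot")
    return reasons


def audit_directory(directory: Path) -> Dict[str, List[str]]:
    """Run assess_agent over every .plist in a LaunchAgents directory."""
    results = {}
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            agent = load_agent(plist_path.read_bytes())
        except (plistlib.InvalidFileException, ValueError) as exc:
            results[plist_path.name] = [f"unparseable plist: {exc}"]
            continue
        findings = assess_agent(agent)
        if findings:
            results[plist_path.name] = findings
    return results


# Constructed samples (labels and paths are placeholders, not indicators from the article).
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.placeholder.agent</string>
  <key>ProgramArguments</key><array><string>/Users/victim/Library/Application Support/placeholder/upd</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_AGENT), ("suspicious", SUSPICIOUS_AGENT)):
        print(name, assess_agent(load_agent(blob)) or "ok")
    print(audit_directory(Path.home() / "Library" / "LaunchAgents"))
```

Running `audit_directory(Path.home() / "Library" / "LaunchAgents")` on a real Mac lists only the agents the heuristic flags, which makes it a quick first pass before reading each plist by hand.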

Safety Measures

To protect against such threats, users must keep their software updated and patched, use reputable anti-malware tools, and avoid downloading applications from untrusted sources.

Regular scans with updated antivirus software can help detect and remove such malicious programs.

The discovery of the Cuckoo malware highlights the increasing sophistication of threats targeting macOS, a platform once considered relatively safe from such attacks.

This incident underscores the need for continuous vigilance and robust security measures to protect sensitive data from cybercriminals.

As the cybersecurity community continues to monitor and analyze this threat, users are urged to stay informed about the latest security practices and to implement recommended protective measures to safeguard their digital environments.

Indicators of Compromise

DMGs

  • Spotify-music-converter.dmg: 254663d6f4968b220795e0742284f9a846f995ba66590d97562e8f19049ffd4b

Mach-Os

  • DumpMediaSpotifyMusicConverter: 1827db474aa94870aafdd63bdc25d61799c2f405ef94e88432e8e212dfa51ac7
  • TuneSoloAppleMusicConverter: d8c3c7eedd41b35a9a30a99727b9e0b47e652b8f601b58e2c20e2a7d30ce14a8
  • TuneFunAppleMusicConverter: 39f1224d7d71100f86651012c87c181a545b0a1606edc49131730f8c5b56bdb7
  • FoneDogToolkitForAndroid: a709dacc4d741926a7f04cad40a22adfc12dd7406f016dd668dd98725686a2dc

Domains/IPs

  • http://146[.]70[.]80[.]123/static[.]php
  • http://146[.]70[.]80[.]123/index[.]php
  • http://tunesolo[.]com
  • http://fonedog[.]com
  • http://tunesfun[.]com
  • http://dumpmedia[.]com
  • http://tunefab[.]com
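The indicators above are published defanged, so they have to be refanged before they can be matched against proxy or DNS logs or against file hashes. The script below is an added example of that matching, not Kandji's tooling; the hashes and hosts are taken from the list above, the log lines are constructed for the example, and subdomain matching (a host is a hit if it equals an indicator or ends in "." plus an indicator) is an assumption of this example.

```python
"""Match the article's indicators against sample log lines and file hashes.
Added example; the log lines are constructed, the indicators come from the article."""
import hashlib
import re

DEFANGED_URLS = [
    "http://146[.]70[.]80[.]123/static[.]php",
    "http://146[.]70[.]80[.]123/index[.]php",
    "http://tunesolo[.]com",
    "http://fonedog[.]com",
    "http://tunesfun[.]com",
    "http://dumpmedia[.]com",
    "http://tunefab[.]com",
]

SHA256_IOCS = {
    "254663d6f4968b220795e0742284f9a846f995ba66590d97562e8f19049ffd4b": "Spotify-music-converter.dmg",
    "1827db474aa94870aafdd63bdc25d61799c2f405ef94e88432e8e212dfa51ac7": "DumpMediaSpotifyMusicConverter",
    "d8c3c7eedd41b35a9a30a99727b9e0b47e652b8f601b58e2c20e2a7d30ce14a8": "TuneSoloAppleMusicConverter",
    "39f1224d7d71100f86651012c87c181a545b0a1606edc49131730f8c5b56bdb7": "TuneFunAppleMusicConverter",
    "a709dacc4d741926a7f04cad40a22adfc12dd7406f016dd668dd98725686a2dc": "FoneDogToolkitForAndroid",
}


def refang(indicator):
    """Undo the common defanging conventions: [.] -> . and hxxp -> http."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_of(url):
    """Extract the host part of a URL (no scheme, path or port)."""
    match = re.match(r"^[a-zA-Z]+://([^/:]+)", url)
    return match.group(1).lower() if match else None


# Hosts to watch for, derived once from the defanged URL list.
IOC_HOSTS = sorted({host_of(refang(u)) for u in DEFANGED_URLS})


def match_log_line(line):
    """Return the indicator host a log line references, or None."""
    for token in re.findall(r"[A-Za-z0-9.\-]+", line):
        host = token.lower().strip(".")
        for ioc in IOC_HOSTS:
            if host == ioc or host.endswith("." + ioc):
                return ioc
    return None


def scan_logs(lines):
    """Return (line_number, indicator) pairs for every hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        ioc = match_log_line(line)
        if ioc:
            hits.append((number, ioc))
    return hits


def sha256_of(data: bytes):
    return hashlib.sha256(data).hexdigest()


def check_hash(digest):
    """Return the indicator name for a SHA-256 digest, or None if it is not listed."""
    return SHA256_IOCS.get(digest.lower())


# Constructed log lines for this example; only lines 2 and 3 reference an indicator.
SAMPLE_LOG = [
    "2024-05-06T10:00:00Z host1 dns query www.apple.com",
    "2024-05-06T10:01:12Z host1 http GET http://dumpmedia.com/download/spotify-music-converter.dmg",
    "2024-05-06T10:02:30Z host1 http POST http://146.70.80.123/index.php",
    "2024-05-06T10:03:00Z host2 dns query example.org",
]

if __name__ == "__main__":
    for number, ioc in scan_logs(SAMPLE_LOG):
        print(f"line {number}: contact with indicator host {ioc}")
```

Hash matching is only useful against the exact files listed; a recompiled or re-signed sample will not match, so the host indicators and the behavioural checks (ad hoc signature, odd LaunchAgents) are the more durable part of the hunt.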
