Malware

Malware Cuckoo – Previously Unknown Infosteler Spyware Steals Data From MacOS

Security researchers have uncovered a previously undetected malware threat for macOS that exhibits characteristics of both an infostealer and spyware. Dubbed “Cuckoo” after the brood parasitic bird, this malicious code infiltrates systems and steals resources for its own gain.

The malware was first spotted on April 24th, 2024 in a Mach-O binary file disguised as “DumpMediaSpotifyMusicConverter” – an application that claims to convert music from Spotify to MP3 format. Analysis reveals Cuckoo is a universal binary capable of running on both Intel and ARM-based Macs.

Cuckoo’s Infiltration Tactics

The malware is delivered through a disk image (DMG) file downloaded from the dumpmedia[.]com website. Once installed, it performs a series of checks to avoid detection and determine if the infected system is a viable target.

Kandji’s researchers found that Cuckoo queries the system’s universally unique identifier (UUID) and checks the device’s locale settings. It specifically looks for systems located in Armenia, Belarus, Kazakhstan, Russia, and Ukraine – avoiding infection on machines from those regions.

Cuckoo initiates its data exfiltration and surveillance routines if deemed a viable target. It is programmed to steal a wide array of sensitive information including:

  • Keychain data containing passwords and cryptographic keys
  • Screen captures and webcam snapshots
  • Browsing history and cookies
  • Messaging app data like WhatsApp and Telegram logs
  • Cryptocurrency wallet details
  • SSH keys and other authentication credentials

The stolen data is then exfiltrated to a command-and-control server controlled by the malware operators.

To maintain a persistent presence, Cuckoo installs a launch agent that persists across reboots. It also employs various evasion tactics like encrypting network traffic and only running malicious components if certain conditions are met.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Prevention and Response

Kandji and other security firms have updated their detections to identify and block Cuckoo. However, preventing such threats requires a layered defense approach:

  • Keep software updated and patched
  • Use reputable anti-malware tools
  • Avoid downloading apps from untrusted sources
  • Implement endpoint detection and response (EDR) solutions

If infected, organizations should initiate incident response procedures – isolating impacted systems, changing exposed credentials, and working to remove Cuckoo and any other malware discovered.

The discovery highlights the increasing sophistication of macOS threats and need for robust security controls, even on desktop platforms. Kandji’s analysis provides a detailed look at how Cuckoo operates to help the cybersecurity community defend against this invasive malware cuckoo.

Indicators of Compromise

DMGS

  • Spotify-music-converter.dmg: 254663d6f4968b220795e0742284f9a846f995ba66590d97562e8f19049ffd4b

MACH-OS

  • DumpMediaSpotifyMusicConverter: 1827db474aa94870aafdd63bdc25d61799c2f405ef94e88432e8e212dfa51ac7
  • TuneSoloAppleMusicConverter: d8c3c7eedd41b35a9a30a99727b9e0b47e652b8f601b58e2c20e2a7d30ce14a8
  • TuneFunAppleMusicConverter: 39f1224d7d71100f86651012c87c181a545b0a1606edc49131730f8c5b56bdb7
  • FoneDogToolkitForAndroid: a709dacc4d741926a7f04cad40a22adfc12dd7406f016dd668dd98725686a2dc

DOMAINS/IPS

  • http://146[.]70[.]80[.]123/static[.]php
  • http://146[.]70[.]80[.]123/index[.]php
  • http://tunesolo[.]com
  • http://fonedog[.]com
  • http://tunesfun[.]com
  • http://dumpmedia[.]com
  • http://tunefab[.]com

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

CrowdStrike Releases Fix for Updates Causing Windows to Enter BSOD Loop

CrowdStrike has issued a fix for a problematic update that caused numerous Windows systems to…

1 hour ago

Beware of Free VPNs that Install Malicious Botnets

Virtual Private Networks (VPNs) have become essential tools for internet users. However, the allure of…

5 hours ago

HPE Critical 3PAR Processor Flaw Let Remote Attackers Bypass Authentication

Hewlett Packard Enterprise (HPE) has addressed a critical vulnerability in its 3PAR Service Processor software…

8 hours ago

Chrome Security Update: Patch for Multiple Flaws that Leads to Remote Code Execution

Google has announced the release of Chrome 126, a critical security update that addresses 10…

9 hours ago

CrowdStrike Update Pushing Windows Machines Into a BSOD Loop

A recent update to the CrowdStrike Falcon sensor is causing major issues for Windows users…

10 hours ago

Oracle WebLogic Server Vulnerability Allows Complete Server Take Over

A critical vulnerability identified as CVE-2024-21181 has been discovered in the Oracle WebLogic Server, posing…

11 hours ago