Arm- and Intel-based Macs are being targeted by a new and dangerous malware, dubbed Cuckoo. It comes as a trojan, disguising itself as legitimate software such as music converter apps. Then, it spreads its infostealer wings and lays spyware.
Researchers from cybersecurity firm Kandji have discovered a new universal malicious executable that can run on both Intel and ARM-based Apple Mac computers.
First observed under the name “DumpMediaSpotifyMusicConverter,” the malware is distributed through malicious software installers disguised as apps for converting music to MP3 format from services like Spotify.
“On further investigation, we found it to be more widespread. Not only were other applications hosted on the DumpMedia site found to be malicious, but also those on additional websites hosting similar tools,” the report reads.
“So far, we have found that the websites tunesolo[.]com, fonedog[.]com, tunesfun[.]com, tunefab[.]com are hosting malicious applications containing the same malware.”
Each website appears very similar, offering free and paid versions of applications dedicated to ripping music from streaming services and to iOS and Android recovery.
Researchers named the malware after the bird that “lays its eggs in the nests of other birds and steals the host's resources for the gain of its young.”
What does Cuckoo do?
Cuckoo needs some user interaction to get installed. Instead of having the user drag the app into the Applications folder, the installer instructs them to right-click it and choose Open. The bundle contains both a legitimate application and an executable that is unsigned and carries no Developer ID, so macOS will not run it unless the user allows it manually.
If the unsuspecting user runs Cuckoo, it first checks the user locale: the malware’s creators did not want to infect devices in five countries (Armenia, Belarus, Kazakhstan, Russia, and Ukraine). For users in those countries, the executable simply opens the SpotifyMusicConverter application.
For others, Cuckoo immediately starts gathering detailed host hardware information, such as hardware ID, OS version, running processes, etc.
Then, it tries to capture the user’s password using the prompt “macOS needs to access System Settings.” If the user accepts further prompts, Cuckoo gains access to the Finder, microphone, and downloads.
“We observed Cuckoo copying files related to Safari, Notes, and Keychain to temporary locations,” researchers Adam Kohler and Christopher Lopez said. “Paths to files of interest – including bookmarks, cookies, and history – are created and passed as arguments to functions to open and read from these files.”
While ordinary stealers do not set up persistence, Cuckoo also acts like spyware: it installs a launch agent that runs it every 60 seconds, keeping persistent access to the machine.
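The 60-second launch agent described above gives defenders something concrete to hunt for on a Mac. The following is an added example, not Kandji’s tooling or code from the report: a Python scan of LaunchAgent plists that flags a short StartInterval combined with a program living outside trusted system paths. The sample plists, the label, and the file paths are constructed.

```python
import plistlib
from pathlib import Path

SHORT_INTERVAL_SECONDS = 60            # the re-run cadence the report describes for Cuckoo
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

def program_path(plist: dict) -> str:
    """launchd accepts either Program or ProgramArguments[0]; return whichever is set."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""

def assess_launch_agent(data: bytes) -> list[str]:
    """Return reasons the agent looks suspicious; an empty list means nothing was flagged."""
    plist = plistlib.loads(data)
    reasons = []
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= SHORT_INTERVAL_SECONDS:
        reasons.append(f"StartInterval={interval}s (short re-run timer)")
    path = program_path(plist)
    if path and not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted prefixes: {path}")
    if plist.get("RunAtLoad") and reasons:
        reasons.append("RunAtLoad=true (also starts at login)")
    return reasons

def scan_directory(directory: Path) -> dict[str, list[str]]:
    """Assess every *.plist in a LaunchAgents folder, keeping only the flagged ones."""
    return {p.name: r for p in directory.glob("*.plist")
            if (r := assess_launch_agent(p.read_bytes()))}

# Constructed sample of a Cuckoo-style agent (hypothetical label and path, not a real IoC).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.cuckoo-like</string>
<key>ProgramArguments</key><array><string>/Users/victim/Library/x/updater</string></array>
<key>StartInterval</key><integer>60</integer>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed benign sample: lives under /Applications and has no short timer.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.benign</string>
<key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
<key>RunAtLoad</key><true/>
</dict></plist>"""
```

On a live machine, call `scan_directory(Path.home() / "Library" / "LaunchAgents")` and review anything returned by hand; a short timer alone is not proof of malware, only a reason to look closer.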
Not only can Cuckoo exfiltrate passwords, crypto wallet secrets, or browser information, but it also has screen capture or audio recording functionality. However, it often needs to ask the user’s permission to access sensitive information.
To hide its true intentions, the malware finally launches SpotifyMusicConverter.
Cuckoo appears to be sophisticated and multi-faceted macOS malware. Therefore, users should be cautious and only choose software from trusted sources.