Malware Cuckoo – Previously Unknown Infostealer Spyware Steals Data From macOS

by Esmeralda McKenzie

Security researchers have uncovered a previously undetected malware threat for macOS that displays characteristics of both an infostealer and spyware. Dubbed “Cuckoo” after the brood-parasitic bird, this malicious code infiltrates systems and steals their resources for its own gain.

The malware was first observed on April 24th, 2024 in a Mach-O binary disguised as “DumpMediaSpotifyMusicConverter”, an application that claims to convert music from Spotify to MP3 format. Analysis shows Cuckoo is a universal binary capable of running on both Intel and ARM-based Macs.


Cuckoo’s Infiltration Methods

The malware is delivered through a disk image (DMG) file downloaded from the dumpmedia[.]com website. Once installed, it performs a series of checks to avoid detection and to determine whether the infected system is a viable target.

Kandji’s researchers found that Cuckoo queries the system’s universally unique identifier (UUID) and checks the machine’s locale settings. It specifically looks for systems located in Armenia, Belarus, Kazakhstan, Russia, and Ukraine, and avoids infecting machines from those regions.

If the system is deemed a viable target, Cuckoo initiates its data exfiltration and surveillance routines. It is programmed to steal a broad range of sensitive data, including:

  • Keychain data containing passwords and cryptographic keys
  • Screen captures and webcam snapshots
  • Browsing history and cookies
  • Messaging app data such as WhatsApp and Telegram logs
  • Cryptocurrency wallet details
  • SSH keys and other authentication credentials

The stolen data is then exfiltrated to a command-and-control server operated by the malware’s authors.

To maintain a persistent presence, Cuckoo installs a launch agent that survives reboots. It also employs a number of evasion techniques, such as encrypting network traffic and only running its malicious components if certain conditions are met.
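The article does not name the launch agent Cuckoo drops, but a defender can still check the directories launchd consults for user-level persistence. The script below is an added example (not Kandji’s detection logic and not derived from the sample): it parses LaunchAgent plists and flags jobs that autostart (RunAtLoad or KeepAlive, both real launchd keys) from a program path outside a set of prefixes we assume to be trustworthy. The two plists embedded at the bottom are constructed for the demonstration, and the trusted-prefix list is an assumption you should tune for your fleet.

```python
"""Audit macOS LaunchAgent plists for autostarting jobs that run from unusual paths.

Added example for this article; it is not Kandji's tooling. The plist contents at
the bottom are constructed, and TRUSTED_PREFIXES is an assumption, not an Apple list.
"""
import os
import plistlib
from pathlib import Path
from typing import Any, Dict, List

# Directories launchd actually reads per-user and system-wide launch agents from.
LAUNCH_AGENT_DIRS = [
    Path(os.environ.get("HOME", "/var/empty")) / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
]

# Assumption: binaries under these prefixes are OS- or admin-installed and get a pass.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")


def program_path(job: Dict[str, Any]) -> str:
    """A launchd job names its binary via 'Program' or 'ProgramArguments[0]'."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess_job(job: Dict[str, Any]) -> List[str]:
    """Return the reasons a job looks like suspicious persistence, or [] if it does not.

    A finding requires both an autostart trigger and a program outside TRUSTED_PREFIXES;
    a trusted binary that autostarts is normal and is not reported.
    """
    path = program_path(job)
    reasons = [key for key in ("RunAtLoad", "KeepAlive") if job.get(key)]
    if not reasons or not path or path.startswith(TRUSTED_PREFIXES):
        return []
    reasons.append(f"program outside trusted prefixes: {path}")
    return reasons


def assess_plist_bytes(data: bytes) -> List[str]:
    """Parse one plist (XML or binary) and assess it."""
    return assess_job(plistlib.loads(data))


def audit_directories(dirs=LAUNCH_AGENT_DIRS) -> Dict[str, List[str]]:
    """Walk the launch agent directories and map each suspicious plist path to its reasons."""
    findings: Dict[str, List[str]] = {}
    for directory in dirs:
        if not directory.is_dir():
            continue
        for plist in directory.glob("*.plist"):
            try:
                reasons = assess_plist_bytes(plist.read_bytes())
            except (plistlib.InvalidFileException, ValueError, OSError):
                continue  # unreadable or malformed plist; not our concern here
            if reasons:
                findings[str(plist)] = reasons
    return findings


# Constructed plists (not taken from any real sample): one suspicious, one benign.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.converter</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/Converter/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.vendoragent</string>
  <key>Program</key><string>/Applications/Vendor.app/Contents/MacOS/agent</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print("constructed suspicious:", assess_plist_bytes(SUSPICIOUS_PLIST))
    print("constructed benign:", assess_plist_bytes(BENIGN_PLIST))
    for path, reasons in audit_directories().items():
        print(path, "->", ", ".join(reasons))
```

Run it on a Mac as the user being investigated; it prints the assessment of the two constructed plists first, then any findings from the real LaunchAgents directories. A hit is a lead, not a verdict: pair it with code-signing checks and the hashes in the indicators section.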


Prevention and Response

Kandji and other security firms have updated their detections to identify and block Cuckoo. However, preventing such threats requires a layered defense approach:

  • Keep software updated and patched
  • Use reputable anti-malware tools
  • Avoid downloading apps from untrusted sources
  • Implement endpoint detection and response (EDR) solutions

If infected, organizations should initiate incident response procedures: isolate impacted systems, change exposed credentials, and remove Cuckoo and any other malware found.

The discovery highlights the increasing sophistication of macOS threats and the need for strong security controls, even on desktop platforms. Kandji’s analysis gives a detailed look at how Cuckoo operates, helping the cybersecurity community defend against invasive malware like Cuckoo.

Indicators of Compromise

DMGs

  • Spotify-song-converter.dmg: 254663d6f4968b220795e0742284f9a846f995ba66590d97562e8f19049ffd4b

Mach-Os

  • DumpMediaSpotifyMusicConverter: 1827db474aa94870aafdd63bdc25d61799c2f405ef94e88432e8e212dfa51ac7
  • TuneSoloAppleMusicConverter: d8c3c7eedd41b35a9a30a99727b9e0b47e652b8f601b58e2c20e2a7d30ce14a8
  • TuneFunAppleMusicConverter: 39f1224d7d71100f86651012c87c181a545b0a1606edc49131730f8c5b56bdb7
  • FoneDogToolkitForAndroid: a709dacc4d741926a7f04cad40a22adfc12dd7406f016dd668dd98725686a2dc

Domains/IPs

  • http://146[.]70[.]80[.]123/static[.]php
  • http://146[.]70[.]80[.]123/index[.]php
  • http://tunesolo[.]com
  • http://fonedog[.]com
  • http://tunesfun[.]com
  • http://dumpmedia[.]com
  • http://tunefab[.]com
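The indicators above are only useful once they are matched against something. The script below is an added example, not part of the article or Kandji’s tooling: it carries the SHA-256 hashes and defanged network indicators exactly as listed, refangs the `[.]` notation, and matches them against a hash inventory (as an EDR or `shasum` export would produce) and against proxy log lines. The hash list and log lines at the bottom are constructed sample data; the only real values are the indicators themselves.

```python
"""Match file hashes and network log lines against the Cuckoo IoCs listed above.

Added example for this article; not Kandji's or the article's own code.
SAMPLE_HASHES and SAMPLE_LOG are constructed, not real telemetry.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# SHA-256 indicators, exactly as published (indicator name -> hash).
CUCKOO_SHA256: Dict[str, str] = {
    "Spotify-song-converter.dmg": "254663d6f4968b220795e0742284f9a846f995ba66590d97562e8f19049ffd4b",
    "DumpMediaSpotifyMusicConverter": "1827db474aa94870aafdd63bdc25d61799c2f405ef94e88432e8e212dfa51ac7",
    "TuneSoloAppleMusicConverter": "d8c3c7eedd41b35a9a30a99727b9e0b47e652b8f601b58e2c20e2a7d30ce14a8",
    "TuneFunAppleMusicConverter": "39f1224d7d71100f86651012c87c181a545b0a1606edc49131730f8c5b56bdb7",
    "FoneDogToolkitForAndroid": "a709dacc4d741926a7f04cad40a22adfc12dd7406f016dd668dd98725686a2dc",
}

# Network indicators in the defanged form reports use; refanged before matching.
CUCKOO_NETWORK_DEFANGED = [
    "146[.]70[.]80[.]123",
    "tunesolo[.]com", "fonedog[.]com", "tunesfun[.]com", "dumpmedia[.]com", "tunefab[.]com",
]


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it matches real log text."""
    return indicator.replace("[.]", ".")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed in 1 MiB chunks so a large DMG is not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_hashes(observed: Iterable[str]) -> Dict[str, str]:
    """Return {hash: indicator name} for each observed SHA-256 that is a Cuckoo IoC.

    Comparison is case-insensitive because tools disagree on hex case.
    """
    by_hash = {h.lower(): name for name, h in CUCKOO_SHA256.items()}
    return {h.lower(): by_hash[h.lower()] for h in observed if h.lower() in by_hash}


def scan_directory(root: Path) -> Dict[str, str]:
    """Hash every regular file under root and return {path: indicator name} for matches."""
    hits: Dict[str, str] = {}
    for candidate in root.rglob("*"):
        if candidate.is_file():
            hits.update({str(candidate): name for _, name in match_hashes([hash_file(candidate)]).items()})
    return hits


# Each indicator is anchored so 'notdumpmedia.com' or '146.70.80.1234' is not a false positive.
_NETWORK_PATTERNS: List[Tuple[str, re.Pattern]] = [
    (refang(i), re.compile(r"(?<![\w.-])" + re.escape(refang(i)) + r"(?![\w-])", re.IGNORECASE))
    for i in CUCKOO_NETWORK_DEFANGED
]


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, indicator) for every log line that mentions a Cuckoo domain or IP."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for indicator, pattern in _NETWORK_PATTERNS:
            if pattern.search(line):
                hits.append((number, indicator))
    return hits


# Constructed sample input: an uppercase hash export and a few proxy log lines.
SAMPLE_HASHES = [
    "1827DB474AA94870AAFDD63BDC25D61799C2F405EF94E88432E8E212DFA51AC7",  # listed IoC, uppercase
    "0" * 64,                                                             # benign placeholder
]
SAMPLE_LOG = [
    "2024-04-25T10:01:02Z GET http://146.70.80.123/static.php 200",
    "2024-04-25T10:01:05Z GET https://example.com/ 200",
    "2024-04-25T10:02:11Z CONNECT tunesolo.com:443",
    "2024-04-25T10:02:12Z CONNECT notdumpmedia.com:443",
]

if __name__ == "__main__":
    print("hash matches:", match_hashes(SAMPLE_HASHES))
    print("log matches:", scan_log_lines(SAMPLE_LOG))
```

Point `scan_directory` at `~/Downloads` or a mounted DMG to hash real files, and feed `scan_log_lines` proxy or DNS logs. The anchored patterns matter: a bare substring search on these short domains would also flag unrelated hostnames that merely contain them.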

Source credit : cybersecuritynews.com
