New Cuckoo Malware Attacking macOS Users to Steal Sensitive Data

by Esmeralda McKenzie

Cybersecurity researchers have uncovered a new malware strain dubbed “Cuckoo.”

This malicious tool shows characteristics of both spyware and an infostealer, targeting both Intel- and ARM-based Macs and using sophisticated techniques to extract sensitive data.

Discovery and Analysis

The malware, named after the brood-parasitic bird known for laying its eggs in the nests of other birds, was first identified on April 24, 2024.

It was found within a Mach-O binary masquerading as a legitimate application called DumpMediaSpotifyMusicConverter, which claims to convert music from Spotify to MP3 format.

Figure: DumpMedia Spotify Music Converter

Researchers from Kandji, a cybersecurity firm, found this malware after noticing unusual behavior in an application downloaded from the website dumpmedia[.]com.

Further investigation revealed that the malware may also be hosted on similar websites such as tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, which offer tools for ripping music from streaming services.

Upon inspecting the contents of the application bundle for “DumpMedia Spotify Music Converter,” researchers found a suspicious Mach-O binary named “upd” within the bundle's MacOS folder.

Typically, the main binary within an application bundle is named after the application itself, making the name “upd” a notable red flag.

Further investigation revealed that this binary was signed ad hoc, without a developer ID.

The lack of a registered developer ID means that macOS's Gatekeeper would initially block the application from running, requiring manual user intervention to override the block and allow execution.

johnlocke@macos-14 ~ % codesign -dvvv "/Volumes/DumpMedia Spotify Music Converter 3.1.29/DumpMedia Spotify Music Converter.app/Contents/MacOS/upd"
Executable=/Volumes/DumpMedia Spotify Music Converter 3.1.29/DumpMedia Spotify Music Converter.app/Contents/MacOS/upd
Identifier=upd.upd
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1536 flags=0x2(adhoc) hashes=38+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=696343119e0a0686072f6a31d0edb29a5b8fd116
CandidateCDHashFull sha1=696343119e0a0686072f6a31d0edb29a5b8fd116
CandidateCDHash sha256=7a45639f768144799d608a4bbabf144fc1e3c016
CandidateCDHashFull sha256=7a45639f768144799d608a4bbabf144fc1e3c016a7d665775c6314a0c71540f1
Hash choices=sha1,sha256
CMSDigest=702fee1d3836cc14102ec2dfbf1e6706c2e359a8e38403d82789ba7d717cfc77
CMSDigestType=2
CDHash=7a45639f768144799d608a4bbabf144fc1e3c016
Signature=adhoc
Info.plist entries=24
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=242
Internal requirements count=0 size=12
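The two red flags the researchers relied on (a main binary not named after its bundle, and an ad hoc signature with no TeamIdentifier) can be checked mechanically from `codesign -dvvv` output. The script below is an added example, not Kandji's or the article's tooling: it parses the output shown above for the “upd” binary and, as a counter-example, a constructed listing of what a Developer ID-signed app looks like (the team ID and names there are placeholders).

```python
import re
from pathlib import PurePosixPath

# codesign -dvvv output for the "upd" binary, as printed in the article
# (line breaks restored; CandidateCDHash/CMSDigest lines trimmed for brevity).
UPD_CODESIGN_OUTPUT = """\
Executable=/Volumes/DumpMedia Spotify Music Converter 3.1.29/DumpMedia Spotify Music Converter.app/Contents/MacOS/upd
Identifier=upd.upd
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1536 flags=0x2(adhoc) hashes=38+7 location=embedded
Hash type=sha256 size=32
Signature=adhoc
Info.plist entries=24
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=242
Internal requirements count=0 size=12
"""

# Constructed counter-example of a Developer ID-signed app. The team ID,
# company and bundle names are placeholders, not a real developer.
DEVELOPER_ID_OUTPUT = """\
Executable=/Applications/Example Converter.app/Contents/MacOS/Example Converter
Identifier=com.example.converter
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1536 flags=0x10000(runtime) hashes=38+7 location=embedded
Signature size=8987
Authority=Developer ID Application: Example Corp (PLACEHOLDER1)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PLACEHOLDER1
"""


def parse_codesign(text: str) -> dict:
    """Split codesign output into {key: [values]} on the first '=' of each line.
    Repeated keys (Authority=) keep every value, in order."""
    fields: dict = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def bundle_name_from_path(executable: str):
    """Return the name of the .app bundle the executable lives in, or None."""
    for part in PurePosixPath(executable).parts:
        if part.endswith(".app"):
            return part[:-4]
    return None


def assess(text: str) -> list:
    """Return human-readable findings that warrant a closer look."""
    f = parse_codesign(text)
    first = lambda k: f.get(k, [""])[0]
    findings = []

    exe = first("Executable")
    binary = PurePosixPath(exe).name
    bundle = bundle_name_from_path(exe)
    # Heuristic from the article: the main binary is normally named after the app.
    if bundle and binary.replace(" ", "").lower() != bundle.replace(" ", "").lower():
        findings.append(f"main binary '{binary}' does not match bundle name '{bundle}'")

    flags = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", text)
    if first("Signature") == "adhoc" or (flags and "adhoc" in flags.group(1)):
        findings.append("ad hoc signature: no Developer ID, Gatekeeper blocks it by default")
    if first("TeamIdentifier") == "not set":
        findings.append("TeamIdentifier not set")
    if "Authority" not in f:
        findings.append("no certificate chain (Authority=) in the signature")
    return findings


if __name__ == "__main__":
    for name, output in (("upd", UPD_CODESIGN_OUTPUT), ("constructed", DEVELOPER_ID_OUTPUT)):
        print(name, assess(output) or "no findings")
```

On a real host the text comes from `subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)`, which writes this listing to stderr rather than stdout; the checks here only flag, they do not decide, since plenty of internal tooling is legitimately ad hoc signed.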

Modus Operandi

Cuckoo performs a locale check to avoid infecting devices in certain regions:

  • Armenia (hy_AM)
  • Belarus (be_BY)
  • Kazakhstan (kk_KZ)
  • Russia (ru_RU)
  • Ukraine (uk_UA)

If the check passes, the malware proceeds with its malicious actions. It uses a fake application bundle to trick users into downloading and running the malware.

Once executed, it gains persistence on the host by installing a LaunchAgent, ensuring it remains active even after the system reboots.

The malware can run commands to extract hardware information, list currently running processes, and query installed applications.

It can also capture screenshots and harvest data from multiple sources, including iCloud Keychain, Apple Notes, web browsers, and cryptocurrency wallets.

Spying and Infostealing Capabilities

Cuckoo's main function is to collect as much data as possible from the infected system.

It searches for files related to specific applications and categorizes the collected data using a keyword observed in its network communications.

This includes sensitive data such as passwords, system information, hostnames, and usernames, which are then sent to a command-and-control (C2) server.

System profiler command used to collect hardware information:

10001248c    __builtin_strcpy(dest: &systemProfilerCMD, src: "system_profiler SPHardwareDataTyt,")
100012498    XOR_func(&systemProfilerCMD, 0x23)
1000124a4    char* x0_14 = popenCMD(&systemProfilerCMD, 1)

Cuckoo employs several evasion techniques to keep its presence on the infected machine discreet.

It encrypts its network traffic and only executes its malicious components under specific conditions.

Moreover, it sets up a LaunchAgent to ensure that it runs regularly, securing its foothold on the system.
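Because the article names a LaunchAgent as the persistence mechanism, the natural host-side check is to triage the plists in `~/Library/LaunchAgents` and `/Library/LaunchAgents`. The script below is an added example and not part of the article or Kandji's research; the article does not publish Cuckoo's LaunchAgent, so the two plists embedded here are constructed (placeholder labels and paths) to show what the triage flags and what it leaves alone.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Locations where a legitimately installed agent's executable normally lives.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")

# Constructed LaunchAgent with the traits the article describes: runs at login,
# is kept alive and re-run periodically, and points at a hidden user directory.
# Label and path are placeholders, not Cuckoo's real LaunchAgent.
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.placeholder.upd</string>
    <key>ProgramArguments</key>
    <array><string>/Users/analyst/Library/Application Support/.upd/upd</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
    <key>StartInterval</key><integer>60</integer>
</dict>
</plist>
"""

# Constructed benign agent: app-bundled helper, starts at login, nothing else.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.helper</string>
    <key>ProgramArguments</key>
    <array><string>/Applications/Example.app/Contents/MacOS/Example Helper</string><string>--agent</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def program_of(agent: dict) -> str:
    """launchd runs Program if present, otherwise the first ProgramArguments entry."""
    if agent.get("Program"):
        return agent["Program"]
    args = agent.get("ProgramArguments") or []
    return args[0] if args else ""


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist (XML or binary) and list reasons it deserves a look."""
    agent = plistlib.loads(plist_bytes)
    program = program_of(agent)
    reasons = []
    if not program:
        reasons.append("no Program/ProgramArguments")
    elif not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"executable outside standard locations: {program}")
    # Any hidden path component (".something") between the root and the binary.
    if any(part.startswith(".") for part in PurePosixPath(program).parts[1:]):
        reasons.append("executable lives under a hidden directory")
    if agent.get("RunAtLoad") and (agent.get("KeepAlive") or agent.get("StartInterval")):
        reasons.append("starts at login and is kept alive / re-run periodically")
    return {"label": agent.get("Label", ""), "program": program, "reasons": reasons}


def scan_launch_agents(home: Path = Path.home()) -> list:
    """Triage every plist in the user's and the system-wide LaunchAgents folders.
    On a real host, pair each hit with a codesign -dvvv check of the program."""
    results = []
    for folder in (home / "Library" / "LaunchAgents", Path("/Library/LaunchAgents")):
        if not folder.is_dir():
            continue
        for plist in sorted(folder.glob("*.plist")):
            try:
                result = triage_launch_agent(plist.read_bytes())
            except Exception as exc:  # malformed plist is itself worth a look
                result = {"label": plist.name, "program": "", "reasons": [f"unparseable: {exc}"]}
            result["path"] = str(plist)
            results.append(result)
    return results


if __name__ == "__main__":
    for sample in (SUSPICIOUS_AGENT, BENIGN_AGENT):
        print(triage_launch_agent(sample))
    for hit in scan_launch_agents():
        if hit["reasons"]:
            print(hit)
```

The path heuristic is deliberately loose (agents under `/Library/Application Support` or `~/Library` are common for legitimate software), so the output is a shortlist for an analyst, with the signature check and the hashes in the IoC list below deciding the verdict.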

Security Measures

To protect against such threats, users should keep their software up to date and patched, use reputable anti-malware tools, and avoid downloading applications from untrusted sources.

Regular scans with up-to-date antivirus software can help detect and remove such malicious applications.

The discovery of the Cuckoo malware highlights the growing sophistication of threats targeting macOS, a platform once considered relatively safe from such attacks.

This incident underscores the need for continued vigilance and robust security measures to protect sensitive data from cybercriminals.

As the cybersecurity community continues to monitor and analyze this threat, users are urged to stay informed about the latest security practices and to implement the recommended protective measures to safeguard their digital environments.

Indicators of Compromise

DMGs

  • Spotify-music-converter.dmg: 254663d6f4968b220795e0742284f9a846f995ba66590d97562e8f19049ffd4b

Mach-Os

  • DumpMediaSpotifyMusicConverter: 1827db474aa94870aafdd63bdc25d61799c2f405ef94e88432e8e212dfa51ac7
  • TuneSoloAppleMusicConverter: d8c3c7eedd41b35a9a30a99727b9e0b47e652b8f601b58e2c20e2a7d30ce14a8
  • TuneFunAppleMusicConverter: 39f1224d7d71100f86651012c87c181a545b0a1606edc49131730f8c5b56bdb7
  • FoneDogToolkitForAndroid: a709dacc4d741926a7f04cad40a22adfc12dd7406f016dd668dd98725686a2dc

Domains/IPs

  • http://146[.]70[.]80[.]123/static[.]php
  • http://146[.]70[.]80[.]123/index[.]php
  • http://tunesolo[.]com
  • http://fonedog[.]com
  • http://tunesfun[.]com
  • http://dumpmedia[.]com
  • http://tunefab[.]com

Source credit : cybersecuritynews.com
