New ‘Cuckoo’ Spyware Targets macOS Intel and Arm Systems

Cybersecurity experts have identified a new information-stealing malware targeting macOS systems, designed to maintain persistence on infected devices and function as spyware. Named Cuckoo by Kandji, the malware is a universal Mach-O binary capable of running on both Intel- and Arm-based Macs.

The distribution method is currently unclear, but it appears the binary is hosted on sites like dumpmedia[.]com, tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, which offer applications for ripping music from streaming services and converting it into MP3 format.

The disk image file downloaded from these websites initiates a bash shell to collect host information and verify that the machine is not located in Armenia, Belarus, Kazakhstan, Russia, or Ukraine. The malware executes only if this locale check is passed.

Cuckoo establishes persistence using a LaunchAgent, a method previously used by other malware like RustBucket, XLoader, JaskaGO, and a macOS backdoor linked to ZuRu.
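LaunchAgent persistence of the kind described above leaves a property list under ~/Library/LaunchAgents or /Library/LaunchAgents that points at the payload. The following audit script is an added example, not code from the article or from Kandji: it parses each plist with Python's standard `plistlib`, extracts the program it launches, and flags indicators a responder would triage first (an executable in a temp or shared directory, a hidden path component, RunAtLoad/KeepAlive). The two sample plists, their labels and paths are constructed for the example; the flag names and "expected" directory list are assumptions, not any vendor's rule set.

```python
"""Audit macOS LaunchAgent plists for persistence indicators (added example)."""
import os
import plistlib
import tempfile

# Directories a legitimately installed agent normally launches from (assumption).
EXPECTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/")
# Locations commonly used to stage dropped payloads (assumption).
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")

# Constructed sample agents: one benign, one that looks like a dropped payload.
BENIGN = plistlib.dumps({
    "Label": "com.example.updater",
    "Program": "/Applications/Example.app/Contents/MacOS/updater",
    "RunAtLoad": True,
})
SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/Users/Shared/.hidden/helper", "--daemon"],
    "RunAtLoad": True,
    "KeepAlive": True,
})


def program_of(plist):
    """Return the executable an agent launches: Program, else ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def audit_launch_agent(data):
    """Parse one plist (bytes) and return {label, program, flags}."""
    plist = plistlib.loads(data)
    program = program_of(plist)
    flags = []
    if program is None:
        flags.append("no-program")
    else:
        if program.startswith(SUSPICIOUS_PREFIXES):
            flags.append("suspicious-location")
        if any(part.startswith(".") for part in program.split("/") if part):
            flags.append("hidden-path-component")
        if not program.startswith(EXPECTED_PREFIXES):
            flags.append("outside-expected-dirs")
    if plist.get("RunAtLoad"):
        flags.append("run-at-load")
    if plist.get("KeepAlive"):
        flags.append("keep-alive")
    return {"label": plist.get("Label"), "program": program, "flags": flags}


def is_suspicious(finding):
    """Only the strong indicators escalate; 'outside-expected-dirs' alone is review-only."""
    return ("suspicious-location" in finding["flags"]
            or "hidden-path-component" in finding["flags"])


def scan_directory(path):
    """Audit every .plist in a LaunchAgents directory and return the findings."""
    findings = []
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            finding = audit_launch_agent(fh.read())
        finding["file"] = name
        findings.append(finding)
    return findings


def demo():
    """Write the constructed samples to a temp dir and return the suspicious ones."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("com.example.updater.plist", BENIGN),
                           ("com.example.helper.plist", SUSPICIOUS)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [f for f in scan_directory(tmp) if is_suspicious(f)]


if __name__ == "__main__":
    # On a real Mac, audit the user and system agent directories that exist.
    targets = [p for p in (os.path.expanduser("~/Library/LaunchAgents"),
                           "/Library/LaunchAgents") if os.path.isdir(p)]
    results = [f for t in targets for f in scan_directory(t)] if targets else demo()
    for f in results:
        print(f"{f.get('file')}: {f['label']} -> {f['program']} {f['flags']}")
```

Run it on a Mac to list every agent with its launch path and flags; the benign sample produces only `run-at-load`, while the dropped-payload sample is flagged for its shared-directory and hidden-path location. Pair the path check with `codesign -dv` on the flagged executable to confirm whether it carries a Developer ID like the ones the researchers cite.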

Similar to the MacStealer malware, Cuckoo uses osascript to display a fake password prompt, tricking users into entering their system passwords for privilege escalation.
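A fake credential prompt built with osascript is visible to endpoint telemetry as a process-execution event: `/usr/bin/osascript` launched with a `display dialog` script that asks for hidden (password-style) input, often from a parent that is not a real application. The detection below is an added example, not code from the article or any vendor; it scans process events in a JSON-lines layout whose field names (`exe`, `args`, `parent_exe`, ...) are an assumption for the example, and the three sample events are constructed.

```python
"""Flag osascript invocations that look like credential-phishing dialogs (added example)."""
import json

# Constructed process-execution events; the schema is an assumption, not an EDR's.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ts": "2024-05-02T10:11:12Z", "user": "alice", "pid": 4242,
                "parent_exe": "/Users/Shared/.hidden/helper",
                "exe": "/usr/bin/osascript",
                "args": ["-e", 'display dialog "macOS needs your password to apply '
                               'updates" default answer "" with hidden answer']}),
    json.dumps({"ts": "2024-05-02T10:12:00Z", "user": "alice", "pid": 4300,
                "parent_exe": "/Applications/Utilities/Script Editor.app/Contents/"
                              "MacOS/Script Editor",
                "exe": "/usr/bin/osascript",
                "args": ["-e", 'display notification "Build finished"']}),
    json.dumps({"ts": "2024-05-02T10:13:30Z", "user": "alice", "pid": 4310,
                "parent_exe": "/bin/zsh", "exe": "/bin/ls", "args": ["-la"]}),
])

# Both markers must appear: a dialog that collects masked input.
PROMPT_MARKERS = ("display dialog", "hidden answer")
CREDENTIAL_WORDS = ("password", "passcode", "credential")
# Parent locations that no legitimate app launches dialogs from (assumption).
UNTRUSTED_PARENT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/",
                             "/Users/Shared/", "/private/var/folders/")


def classify_event(event):
    """Return None for benign events, otherwise a finding with a severity."""
    if not event.get("exe", "").endswith("/osascript"):
        return None
    script = " ".join(event.get("args", [])).lower()
    if not all(marker in script for marker in PROMPT_MARKERS):
        return None
    severity = "medium"
    reasons = ["osascript dialog requesting hidden (password-style) input"]
    if any(word in script for word in CREDENTIAL_WORDS):
        reasons.append("dialog text mentions credentials")
        severity = "high"
    parent = event.get("parent_exe", "")
    if parent.startswith(UNTRUSTED_PARENT_PREFIXES) or "/." in parent:
        reasons.append(f"spawned from untrusted location: {parent}")
        severity = "high"
    return {"ts": event.get("ts"), "pid": event.get("pid"),
            "user": event.get("user"), "severity": severity, "reasons": reasons}


def scan_events(jsonl_text):
    """Run classify_event over every JSON line and collect the findings."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        finding = classify_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] pid={finding['pid']} user={finding['user']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Only the first sample event fires: it is an osascript dialog with hidden input whose text mentions a password and whose parent lives in a shared directory, so it is rated high. A script that merely posts a notification, or any non-osascript process, is ignored. A real prompt from the OS or a signed app never comes from osascript, which is what makes this pattern a low-noise hunt.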

“This malware queries specific files associated with various applications to gather as much information as possible from the system,” noted researchers.

Cuckoo can execute commands to extract hardware information, capture running processes, query installed apps, take screenshots, and collect data from iCloud Keychain, Apple Notes, web browsers, crypto wallets, and applications like Discord, FileZilla, Steam, and Telegram.

“Each malicious application contains another application bundle within its resource directory,” the researchers explained. “All bundles, except those on fonedog[.]com, are signed and have a valid Developer ID of Yian Technology Shenzhen Co., Ltd (VRBJ4VRP). The website fonedog[.]com hosted an Android recovery tool, and the bundle has a developer ID of FoneDog Technology Limited (CUAU2GTG98).”

This discovery follows Kandji's recent disclosure of another stealer, CloudChat, which masquerades as a privacy-oriented messaging app and targets macOS users whose IP addresses do not geolocate to China. CloudChat steals crypto private keys copied to the clipboard and data from wallet extensions in Google Chrome.

Additionally, a new variant of the notorious AdLoad malware, written in Go and named Rload (aka Lador), has been found. It evades the Apple XProtect malware signature list and is compiled solely for Intel x86_64 architecture.

Rload's distribution method also remains unclear, but such droppers are typically embedded in cracked or trojanized apps distributed through malicious websites.

AdLoad, a prevalent adware campaign since at least 2017, is known for hijacking search engine results and injecting ads into web pages for monetary gain by redirecting users’ web traffic through an adversary-controlled web proxy.

Preventing Cuckoo spyware infections involves downloading applications only from trusted and official sources. Users should be wary of websites offering free versions of software that normally require purchase. Keeping the macOS and all installed applications up to date with the latest security patches is crucial. Implementing robust endpoint security solutions can help detect and block spyware.