Cuckoo is a newly discovered malware family that targets macOS users. According to published reports, it steals passwords, browser history, cryptocurrency wallet data and other information.
Its operators distribute Cuckoo disguised as a music converter app that claims to convert Spotify songs to MP3 format, and the binary runs on Apple Mac machines with either Intel or ARM (Apple silicon) processors.
Once installed, it begins harvesting data, prioritising the macOS keychain, screenshots, browsing history, messaging app data, cryptocurrency wallet information and authentication credentials.
The malware also relies on the victim to complete installation: the installer instructs users to open an app that macOS warns it cannot verify, bypassing the Gatekeeper prompt. It then checks the user's locale and collects host hardware information, and prompts for additional permissions; if the user grants them, the malware gains access to the Finder, the microphone and the Downloads folder.
Next, Cuckoo targets the macOS keychain, which stores passwords, login credentials and cryptographic keys, so compromising it exposes online accounts and sensitive data. It can also capture screenshots and camera images and harvest data from messaging apps such as WhatsApp and Telegram, disclosing users' online activity; together with the wallet theft, this poses a substantial financial risk to digital asset owners.
Researchers also found that the malware copies files from Safari, Notes and the Keychain to temporary locations and enumerates paths to files of interest. It establishes persistence with a launch agent that runs every minute.
Cuckoo malware does not have a definitive operating group but tends to avoid specific countries.
The campaign has not been attributed to a single threat group. Researchers did find, however, that the malware does not run on devices whose system locale indicates Armenia, Belarus, Kazakhstan, Russia or Ukraine.
Its LaunchAgent persistence technique resembles the one seen in RustBucket, XLoader, JaskaGO and a backdoor linked to the Chinese threat actor ZuRu. Every bundle was signed, and the signature used a genuine developer ID registered in China.
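The persistence described above (a LaunchAgent that fires every minute) is easy to hunt for: a user LaunchAgent plist with a very short StartInterval, pointing at a program under a user-writable path, is unusual for legitimate software. The following script is an added example written for this page, not code from the researchers' report or from the malware; it parses LaunchAgent plists with Python's standard plistlib and flags the indicators. The two plists embedded in it are constructed samples, and the labels, paths and thresholds are assumptions chosen for illustration, not indicators taken from the real Cuckoo sample.

```python
import plistlib
from pathlib import Path

# Constructed benign sample: a daily updater shipped inside an app bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>StartInterval</key><integer>86400</integer>
</dict>
</plist>"""

# Constructed suspicious sample: runs every 60 seconds, starts at login,
# and points at a binary under the user's home directory (all assumed values).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.music.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/Converter/helper</string></array>
  <key>StartInterval</key><integer>60</integer>
  <key>RunAtLoad</key><true/>
</dict>
</plist>"""

# Locations a non-admin user can write to; a persistent agent launched
# from here deserves a closer look. Threshold and prefixes are heuristics.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/", "/private/var/")
SHORT_INTERVAL_SECONDS = 60


def analyze_agent(data: bytes) -> dict:
    """Parse one LaunchAgent plist and return the indicators it triggers."""
    plist = plistlib.loads(data)
    program = plist.get("Program")
    if program is None:
        args = plist.get("ProgramArguments") or []
        program = args[0] if args else None
    interval = plist.get("StartInterval")

    findings = []
    if interval is not None and interval <= SHORT_INTERVAL_SECONDS:
        findings.append(f"StartInterval={interval}s (runs at least every minute)")
    if program and program.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"program under user-writable path: {program}")
    if plist.get("RunAtLoad"):
        findings.append("RunAtLoad=true (starts at login)")

    return {
        "label": plist.get("Label"),
        "program": program,
        "interval": interval,
        "findings": findings,
    }


def scan_directory(directory: Path) -> list:
    """Analyze every *.plist in a LaunchAgents directory; returns one dict per file."""
    results = []
    for path in sorted(directory.glob("*.plist")):
        try:
            result = analyze_agent(path.read_bytes())
        except (plistlib.InvalidFileException, ValueError) as exc:
            result = {"label": path.name, "program": None, "interval": None,
                      "findings": [f"unparseable plist: {exc}"]}
        result["path"] = str(path)
        results.append(result)
    return results


if __name__ == "__main__":
    # Stand-alone run: scan the current user's LaunchAgents and print hits.
    agents_dir = Path.home() / "Library" / "LaunchAgents"
    for entry in scan_directory(agents_dir) if agents_dir.is_dir() else []:
        if entry["findings"]:
            print(entry["path"], entry["label"])
            for finding in entry["findings"]:
                print("   -", finding)
```

Run it as the affected user; agents in /Library/LaunchAgents and /Library/LaunchDaemons can be scanned the same way by passing those directories to scan_directory. The short-interval check is the strongest of the three signals, since few legitimate agents need to wake up every minute; the path and RunAtLoad checks are there to rank results, not to condemn an agent on their own.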
Researchers advise users to download and install apps only from trusted sources, and to run reputable antivirus and anti-malware software, to avoid an infection that could lead to data theft and financial loss.