A novel Cuckoo malware strain is targeting macOS users


Researchers have identified a new malware strain named “Cuckoo” that combines features of spyware and infostealers, targets both Intel and ARM-based Macs, and employs advanced methods to extract sensitive data.

All About Cuckoo Malware

The malware, named after the brood parasitic bird known for its habit of laying eggs in the nests of other birds, was first identified on April 24, 2024.

It is disguised within a Mach-O binary file posing as a legitimate application named DumpMediaSpotifyMusicConverter, which claims to convert music from Spotify to MP3 format.

Kandji cybersecurity researchers unearthed this malware while investigating irregularities in an application downloaded from dumpmedia[.]com. Subsequent exploration showed similar malicious activity on sites like tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, all providing tools for ripping music from streaming services.

Within the “DumpMedia Spotify Music Converter” application bundle, researchers found a dubious Mach-O binary named “upd” in the MacOS folder.

Typically, binaries in an application bundle share the application’s name, making “upd” stand out as suspicious. Upon deeper inspection, it was found that this binary lacked a developer ID, signifying ad hoc signing. Without a registered developer ID, macOS’s Gatekeeper security would block the application’s execution by default, necessitating manual user intervention to override and run it.

Cuckoo malware conducts a locale check to avoid infecting devices in specific regions: Armenia (hy_AM), Belarus (be_BY), Kazakhstan (kk_KZ), Russia (ru_RU), and Ukraine (uk_UA). If the device’s locale is not one of these, the malware proceeds with its malicious activities. It utilizes a fake application bundle to trick users into downloading and executing the malware.

Upon execution, the malware establishes persistence on the host by installing a LaunchAgent, ensuring it remains active post-system reboots. It can execute commands to extract hardware information, capture running processes, and query installed applications.

Additionally, it can take screenshots and harvest data from iCloud Keychain, Apple Notes, web browsers, and cryptocurrency wallets.

Cuckoo’s main objective is to collect extensive information from the compromised system.

It targets files linked to particular applications, categorizing data using keywords found in network communications. This encompasses sensitive details like passwords, system build information, hostnames, and usernames, which are subsequently transmitted to a Command and Control server.

The system profiler command to obtain hardware information is:

10001248c    __builtin_strcpy(dest: &systemProfilerCMD, src: "system_profiler SPHardwareDataTy\t,")
100012498    XOR_func(&systemProfilerCMD, 0x23)
1000124a4    char* x0_14 = popenCMD(&systemProfilerCMD, 1)
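As an added example (not Kandji’s tooling and not code from the original report), the following Python triage helper applies two of the observations above: it flags Mach-O executables in Contents/MacOS other than the one Info.plist declares (the “upd” finding), and it undoes the single-byte XOR with key 0x23 that the decompiled snippet applies to the system_profiler command string. The bundle it scans is constructed in a temporary directory; all file and function names are assumptions.

```python
import os
import plistlib
import struct
import tempfile

# Mach-O and fat (universal) magics in both byte orders. 0xCAFEBABE is also the
# Java class-file magic, so a hit is a triage lead, not proof by itself.
MACHO_MAGICS = {0xFEEDFACE, 0xCEFAEDFE, 0xFEEDFACF, 0xCFFAEDFE, 0xCAFEBABE, 0xBEBAFECA}

def is_macho(path):
    with open(path, "rb") as f:
        head = f.read(4)
    return len(head) == 4 and struct.unpack(">I", head)[0] in MACHO_MAGICS

def find_odd_executables(bundle_path):
    """Mach-O files in Contents/MacOS other than the one Info.plist declares."""
    contents = os.path.join(bundle_path, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as f:
        expected = plistlib.load(f).get("CFBundleExecutable")
    macos_dir = os.path.join(contents, "MacOS")
    return sorted(
        name for name in os.listdir(macos_dir)
        if os.path.isfile(os.path.join(macos_dir, name))
        and is_macho(os.path.join(macos_dir, name)) and name != expected
    )

def xor_decode(data, key=0x23):
    """Undo the single-byte XOR (key 0x23 in the decompiled snippet above)."""
    return bytes(b ^ key for b in data)

def build_sample_bundle(root):
    """Constructed stand-in for the DumpMedia bundle: declared binary plus 'upd'."""
    bundle = os.path.join(root, "DumpMedia Spotify Music Converter.app")
    macos_dir = os.path.join(bundle, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(bundle, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": "DumpMediaSpotifyMusicConverter"}, f)
    for name in ("DumpMediaSpotifyMusicConverter", "upd"):
        with open(os.path.join(macos_dir, name), "wb") as f:
            f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # MH_MAGIC_64 header stub
    return bundle

def run_demo():
    """Returns (unexpected executables, recovered command) for the sample bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        odd = find_odd_executables(build_sample_bundle(tmp))
    stored = xor_decode(b"system_profiler SPHardwareDataType")  # constructed stored form
    return odd, xor_decode(stored)
```

On a real bundle, pair the executable-name check with codesign output so that an ad hoc signature and an extra binary are reviewed together.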

Cuckoo utilizes several evasion techniques to discreetly sustain its presence on the compromised device.

It encrypts network traffic and selectively activates its malicious elements under predetermined circumstances.

Moreover, it establishes a LaunchAgent to ensure consistent operation, fortifying its position on the system.

Indicators of Compromise

DMGs

  • Spotify-music-converter.dmg: 254663d6f4968b220795e0742284f9a846f995ba66590d97562e8f19049ffd4b  

Mach-Os

  • DumpMediaSpotifyMusicConverter: 1827db474aa94870aafdd63bdc25d61799c2f405ef94e88432e8e212dfa51ac7
  • TuneSoloAppleMusicConverter: d8c3c7eedd41b35a9a30a99727b9e0b47e652b8f601b58e2c20e2a7d30ce14a8
  • TuneFunAppleMusicConverter: 39f1224d7d71100f86651012c87c181a545b0a1606edc49131730f8c5b56bdb7
  • FoneDogToolkitForAndroid: a709dacc4d741926a7f04cad40a22adfc12dd7406f016dd668dd98725686a2dc

Domains/IPs

  • http://146[.]70[.]80[.]123/static[.]php
  • http://146[.]70[.]80[.]123/index[.]php
  • http://tunesolo[.]com
  • http://fonedog[.]com
  • http://tunesfun[.]com
  • http://dumpmedia[.]com
  • http://tunefab[.]com


About the Author:

FirstHackersNews - Identifies Security
