Researchers have identified a new macOS malware strain named “Cuckoo” that combines spyware and infostealer features, targets both Intel and ARM-based Macs, and uses a range of techniques to extract sensitive data.
All About Cuckoo Malware
The malware, named after the brood parasitic bird known for its habit of laying eggs in the nests of other birds, was first identified on April 24, 2024.
It ships as a Mach-O binary inside an application bundle posing as a legitimate application named DumpMediaSpotifyMusicConverter, which claims to convert music from Spotify to MP3 format.
Kandji cybersecurity researchers unearthed this malware while investigating irregularities in an application downloaded from dumpmedia[.]com. Subsequent exploration showed similar malicious activity on sites like tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, all providing tools for ripping music from streaming services.
Within the “DumpMedia Spotify Music Converter” application bundle, researchers found a dubious Mach-O binary named “upd” in the Contents/MacOS folder.
Typically, the main executable in an application bundle carries the application’s name, which makes “upd” stand out as suspicious. Deeper inspection showed that this binary carried no developer ID, meaning it was only ad hoc signed. Without a registered developer ID, macOS’s Gatekeeper blocks the application from running by default, so the user has to manually override the block to run it.
Cuckoo performs a locale check to avoid infecting devices in specific regions: Armenia (hy_AM), Belarus (be_BY), Kazakhstan (kk_KZ), Russia (ru_RU), and Ukraine (uk_UA). If the device’s locale is not on that list, the malware proceeds with its malicious activities. It relies on the fake application bundle to trick users into downloading and executing it.
Upon execution, the malware establishes persistence on the host by installing a LaunchAgent, so that it keeps running across reboots. It can execute commands to extract hardware information, capture running processes, and query installed applications.
Additionally, it can take screenshots and harvest data from iCloud Keychain, Apple Notes, web browsers, and cryptocurrency wallets.
Cuckoo’s main objective is to collect extensive information from the compromised system.
It targets files linked to particular applications and categorizes the collected data using keywords that also appear in its network communications. This includes sensitive details such as passwords, system build information, hostnames, and usernames, which are then transmitted to a command-and-control server.
The decompiled routine that builds and runs the system_profiler command used to collect hardware information (the command string is copied into a buffer, passed through an XOR routine keyed with 0x23, and then handed to popen):
10001248c __builtin_strcpy(dest: &systemProfilerCMD, src: "system_profiler SPHardwareDataTy\t,")
100012498 XOR_func(&systemProfilerCMD, 0x23)
1000124a4 char* x0_14 = popenCMD(&systemProfilerCMD, 1)
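The decompiled sequence above shows a command string going through a single-byte XOR with key 0x23 before it reaches popen. The following is an added analysis example, not code from the report or from Kandji: it reproduces single-byte XOR and a key search that recovers readable command strings from an obfuscated blob, which is how an analyst would pull such strings out of a sample without running it. The blob, the extra commands in it and the function names are constructed for the example; only the system_profiler command and the 0x23 key come from the page.

```python
"""Added analysis example (not the report's or Kandji's code): single-byte XOR
as seen in the Cuckoo decompilation (key 0x23), plus a brute-force key search
that recovers NUL-terminated command strings from an obfuscated blob.
The sample blob and the commands other than system_profiler are constructed."""
import string

# Printable ASCII minus vertical tab / form feed, which real command strings never contain.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def xor_bytes(data, key):
    """Single-byte XOR; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_text(data, threshold=0.95):
    """Heuristic: nearly every byte is printable ASCII (NUL never is)."""
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= threshold


def recover_strings(blob, min_len=8, markers=(b"system_profiler",)):
    """Try all 256 keys; return (key, decoded strings) for every key whose
    decoding contains one of the known command fragments. A 15-byte marker
    such as 'system_profiler' does not match by chance under a wrong key."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if not any(m in decoded for m in markers):
            continue
        parts = [p for p in decoded.split(b"\0")
                 if len(p) >= min_len and looks_like_text(p)]
        hits.append((key, [p.decode("ascii") for p in parts]))
    return hits


# Constructed sample: the command named in the report plus two invented ones
# ("ps" for running processes, "ls" for installed apps), NUL-terminated and
# XORed with 0x23 the way the decompiled code applies XOR_func.
SAMPLE_COMMANDS = [b"system_profiler SPHardwareDataType",
                   b"ps -axo pid,comm",
                   b"ls /Applications"]
SAMPLE_BLOB = xor_bytes(b"\0".join(SAMPLE_COMMANDS) + b"\0", 0x23)


if __name__ == "__main__":
    for key, strings in recover_strings(SAMPLE_BLOB):
        print(f"key 0x{key:02x}: {strings}")
```

Running the block prints the single key 0x23 together with the three decoded commands; on a real sample the blob would be a string table or data section carved from the binary, and the marker list would be extended with whatever fragments the analyst already knows.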
Cuckoo uses several evasion techniques to sustain its presence on the compromised device discreetly.
It encrypts its network traffic and only activates its malicious components under predetermined conditions.
It also installs a LaunchAgent so that it keeps running, cementing its foothold on the system.
Indicators of Compromise
DMGs
- Spotify-music-converter.dmg: 254663d6f4968b220795e0742284f9a846f995ba66590d97562e8f19049ffd4b
Mach-O binaries
- DumpMediaSpotifyMusicConverter: 1827db474aa94870aafdd63bdc25d61799c2f405ef94e88432e8e212dfa51ac7
- TuneSoloAppleMusicConverter: d8c3c7eedd41b35a9a30a99727b9e0b47e652b8f601b58e2c20e2a7d30ce14a8
- TuneFunAppleMusicConverter: 39f1224d7d71100f86651012c87c181a545b0a1606edc49131730f8c5b56bdb7
- FoneDogToolkitForAndroid: a709dacc4d741926a7f04cad40a22adfc12dd7406f016dd668dd98725686a2dc
Domains/IPs
- http://146[.]70[.]80[.]123/static[.]php
- http://146[.]70[.]80[.]123/index[.]php
- http://tunesolo[.]com
- http://fonedog[.]com
- http://tunesfun[.]com
- http://dumpmedia[.]com
- http://tunefab[.]com
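The report describes two host-side traits worth hunting for, the stray ad hoc signed binary sitting next to the bundle's real executable and the LaunchAgent used for persistence, and publishes SHA-256 hashes for the Mach-O samples. The following is an added triage example, not code from the report or from Kandji: it lists extra Mach-O files in a bundle's Contents/MacOS, audits LaunchAgent plists for programs that are missing, live outside trusted locations, or hash to one of the published indicators, and builds a constructed sample bundle and plist to run against. The hashes are copied from the list above; every path, the plist label and the binary contents are constructed for the example.

```python
"""Added triage example (not Kandji's or the page's own code): audit LaunchAgent
plists and application bundles for the traits the Cuckoo report describes, and
match binaries against its published SHA-256 indicators. All paths, the sample
bundle and the sample plist below are constructed."""
import hashlib
import os
import plistlib
import tempfile
from pathlib import Path

# SHA-256 indicators copied from the report's Indicators of Compromise list.
CUCKOO_MACHO_HASHES = {
    "1827db474aa94870aafdd63bdc25d61799c2f405ef94e88432e8e212dfa51ac7": "DumpMediaSpotifyMusicConverter",
    "d8c3c7eedd41b35a9a30a99727b9e0b47e652b8f601b58e2c20e2a7d30ce14a8": "TuneSoloAppleMusicConverter",
    "39f1224d7d71100f86651012c87c181a545b0a1606edc49131730f8c5b56bdb7": "TuneFunAppleMusicConverter",
    "a709dacc4d741926a7f04cad40a22adfc12dd7406f016dd668dd98725686a2dc": "FoneDogToolkitForAndroid",
}

# Mach-O magic values: thin 32/64-bit in both byte orders, and fat/universal.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}

# Where a legitimately installed LaunchAgent program is expected to live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/", "/Applications/")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_macho(path):
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS


def extra_bundle_executables(bundle_dir):
    """Mach-O files in Contents/MacOS other than the declared CFBundleExecutable.
    The report's sample carried a stray 'upd' binary next to the real one."""
    contents = Path(bundle_dir) / "Contents"
    with open(contents / "Info.plist", "rb") as f:
        declared = plistlib.load(f).get("CFBundleExecutable")
    return sorted(p.name for p in (contents / "MacOS").iterdir()
                  if p.is_file() and p.name != declared and is_macho(p))


def launch_agent_program(plist_path):
    """Program a LaunchAgent starts: the 'Program' key or ProgramArguments[0]."""
    with open(plist_path, "rb") as f:
        data = plistlib.load(f)
    if data.get("Program"):
        return data["Program"]
    args = data.get("ProgramArguments") or []
    return args[0] if args else None


def audit_launch_agents(agent_dirs, known_hashes=CUCKOO_MACHO_HASHES):
    """Return (plist, verdict, program) for every LaunchAgent plist found."""
    findings = []
    for d in agent_dirs:
        for plist in sorted(Path(d).glob("*.plist")):
            prog = launch_agent_program(plist)
            if prog is None:
                findings.append((str(plist), "no program", None))
            elif not os.path.isfile(prog):
                findings.append((str(plist), "program missing", prog))
            elif sha256_of(prog) in known_hashes:
                findings.append((str(plist), "known Cuckoo hash: " + known_hashes[sha256_of(prog)], prog))
            elif not prog.startswith(TRUSTED_PREFIXES):
                findings.append((str(plist), "program outside trusted paths", prog))
            else:
                findings.append((str(plist), "ok", prog))
    return findings


def build_fixture(root):
    """Constructed sample: a bundle with a stray 'upd' Mach-O and a LaunchAgent pointing at it."""
    macos = Path(root) / "Applications" / "DumpMedia Spotify Music Converter.app" / "Contents" / "MacOS"
    macos.mkdir(parents=True)
    with open(macos.parent / "Info.plist", "wb") as f:
        plistlib.dump({"CFBundleExecutable": "DumpMediaSpotifyMusicConverter"}, f)
    (macos / "DumpMediaSpotifyMusicConverter").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
    upd = macos / "upd"
    upd.write_bytes(b"\xca\xfe\xba\xbe" + b"\0" * 28)  # fat magic plus constructed padding
    agents = Path(root) / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    with open(agents / "com.example.upd.plist", "wb") as f:  # constructed label
        plistlib.dump({"Label": "com.example.upd", "ProgramArguments": [str(upd)], "RunAtLoad": True}, f)
    return str(macos.parent.parent), str(agents), str(upd)


def run_demo():
    """Audit the fixture twice: with the published hashes only, then with the
    constructed binary's hash added as if it were a known indicator."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle, agents, upd = build_fixture(tmp)
        extras = extra_bundle_executables(bundle)
        default = [v for _, v, _ in audit_launch_agents([agents])]
        known = dict(CUCKOO_MACHO_HASHES, **{sha256_of(upd): "constructed sample"})
        matched = [v for _, v, _ in audit_launch_agents([agents], known)]
        return extras, default, matched


if __name__ == "__main__":
    print(run_demo())
```

On a real host the directories to pass are ~/Library/LaunchAgents for each user and /Library/LaunchAgents, and the bundle check can be run over /Applications; the hash match is the high-confidence signal, while an extra Mach-O in Contents/MacOS or a LaunchAgent program outside the trusted prefixes is a lead to inspect, not proof of infection on its own.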