“Cuckoo” Malware Lands on Macs, Steals Data, and Spies on Users


Security researchers at Kandji have found a dangerous new strain of macOS malware. Dubbed “Cuckoo,” this nasty piece of code combines the worst aspects of spyware and info-stealers, designed to pilfer sensitive data and monitor user activity on infected Macs.


The malware has been aptly named “Cuckoo” after the cuckoo bird, known for laying its eggs in the nests of other birds. Similarly, the Cuckoo malware infiltrates the computers of unsuspecting users and exploits their resources to steal information and spy on them.

The primary distribution method for Cuckoo involves websites that host both free and paid versions of seemingly legitimate applications. These applications, often related to extracting music from streaming services and converting it to MP3 format, serve as a Trojan horse for the malware. Once a user downloads and opens the disk image file from these deceptive websites, a bash shell is triggered, setting the stage for further malicious activities.

One of the distinctive features of Cuckoo is its initial check to determine the geographical location of the infected system. The malware specifically avoids systems located in Armenia, Kazakhstan, Russia, Belarus, and Ukraine, suggesting a targeted approach in its operations.

Unlike typical infostealers, Cuckoo establishes persistence on the infected machines using a LaunchAgent. This technique, previously seen in malware families like XLoader, JaskaGO, and RustBucket, allows Cuckoo not only to survive reboot cycles but also to maintain a stealthy presence on the device.
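Because this persistence relies on a LaunchAgent, reviewing LaunchAgent property lists is a practical check on a Mac. The triage script below is an added example, not code from Kandji's research or from this article; its heuristics, labels and paths are constructed assumptions, not published Cuckoo indicators.

```python
import plistlib
from pathlib import PurePosixPath

# Triage heuristics: assumptions for illustration, not published Cuckoo indicators.
TRUSTED_PREFIXES = ("/Applications/", "/Library/", "/System/", "/usr/", "/bin/", "/sbin/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3"}

def audit_launch_agent(plist_bytes):
    """Return the reasons a LaunchAgent plist deserves a closer look ([] if none)."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return ["plist does not parse"]
    if not isinstance(job, dict):
        return ["plist is not a dictionary"]
    args = [str(a) for a in job.get("ProgramArguments") or [job.get("Program", "")]]
    if not args[0]:
        return ["no Program or ProgramArguments key"]
    exe, findings = PurePosixPath(args[0]), []
    if not args[0].startswith(TRUSTED_PREFIXES):
        findings.append("executable outside system/application directories")
    if exe.name in INTERPRETERS:
        findings.append("runs an interpreter: " + exe.name)
    parts = [p for a in args for p in PurePosixPath(a).parts]
    if any(p.startswith(".") and p not in (".", "..") for p in parts):
        findings.append("references a hidden file or directory")
    if findings and (job.get("RunAtLoad") or job.get("KeepAlive")):
        findings.append("starts automatically (RunAtLoad/KeepAlive)")
    return findings

# Constructed sample plists; on a Mac, read the *.plist files in
# ~/Library/LaunchAgents and /Library/LaunchAgents instead.
SAMPLES = {
    "com.example.vendor.helper.plist": plistlib.dumps({
        "Label": "com.example.vendor.helper", "RunAtLoad": True,
        "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/helper"]}),
    "com.example.sync.plist": plistlib.dumps({
        "Label": "com.example.sync", "RunAtLoad": True,
        "ProgramArguments": ["/Users/alice/.cache/sync/agent", "--quiet"]}),
    "com.example.script.plist": plistlib.dumps({
        "Label": "com.example.script", "KeepAlive": True,
        "ProgramArguments": ["/bin/sh", "-c", "/tmp/run.sh"]}),
}

def audit_all(samples):
    """Map each flagged file name to its findings, skipping clean entries."""
    results = {name: audit_launch_agent(data) for name, data in samples.items()}
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLES).items():
        print(name, "->", "; ".join(found))
```

A flagged entry is a prompt for manual review, not a verdict: legitimate software also installs agents under the user's home directory.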

For privilege escalation, Cuckoo cunningly mimics legitimate macOS password prompts using osascript, similar to tactics employed by the notorious MacStealer malware. This method deceives users into unknowingly granting administrative privileges to the malware.

Cuckoo is particularly invasive due to its ability to gather a wide range of data. This includes hardware information, running processes, installed applications, and sensitive data from web browsers, cryptocurrency wallets, and various software applications. It communicates with its command and control (C2) server using sockets and the curl API, allowing attackers to send commands and retrieve stolen data efficiently.

Security researchers suspect there could be more Cuckoo-infected apps out in the wild. Maintaining vigilance and employing strong cybersecurity practices are essential to safeguarding your Mac from this sneaky new threat.