New ‘Cuckoo’ Mac Malware Mimics Homebrew, Threatens User Data
Security researchers at Intego have uncovered a new variant of the “Cuckoo” Mac malware, a strain of the notorious Atomic macOS Stealer (AMOS). This latest variant, discovered on May 15th, employs a sophisticated social engineering tactic by mimicking the popular Homebrew package manager to trick users into downloading and executing malicious code.
AMOS first appeared in late April 2023, marketed as malware-as-a-service on Telegram for $1,000 per month. Over the past year, numerous AMOS variants have emerged, with Intego documenting various campaigns in September 2023 and February 2024. The malware is often distributed through malicious Google Ads, which appear indistinguishable from legitimate ads, leading unsuspecting users to download infected files.
A fake Homebrew site, part of an AMOS/Cuckoo Mac malware campaign
On May 15, a researcher named Alden published a blog post revealing a new Cuckoo variant. This malware pretends to be the popular macOS package manager, Homebrew. The fake Homebrew page tricks users into copying and pasting a command into their Mac’s Terminal app. Despite its suspicious nature, the page’s convincing design could deceive even experienced users.
The real Homebrew site. Ironically, it has a longer, more suspicious-looking install URL
Intego’s research team discovered that the malicious script and initial binary had changed mere hours after Alden’s post. The new bash script, though slightly altered to evade antivirus detection, still functions as a data-stealing tool. More intriguingly, the updated Mach-O binary now includes VM detection capabilities, making it more challenging for malware analysts to study.
The latest Cuckoo variant checks if it’s running within VirtualBox, VMware, or Parallels environments, a tactic likely implemented in response to Alden’s findings. This anti-VM feature complicates efforts to reverse-engineer the malware, demonstrating the adaptive nature of these threats.
The new Cuckoo variant, like its predecessors, steals sensitive data such as passwords, cookies, autofill information, and cryptocurrency wallets. The ongoing use of poisoned Google Ads for distribution underscores the importance of cautious browsing and downloading practices.
Users are urged to exercise caution when downloading software, avoid clicking on suspicious links, and prioritize downloading from trusted sources. Additionally, keeping security software updated and maintaining regular backups can provide an extra layer of protection against such threats.
